AWS - CodeBuild Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

CodeBuild

For more information, check:

Abuse CodeBuild Repo Access

In order to configure CodeBuild, it will need access to the code repo that it's going to be using. Several platforms could be hosting this code:

The CodeBuild project must have access to the configured source provider, either via IAM role of with a github/bitbucket token or OAuth access.

An attacker with elevated permissions in over a CodeBuild could abuse this configured access to leak the code of the configured repo and others where the set creds have access. In order to do this, an attacker would just need to change the repository URL to each repo the config credentials have access (note that the aws web will list all of them for you):

And change the Buildspec commands to exfiltrate each repo.

However, this task is repetitive and tedious and if a github token was configured with write permissions, an attacker won't be able to (ab)use those permissions as he doesn't have access to the token. Or does he? Check the next section

Leaking Access Tokens from AWS CodeBuild

You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:

aws codebuild list-source-credentials

pageAWS Codebuild - Token Leakage

`codebuild:DeleteProject`

An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.

aws codebuild delete-project --name <value>

Potential Impact: Loss of project configuration and service disruption for applications using the deleted project.

`codebuild:TagResource` , `codebuild:UntagResource`

An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.

aws codebuild tag-resource --resource-arn <value> --tags <value>
aws codebuild untag-resource --resource-arn <value> --tag-keys <value>

Potential Impact: Disruption of cost allocation, resource tracking, and tag-based access control policies.

`codebuild:DeleteSourceCredentials`

An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.

aws codebuild delete-source-credentials --arn <value>

Potential Impact: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousAWS - CloudFront Post Exploitation NextAWS Codebuild - Token Leakage

Last updated 2 months ago

CodeBuild

Abuse CodeBuild Repo Access

Leaking Access Tokens from AWS CodeBuild

codebuild:DeleteProject

codebuild:TagResource , codebuild:UntagResource

codebuild:DeleteSourceCredentials

`codebuild:DeleteProject`

`codebuild:TagResource` , `codebuild:UntagResource`

`codebuild:DeleteSourceCredentials`