AWS Codebuild - Token Leakage
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
First, check if there are any source credentials configured that you could leak:
If you find that authentication to, for example, GitHub is configured in the account, you can exfiltrate that access (a GH token or OAuth token) by making CodeBuild use a specific Docker image to run the project's build.
For this purpose you could create a new CodeBuild project or change the environment of an existing one to set the Docker image.
The Docker image you could use is https://github.com/carlospolop/docker-mitm. This is a very basic Docker image that sets the env variables https_proxy, http_proxy and SSL_CERT_FILE. This allows you to intercept most of the traffic to the host indicated in https_proxy and http_proxy, trusting the SSL cert indicated in SSL_CERT_FILE.
Create & Upload your own Docker MitM image
Follow the instructions in the repo to set your proxy IP address and your SSL cert, and build the Docker image.
DO NOT SET http_proxy, so that requests to the metadata endpoint are not intercepted.
You could use ngrok (e.g. ngrok tcp 4444) to point the proxy at your host.
Once you have the Docker image built, upload it to a public repo (Docker Hub, ECR...).
Set the environment
Create a new Codebuild project or modify the environment of an existing one.
Set the project to use the previously generated Docker image
Set the MitM proxy on your host
As indicated in the GitHub repo, you could use something like:
The mitmproxy version used was 9.0.1; it was reported that with version 10 this might not work.
Run the build & capture the credentials
You can see the token in the Authorization header:
This could also be done from the AWS CLI with something like:
CodeBuild projects have a setting called insecureSsl that is hidden in the web console; you can only change it from the API.
Enabling it allows CodeBuild to connect to the repository without checking the certificate offered by the platform.
First you need to enumerate the current configuration with something like:
Then, with the gathered info, you can update the project setting insecureSsl to True. The following is an example of me updating a project; notice the insecureSsl=True at the end (this is the only thing you need to change in the gathered configuration).
Moreover, also add the env variables http_proxy and https_proxy pointing to your ngrok TCP tunnel, like:
Then, run the basic example from https://github.com/synchronizing/mitm on the port pointed to by the proxy variables (http_proxy and https_proxy).
Finally, click on Build the project; the credentials will be sent in clear text (base64) to the mitm port:
This vulnerability was corrected by AWS at some point during the week of the 20th of February 2023 (I think on Friday), so an attacker can't abuse it anymore :)
An attacker with elevated permissions over a CodeBuild project could leak the GitHub/Bitbucket token configured or, if access was configured via OAuth, the temporary OAuth token used to access the code.
An attacker could add the environment variables http_proxy and https_proxy to the CodeBuild project pointing to his machine (for example http://5.tcp.eu.ngrok.io:14972).
Then, change the URL of the GitHub repo to use HTTP instead of HTTPS, for example: http://github.com/carlospolop-forks/TestActions
Then, run the basic example from https://github.com/synchronizing/mitm on the port pointed to by the proxy variables (http_proxy and https_proxy).
Finally, click on Build the project; the credentials will be sent in clear text (base64) to the mitm port:
Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use them more easily than by using the CodeBuild service directly.
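All three variants on this page (the custom MitM build image, the hidden insecureSsl flag plus proxy variables, and the plain-HTTP source URL plus proxy variables) leave the same footprints in the project definition. The following is an added audit script, not HackTricks code and not an AWS tool, that flags those footprints both in project definitions as returned by boto3's codebuild.batch_get_projects() and in CloudTrail CreateProject/UpdateProject records, whose requestParameters are assumed to mirror the API request shape. The image allowlist, the sample projects and the CloudTrail record are constructed for the demo; the only live call is the optional audit_account() helper, which needs AWS credentials.

```python
"""Defensive audit for the CodeBuild settings this page describes.

Added example; not HackTricks code and not an AWS tool. Works on project
dictionaries in the shape of boto3's codebuild.batch_get_projects() and on
CloudTrail records for CreateProject / UpdateProject, whose requestParameters
are assumed to use the same field names as the CodeBuild API. It flags:
  * source.insecureSsl == True        (TLS certificate checks disabled)
  * http_proxy / https_proxy env vars  (build traffic redirected through a proxy)
  * a source location using http://    (credentials would travel in clear text)
  * a build image outside an allowlist (custom public images such as a MitM image)
All sample data below is constructed for the demo.
"""
import re
from typing import Dict, List

PROXY_VARS = {"http_proxy", "https_proxy"}
# Hypothetical allowlist: AWS managed images and this account's own ECR registry.
TRUSTED_IMAGE_PATTERNS = [
    re.compile(r"^aws/codebuild/"),
    re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/"),
]


def audit_project(project: Dict) -> List[str]:
    """Return one finding string per risky setting in a project definition."""
    findings: List[str] = []
    name = project.get("name", "<unnamed>")
    source = project.get("source") or {}
    env = project.get("environment") or {}

    if source.get("insecureSsl") is True:
        findings.append(f"{name}: source.insecureSsl is enabled")

    location = source.get("location") or ""
    if location.lower().startswith("http://"):
        findings.append(f"{name}: source location uses plain HTTP ({location})")

    # Match case-insensitively: both http_proxy and HTTPS_PROXY are honoured by most tools.
    for var in env.get("environmentVariables") or []:
        if (var.get("name") or "").lower() in PROXY_VARS:
            findings.append(f"{name}: proxy variable {var['name']}={var.get('value')}")

    image = env.get("image") or ""
    if image and not any(p.match(image) for p in TRUSTED_IMAGE_PATTERNS):
        findings.append(f"{name}: build image outside the allowlist ({image})")
    return findings


def scan_cloudtrail(records: List[Dict]) -> List[str]:
    """Apply the same checks to CloudTrail records (the 'Records' list of a log file)."""
    findings: List[str] = []
    for rec in records:
        if rec.get("eventSource") != "codebuild.amazonaws.com":
            continue
        if rec.get("eventName") not in ("CreateProject", "UpdateProject"):
            continue
        actor = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        for f in audit_project(rec.get("requestParameters") or {}):
            findings.append(f"{rec['eventName']} by {actor}: {f}")
    return findings


def audit_account(region: str = "us-east-1") -> Dict[str, List[str]]:
    """Live variant: pull every project in the region with boto3 and audit it."""
    import boto3  # only needed here; everything else runs offline
    cb = boto3.client("codebuild", region_name=region)
    names, kwargs = [], {}
    while True:
        page = cb.list_projects(**kwargs)
        names.extend(page.get("projects", []))
        if not page.get("nextToken"):
            break
        kwargs["nextToken"] = page["nextToken"]
    projects = []
    for i in range(0, len(names), 100):  # batch_get_projects takes up to 100 names
        projects.extend(cb.batch_get_projects(names=names[i:i + 100])["projects"])
    return {p["name"]: audit_project(p) for p in projects if audit_project(p)}


# Constructed sample data: one clean project and one tampered as described on this page.
PROXY_URL = "http://proxy.example.invalid:14972"  # placeholder, not a real host
SAMPLE_PROJECTS = [
    {"name": "app-build",
     "source": {"type": "GITHUB", "location": "https://github.com/example-org/app.git",
                "insecureSsl": False},
     "environment": {"image": "aws/codebuild/standard:7.0",
                     "environmentVariables": [{"name": "STAGE", "value": "prod", "type": "PLAINTEXT"}]}},
    {"name": "app-build-tampered",
     "source": {"type": "GITHUB", "location": "http://github.com/example-org/app",
                "insecureSsl": True},
     "environment": {"image": "docker.io/example-user/custom-image:latest",
                     "environmentVariables": [
                         {"name": "http_proxy", "value": PROXY_URL, "type": "PLAINTEXT"},
                         {"name": "HTTPS_PROXY", "value": PROXY_URL, "type": "PLAINTEXT"}]}},
]
SAMPLE_RECORDS = [{  # constructed CloudTrail record for the tampering UpdateProject call
    "eventSource": "codebuild.amazonaws.com", "eventName": "UpdateProject",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-dev"},
    "requestParameters": SAMPLE_PROJECTS[1],
}]

if __name__ == "__main__":
    for project in SAMPLE_PROJECTS:
        for finding in audit_project(project):
            print(finding)
    for finding in scan_cloudtrail(SAMPLE_RECORDS):
        print(finding)
```

The config audit is the preventive half and the CloudTrail scan the detective half: since every variant on this page requires codebuild:UpdateProject or codebuild:CreateProject on the victim account, restricting those actions (together with codebuild:ImportSourceCredentials) to a small set of principals, and alerting on the records scan_cloudtrail flags, covers the attacker profile the page describes. Note that the insecureSsl route is reported above as fixed by AWS, but the flag and the proxy variables are still worth flagging because they disable or redirect the TLS protection the other variants depend on.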