gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-03-12 21:22:57 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #246 from HackTricks-wiki/update_Infiltrating_the_AWS_Console_Supply_Chain__Hijacki_20260116_124313

Browse Source 
Infiltrating the AWS Console Supply Chain Hijacking Core AWS...
This commit is contained in:
SirBroccoli
2026-01-18 15:58:08 +01:00
committed by GitHub
parent c716f0a3ba a41dc4c89f
commit 6ced6574a0
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
View File

@@ -185,6 +185,23 @@ aws codebuild start-build --project-name <proj-name>
> [!WARNING]
> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
## Webhook filter ACTOR_ID regex allowlist bypass (PR-triggered privileged builds)
Misconfigured CodeBuild GitHub webhooks that use unanchored `ACTOR_ID` regexes let *untrusted* PRs start privileged builds. If the allowlist is like `123456|7890123` without `^`/`$`, any ID containing one of those substrings matches. Because GitHub user IDs are sequential, an attacker can race to register an “eclipsing” ID (a superstring of a trusted ID) and trigger the build.
**Exploit path**
1. Find public CodeBuild projects exposing webhook filters and extract an unanchored `ACTOR_ID` allowlist.
2. Obtain an eclipsing GitHub ID:
- Sample the global ID counter by creating/deleting GitHub orgs (org IDs share the pool).
- Pre-stage many GitHub App manifest creations and fire the confirmation URLs when the counter is within ~100 IDs of the target to burst-register a bot ID containing the trusted substring.
3. Open a PR from the eclipsing account; the regex matches the substring and the privileged build runs.
4. Use build RCE (e.g., dependency install hooks) to dump process memory handling the GitHub credential and recover the PAT/OAuth token.
5. With the tokens `repo` scope, invite your account as collaborator/admin and push/approve malicious commits or exfiltrate secrets.
## References
- [Wiz: CodeBreach AWS CodeBuild ACTOR_ID regex bypass and token theft](https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild)
{{#include ../../../../banners/hacktricks-training.md}}