From c86885ebe6ab4e540fba714531748b1258809396 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 6 Jan 2026 12:50:55 +0000 Subject: [PATCH 1/3] Add content from: Holiday Hack Challenge 2025 (Act 1) - Spare Key --- .../azure-security/az-services/az-storage.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/pentesting-cloud/azure-security/az-services/az-storage.md b/src/pentesting-cloud/azure-security/az-services/az-storage.md index 42b9be4ce..71010057e 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-storage.md +++ b/src/pentesting-cloud/azure-security/az-services/az-storage.md @@ -65,6 +65,30 @@ If "Allow Blob public access" is **enabled** (disabled by default), when creatin
+### Static website (`$web`) exposure & leaked secrets + +- **Static websites** are served from the special `$web` container over a region-specific endpoint such as `https://.z13.web.core.windows.net/`. +- The `$web` container may report `publicAccess: null` via the blob API, but files are still reachable through the static site endpoint, so dropping config/IaC artifacts there can leak secrets. +- Quick audit workflow: + +```bash +# Identify storage accounts with static website hosting enabled +az storage blob service-properties show --account-name --auth-mode login +# Enumerate containers (including $web) and their public flags +az storage container list --account-name --auth-mode login +# List files served by the static site even when publicAccess is null +az storage blob list --container-name '$web' --account-name --auth-mode login +# Pull suspicious files directly (e.g., IaC tfvars containing secrets/SAS) +az storage blob download -c '$web' --name iac/terraform.tfvars --file /dev/stdout --account-name --auth-mode login +``` + +- Inspect downloaded files for leaked **SAS tokens** or credentials. SAS params show scope and risk: `sv` (API version), `ss` (services like blob `b`), `srt` (resource types `s`/`c`/`o`), `sp` (permissions such as `r`/`l`/`a`/`c`/`w`/`d`/`x`), `se` (expiry), and `sig` (signature). A wide `sp` set plus far-future `se` indicates a long-lived bearer credential that enables read/list/write/delete until revoked. +- Abuse a recovered SAS immediately, for example: + +```bash +az storage blob list --account-name --container-name --sas-token "" +``` + ### Connect to Storage If you find any **storage** you can connect to you could use the tool [**Microsoft Azure Storage Explorer**](https://azure.microsoft.com/es-es/products/storage/storage-explorer/) to do so. 
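Review bot: the audit workflow in this hunk does not demonstrate the exposure the bullet above it describes. Every command uses `--auth-mode login`, which only works with a data-plane role on the account, while the point being made is that `$web` content is reachable anonymously through the static website endpoint even when the blob API reports `publicAccess: null`. Add an unauthenticated request against the `*.web.core.windows.net` endpoint for the same `iac/terraform.tfvars` path next to the `az storage blob download` line, so the reader can confirm the leak path without credentials. Also, the comment `# Identify storage accounts with static website hosting enabled` overstates what `az storage blob service-properties show --account-name ...` does: it reports the static-website setting of one named account, it does not enumerate accounts across a subscription; reword it as a per-account check.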
@@ -433,6 +457,7 @@ az-file-shares.md - [https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction) - [https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview](https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview) - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) +- [Holiday Hack Challenge 2025 – Spare Key (Azure static website SAS leak)](https://0xdf.gitlab.io/holidayhack2025/act1/spare-key) {{#include ../../../banners/hacktricks-training.md}} From ce30a61d987be6e9c26c8833d836129071501373 Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Tue, 13 Jan 2026 15:55:00 +0100 Subject: [PATCH 2/3] Update az-storage.md --- .../azure-security/az-services/az-storage.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-services/az-storage.md b/src/pentesting-cloud/azure-security/az-services/az-storage.md index 71010057e..413ec5cb0 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-storage.md +++ b/src/pentesting-cloud/azure-security/az-services/az-storage.md 
@@ -82,13 +82,6 @@ az storage blob list --container-name '$web' --account-name --auth-mo az storage blob download -c '$web' --name iac/terraform.tfvars --file /dev/stdout --account-name --auth-mode login ``` -- Inspect downloaded files for leaked **SAS tokens** or credentials. SAS params show scope and risk: `sv` (API version), `ss` (services like blob `b`), `srt` (resource types `s`/`c`/`o`), `sp` (permissions such as `r`/`l`/`a`/`c`/`w`/`d`/`x`), `se` (expiry), and `sig` (signature). A wide `sp` set plus far-future `se` indicates a long-lived bearer credential that enables read/list/write/delete until revoked. -- Abuse a recovered SAS immediately, for example: - -```bash -az storage blob list --account-name --container-name --sas-token "" -``` - ### Connect to Storage If you find any **storage** you can connect to you could use the tool [**Microsoft Azure Storage Explorer**](https://azure.microsoft.com/es-es/products/storage/storage-explorer/) to do so. From a41dc4c89f214e11be0b75e5d828cdea6036719d Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 16 Jan 2026 12:44:49 +0000 Subject: [PATCH 3/3] Add content from: Infiltrating the AWS Console Supply Chain: Hijacking Core AW... --- .../aws-codebuild-token-leakage.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md index c514d7a7c..3fae9a144 100644 --- a/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md +++ b/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md 
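Review bot: on the `@@ -82,13 +82,6 @@` hunk, this deletion leaves the `$web` workflow without an ending. The preceding example still says `# Pull suspicious files directly (e.g., IaC tfvars containing secrets/SAS)`, and the page's reference list still carries `storage-sas-overview` and the Spare Key write-up titled `(Azure static website SAS leak)`, but the text that explained how to read the recovered token (`sp`, `se`, `sig`) and the `az storage blob list ... --sas-token "..."` usage line are gone. If this was removed because the page already covers SAS tokens elsewhere, add a one-line pointer from the `$web` section to that part of the page; otherwise keep at least the `--sas-token` usage line so a reader knows what to do with what the download returns.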
@@ -185,6 +185,23 @@ aws codebuild start-build --project-name > [!WARNING] > Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly. +## Webhook filter ACTOR_ID regex allowlist bypass (PR-triggered privileged builds) + +Misconfigured CodeBuild GitHub webhooks that use unanchored `ACTOR_ID` regexes let *untrusted* PRs start privileged builds. If the allowlist is like `123456|7890123` without `^`/`$`, any ID containing one of those substrings matches. Because GitHub user IDs are sequential, an attacker can race to register an “eclipsing” ID (a superstring of a trusted ID) and trigger the build. + +**Exploit path** + +1. Find public CodeBuild projects exposing webhook filters and extract an unanchored `ACTOR_ID` allowlist. +2. Obtain an eclipsing GitHub ID: + - Sample the global ID counter by creating/deleting GitHub orgs (org IDs share the pool). + - Pre-stage many GitHub App manifest creations and fire the confirmation URLs when the counter is within ~100 IDs of the target to burst-register a bot ID containing the trusted substring. +3. Open a PR from the eclipsing account; the regex matches the substring and the privileged build runs. +4. Use build RCE (e.g., dependency install hooks) to dump process memory handling the GitHub credential and recover the PAT/OAuth token. +5. With the token’s `repo` scope, invite your account as collaborator/admin and push/approve malicious commits or exfiltrate secrets. + +## References +- [Wiz: CodeBreach – AWS CodeBuild ACTOR_ID regex bypass and token theft](https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild) + {{#include ../../../../banners/hacktricks-training.md}}
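Review bot: the filter name used throughout this hunk (`ACTOR_ID` in the heading, in `unanchored ACTOR_ID regexes` and in step 1) is not the name a reader will find in CodeBuild: the webhook filter type in the API and console is `ACTOR_ACCOUNT_ID`. Keep the blog's wording in the reference title if you like, but name `ACTOR_ACCOUNT_ID` at least once in the body and in step 1, otherwise `aws codebuild batch-get-projects --names <project> --query 'projects[].webhook.filterGroups'` output will not match the text. Two smaller points: step 1 says to find projects `exposing webhook filters` without saying how, so cite that `batch-get-projects` query (or whatever enumeration the section above already relies on) there; and since the whole bypass hinges on the missing `^`/`$`, show the anchored form `^(123456|7890123)$` beside the bad example `123456|7890123` so the fix is visible on the page, not only the attack.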