Add content from: Infiltrating the AWS Console Supply Chain: Hijacking Core AW...

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md

@@ -185,6 +185,23 @@ aws codebuild start-build --project-name <proj-name>
 > [!WARNING]
 > Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
 
+## Webhook filter ACTOR_ID regex allowlist bypass (PR-triggered privileged builds)
+
+Misconfigured CodeBuild GitHub webhooks that use unanchored `ACTOR_ID` regexes let *untrusted* PRs start privileged builds. If the allowlist is like `123456|7890123` without `^`/`$`, any ID containing one of those substrings matches. Because GitHub user IDs are sequential, an attacker can race to register an “eclipsing” ID (a superstring of a trusted ID) and trigger the build.
+
+**Exploit path**
+
+1. Find public CodeBuild projects exposing webhook filters and extract an unanchored `ACTOR_ID` allowlist.
+2. Obtain an eclipsing GitHub ID:
+   - Sample the global ID counter by creating/deleting GitHub orgs (org IDs share the pool).
+   - Pre-stage many GitHub App manifest creations and fire the confirmation URLs when the counter is within ~100 IDs of the target to burst-register a bot ID containing the trusted substring.
+3. Open a PR from the eclipsing account; the regex matches the substring and the privileged build runs.
+4. Use build RCE (e.g., dependency install hooks) to dump process memory handling the GitHub credential and recover the PAT/OAuth token.
+5. With the token’s `repo` scope, invite your account as collaborator/admin and push/approve malicious commits or exfiltrate secrets.
+
+## References
+- [Wiz: CodeBreach – AWS CodeBuild ACTOR_ID regex bypass and token theft](https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild)
+
 {{#include ../../../../banners/hacktricks-training.md}}