gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 05:03:31 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bee34f3c05224a1b60f8d143d8e662434c2c1a33
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/README.md
Carlos Polop 716aa06779 translate 2
2025-01-01 23:55:27 +01:00

89 lines
3.4 KiB
Markdown
Raw Blame History

# AWS - CodeBuild Post Exploitation
{{#include ../../../../banners/hacktricks-training.md}}
## CodeBuild
For more information, check:
{{#ref}}
../../aws-services/aws-codebuild-enum.md
{{#endref}}
### Check Secrets
If credentials have been set in Codebuild to connect to Github, Gitlab or Bitbucket in the form of personal tokens, passwords or OAuth token access, these **credentials are going to be stored as secrets in the secret manager**.\
Therefore, if you have access to read the secret manager you will be able to get these secrets and pivot to the connected platform.
{{#ref}}
../../aws-privilege-escalation/aws-secrets-manager-privesc.md
{{#endref}}
### Abuse CodeBuild Repo Access
In order to configure **CodeBuild**, it will need **access to the code repo** that it's going to be using. Several platforms could be hosting this code:
<figure><img src="../../../../images/image (96).png" alt=""><figcaption></figcaption></figure>
The **CodeBuild project must have access** to the configured source provider, either via **IAM role** of with a github/bitbucket **token or OAuth access**.
An attacker with **elevated permissions in over a CodeBuild** could abuse this configured access to leak the code of the configured repo and others where the set creds have access.\
In order to do this, an attacker would just need to **change the repository URL to each repo the config credentials have access** (note that the aws web will list all of them for you):
<figure><img src="../../../../images/image (107).png" alt=""><figcaption></figcaption></figure>
And **change the Buildspec commands to exfiltrate each repo**.
> [!WARNING]
> However, this **task is repetitive and tedious** and if a github token was configured with **write permissions**, an attacker **won't be able to (ab)use those permissions** as he doesn't have access to the token.\
> Or does he? Check the next section
### Leaking Access Tokens from AWS CodeBuild
You can leak access given in CodeBuild to platforms like Github. Check if any access to external platforms was given with:
```bash
aws codebuild list-source-credentials
```
{{#ref}}
aws-codebuild-token-leakage.md
{{#endref}}
### `codebuild:DeleteProject`
An attacker could delete an entire CodeBuild project, causing loss of project configuration and impacting applications relying on the project.
```bash
aws codebuild delete-project --name <value>
```
**Potential Impact**: Loss of project configuration and service disruption for applications using the deleted project.
### `codebuild:TagResource` , `codebuild:UntagResource`
An attacker could add, modify, or remove tags from CodeBuild resources, disrupting your organization's cost allocation, resource tracking, and access control policies based on tags.
```bash
aws codebuild tag-resource --resource-arn <value> --tags <value>
aws codebuild untag-resource --resource-arn <value> --tag-keys <value>
```
**Potential Impact**: Disruption of cost allocation, resource tracking, and tag-based access control policies.
### `codebuild:DeleteSourceCredentials`
An attacker could delete source credentials for a Git repository, impacting the normal functioning of applications relying on the repository.
```sql
aws codebuild delete-source-credentials --arn <value>
```
**Potential Impact**: Disruption of normal functioning for applications relying on the affected repository due to the removal of source credentials.
{{#include ../../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink