You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/pentesting-cloud/aws-security/aws-post-exploitation/aws-codebuild-post-exploitation/aws-codebuild-token-leakage.md
> Now an attacker will be able to use the token from his machine, list all the privileges it has and (ab)use easier than using the CodeBuild service directly.
Misconfigured CodeBuild GitHub webhooks that use unanchored `ACTOR_ID` regexes let *untrusted* PRs start privileged builds. If the allowlist is like `123456|7890123` without `^`/`$`, any ID containing one of those substrings matches. Because GitHub user IDs are sequential, an attacker can race to register an “eclipsing” ID (a superstring of a trusted ID) and trigger the build.
191
+
192
+
**Exploit path**
193
+
194
+
1. Find public CodeBuild projects exposing webhook filters and extract an unanchored `ACTOR_ID` allowlist.
195
+
2. Obtain an eclipsing GitHub ID:
196
+
- Sample the global ID counter by creating/deleting GitHub orgs (org IDs share the pool).
197
+
- Pre-stage many GitHub App manifest creations and fire the confirmation URLs when the counter is within ~100 IDs of the target to burst-register a bot ID containing the trusted substring.
198
+
3. Open a PR from the eclipsing account; the regex matches the substring and the privileged build runs.
199
+
4. Use build RCE (e.g., dependency install hooks) to dump process memory handling the GitHub credential and recover the PAT/OAuth token.
200
+
5. With the token’s `repo` scope, invite your account as collaborator/admin and push/approve malicious commits or exfiltrate secrets.
-**Static websites** are served from the special `$web` container over a region-specific endpoint such as `https://<account>.z13.web.core.windows.net/`.
71
+
- The `$web` container may report `publicAccess: null` via the blob API, but files are still reachable through the static site endpoint, so dropping config/IaC artifacts there can leak secrets.
72
+
- Quick audit workflow:
73
+
74
+
```bash
75
+
# Identify storage accounts with static website hosting enabled
76
+
az storage blob service-properties show --account-name <acc-name> --auth-mode login
77
+
# Enumerate containers (including $web) and their public flags
78
+
az storage container list --account-name <acc-name> --auth-mode login
79
+
# List files served by the static site even when publicAccess is null
80
+
az storage blob list --container-name '$web' --account-name <acc-name> --auth-mode login
-**Locate storage accounts** that can expose data: `az storage account list | jq -r '.[] | select(.properties.allowBlobPublicAccess==true) | .name'`. If `allowBlobPublicAccess` is `false` you cannot turn containers public.
71
88
-**Inspect risky accounts** to confirm the flag and other weak settings: `az storage account show --name <acc> --query '{allow:properties.allowBlobPublicAccess, minTls:properties.minimumTlsVersion}'`.
0 commit comments