Stealing OAuth Github Tokens with AWS CodeBuild
Key Takeaways
The video demonstrates a technique to steal GitHub OAuth tokens using AWS CodeBuild and a custom Docker container. Because CodeBuild lets a privileged user set proxy environment variables and pick the container image a build runs in, a container that routes HTTPS through an attacker-controlled proxy and trusts the attacker's certificate can man-in-the-middle the OAuth credential CodeBuild uses to fetch the repository. The technique involves creating a custom Docker image, modifying an existing CodeBuild project to use it, and letting the build run inside that container; the speaker stresses that it needs high privileges in CodeBuild and abuses a feature rather than a vulnerability.
Full Transcript
I found that in AWS you could just change HTTPS for HTTP and the connection will work, so AWS was just sending me all the configured tokens to my account, to my man-in-the-middle, and then downloading it.

All right everyone, hey, thanks so much for jumping back in. I'm stoked to be hanging out with Carlos Polop and Ignacio Dominguez over from Halborn, where we have been discussing a little bit of CI/CD here: continuous integration, continuous deployment, continuous delivery, however you want to interpret that last little acronym there. But man, we've been doing some sort of crawl, walk, run structure in these videos, and now, moving on, I think we're going to start to run for a little bit. I think we're going to be rocking two demos, both in things that I'm a little bit new to, naive and ignorant on. But I think the first one: we've previously been chatting about Jenkins and GitHub Actions and these sort of, I don't know, knee-jerk reactions to set up CI/CD. I think more formally, in production infrastructure, you're usually working with AWS, Amazon Web Services, or a different cloud hosting provider, and they're using something... is that CodeBuild, is that right? Look, I'd love to be schooled, I'll let you take the floor, man. What's CodeBuild?

Yeah, so the first demo is going to be talking about CodeBuild. CodeBuild is one of these AWS services for CI/CD, one of the main ones, and the goal of CodeBuild is that you are going to be specifying a buildspec, which is kind of the commands you want to run whenever a change happens somewhere, potentially in a repo. So you can say, hey, if this GitHub repo modifies this main branch, I want you to download it, execute some, I don't know, build a Docker container and push it. So it's kind of the way AWS allows you to react to change in your code.

Oh, that sounds at least partially like a sort of desired-state configuration sort of thing, or, just again, very, of course, GitHub Actions-like: look, there's something new, let's work with it. Are there any sort of best practices, or how do you get that right, and especially how do you get that wrong?

So man, obviously, as you said, it's like the GitHub Actions of AWS, but the fun thing about this is that it is the GitHub Actions of AWS. So in here we are saying, hey AWS, you can access GitHub, and GitHub always has a lot of interesting resources. So in Halborn we have this client that talked to me and said, hey man, look, you cannot see the GitHub tokens you are using, but they are very privileged. And in fact I know that most of the companies will get these tokens with all the permissions, just so that it will work, and they will forget about those tokens. Why will they forget about those tokens? Because there is no way to retrieve them. AWS has an API to create the connection with the token, to list the connections without getting the token, and to delete it, but there is no API to say, hey, give me back the token, I want to see it. So this client told me, hey Carlos, is there any way an attacker could get this token? Like, what would happen if someone compromises AWS? Because actually we don't have in AWS anything super sensitive, but this token... is it possible to get it? So I started doing some research and I found this kind of issue in AWS that allowed you to steal this token, because it allowed you to set environment variables, in this case HTTP_PROXY and HTTPS_PROXY, so you could proxify the connection. Oh, there is a drawback: if you use https://github.com, obviously I don't have a valid certificate for that, so they are not going to trust it. But I found that in AWS you could just change HTTPS for HTTP and the connection will work, so AWS was just sending me all the configured tokens to my account, to my man-in-the-middle, and then downloading it. So I found this way and I talked to AWS and I told them, hey guys, you have this problem, it's super simple to fix, you just need to not allow HTTP. And after a month they put exactly that check, they wouldn't allow us to use the HTTP protocol. And unfortunately, man, and this is fun, I found this while I was showing this vulnerability at a conference. So they fixed it like the day before, I didn't check it again, and when I was showing it in the conference the demo was like, oh, I cannot put HTTPS here anymore. So yeah, it was kind of in pieces because of that. And the other day I was checking, I was playing again with CodeBuild, and I found a very nice feature, which was: execute your CodeBuild inside the Docker container of your election. So again, we cannot change the protocol, but we can set the environment variables and we can select the Docker container. Would there be any other environment variable that says, hey, trust this certificate? This is a good one. Well, there is, and if you are thinking about where you can find that, it's in HackTricks.

Nice.

So the demo I would like to show you is about how you can create this Docker container to do a man-in-the-middle saying, hey, trust this certificate, and continue stealing these tokens. The good thing about this is that this is actually an AWS feature, so I don't even consider this a vulnerability, this is just a feature of AWS, because you are just using your own Docker container for this.

That's awesome, I'm stoked to see it. It sounds like this is a bypass to a previous fix with a feature, right? That's super cool.

I saw this and, well, I don't know, I just wanted to try it. So let's find out if I find a way to properly share my screen. I think this is going to work. Okay, so here we are in HackTricks Cloud, and actually here, the HTTP protocol one, in this page right here, we are in AWS pentesting, post-exploitation, CodeBuild token leakage. You can see that actually here it is explaining the technique I just told you, using this protocol, which is fixed, but today we are going to be following this, well, this explanation right here. So let me show how CodeBuild looks like. So if we go to CodeBuild and we go to the projects, here we can see some projects that have tried to be built, and today we have been using this testing one. And as an attacker... so first of all, this is not a vulnerability per se, this is just kind of a post-exploitation technique. Here we are abusing high privileges in CodeBuild, so you need to be high-privileged in CodeBuild, it's not something you will usually be able to do. But let's imagine we have already compromised AWS and we are trying to pivot from AWS, using this CI/CD pipeline, to GitHub, just exactly the opposite of what we did in the other one. So you can go to a CodeBuild project and you can check, or actually what you could try to do, which is going to be easier, you just go to create a project, and one of the main things you need to check is, okay, let's go to GitHub, and here you can see your connection status. And here we can see that, hey, we are already connected to GitHub using OAuth. This means someone has connected here, there is a token we can steal. So now we could create a CodeBuild project with the Docker container I told you, or maybe, if you want to be a little bit more stealthy, we could just modify an existing one, and this is what we are going to be doing today. So I'm going to overwrite the image, and in this case I'm going to be using a custom image, ARM, because I compiled this Docker image in, you know, an ARM machine, so we are using ARM. We are using other registry. I just upgraded the version, I'm going to tell you why in a moment. Update environment. Okay, so now I have configured this CodeBuild project to use my Docker container. What is inside this Docker container? Well, this is what is inside this Docker container. Look how simple the Dockerfile is.

Could you zoom in a little bit, can we amp up that text size? But that looks awesome. So this is it, nice.

This is super simple. We are installing, updating, we are copying the certificate we want the Docker to trust, which is this one, and we are just setting these environment variables. In this case I don't want to steal HTTP communications, because the HTTP communications inside CodeBuild are with the metadata service, which obviously I cannot proxy, because I cannot access it and it will break the whole communication. So in this case I'm just stealing the HTTPS communication and indicating this is the environment variable you can use to say, hey, just trust this certificate, don't worry man, it's all good. Okay, so how can you do this man-in-the-middle? It's actually super simple. You can just copy this, actually, mitmproxy. This is something you install with pip, using pip install mitmproxy or something like this, it's in GitHub, I don't know, it's super simple. So I'm going to be executing this. We are, well, as I said, we are listening on port 444, let's get everything, and let's allow the host github.com, we don't want to steal other stuff. So because the Docker container should be using this address as man-in-the-middle, we should get here the communication from CodeBuild to GitHub. We are going to be stealing not a traditional GitHub token but an OAuth GitHub token. This means that even if you configure AWS CodeBuild to use GitHub via OAuth, we can still man-in-the-middle that. The token is going to be short-lived, I think it was like five minutes, but we will be able to completely abuse it. Okay, so I press on start build. It's in progress, here we should see in a moment that it's getting executed. Okay, provisioning, downloading source. So sometimes, like, AWS is using some kind of public access to Docker Hub, which is where I have the Docker container, and it sometimes says like, hey, you have been trying to download too many, and you just need to retry. Anyway, we see that we successfully man-in-the-middled this token, and with this OAuth GitHub token we will be able to access my... actually this is our testing GitHub account, it's not my main personal one, but, yeah, I mean, like, we managed to pivot from AWS to GitHub. I really hope you enjoyed this technique.

I love that, I think that's so cool. I hadn't seen that, like, Docker man-in-the-middle setup and structure before, so that is very, very slick. Are there any... I feel awful asking this, are there any preventions or protections against that? It's a feature, right, that's just what AWS will naturally let you do.

So, the obvious main protection is don't give privileged access to CodeBuild, right? But there should be more, like there should be a way that only AWS will be able to access these tokens. So for example, I haven't tried this specific Docker feature in GCP, but what I see GCP is doing is they have kind of their own man-in-the-middle. So instead of getting the container to download the repo directly from GitHub, they download it to an internal process, an internal service of their own, which at the moment I think is called like Cloud Repository or something like this, and then it downloads from there. So actually you don't need that token, you cannot steal the GitHub token because you don't have it, you know?

Wow. I wonder if that's possible with AWS CodeCommit. AWS also has a service that acts like GitHub, CodeCommit is the name of that.

Yeah, yeah. I don't know if you can make it replicate a GitHub repository; if that's the case you could do the same kind of exercise in AWS. I guess we will find out in a future video.

Absolutely, if the YouTube comments don't beat us to it. But goodness, that one is crazy cool. Is there anything more to unpack there, or is that like, hey, mic drop, look at this wild crazy thing, you can steal and swipe those GitHub tokens even through AWS? I love that, that's like such a reverse approach from what we showcased in the previous videos.

So from my side I didn't prepare anything else. Okay. But I don't know man, like, what I love to say when I talk in some conferences is that today's red team is not about compromising an internal network and escalating privileges in Active Directory, at least not in today's startups, but about compromising one SaaS or cloud provider and from there stealing tokens and accessing the others. Like, the more techniques you have like this one for your red teams, the better you're going to be at stealing a lot of accesses.

That is so slick, and man, what a cool technique. I've got to take a look within HackTricks, because man, it looks like all the secret sauce, a lot of the quick copy-paste syntax, you've already got readily available and willing to share over on HackTricks Cloud. So hey, kudos to you man, and thank you, thank you, thank you. If you're cool with it, I think that would be a really cool wrap-up for this video, and I think maybe, just, I don't know, being cognizant of time, we could probably roll, Ignacio, your next demo for dependency confusion in the next one, and then, I don't know, we'll keep running. Does that work?

Yep.
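The technique discussed in the video boils down to one configuration pattern: a CodeBuild project whose GitHub source is fetched with a stored OAuth token into a build environment that whoever can edit the project fully controls (custom image, proxy variables, extra certificate trust). The following defender-side audit is an added example, not code from the video, HackTricks or AWS; it assumes the field names of the public `aws codebuild batch-get-projects` response (`source.auth.type`, `environment.image`, `environment.environmentVariables`) and runs on a constructed sample in place of live output.

```python
"""Audit CodeBuild projects for the combination described above: a GitHub source
fetched with a stored OAuth token into a build environment that whoever edits the
project controls. Added example, not code from the video or AWS; the field names
are assumed from the public batch-get-projects response shape."""
import json
import re

MANAGED_IMAGE_PREFIX = "aws/codebuild/"  # AWS-managed build images
PROXY_RE = re.compile(r"^(HTTP|HTTPS|ALL|NO)_PROXY$", re.IGNORECASE)
CA_TRUST_RE = re.compile(r"(CA_?BUNDLE|CAINFO|CERT|SSL_|TLS_)", re.IGNORECASE)


def audit_project(project: dict) -> list:
    """Return findings for one project; an empty list means nothing suspicious."""
    source, env = project.get("source", {}), project.get("environment", {})
    github_oauth = (source.get("type") in ("GITHUB", "GITHUB_ENTERPRISE")
                    and source.get("auth", {}).get("type") == "OAUTH")
    image = env.get("image", "")
    names = [v.get("name", "") for v in env.get("environmentVariables", [])]
    proxy_vars = sorted(n for n in names if PROXY_RE.match(n))
    ca_vars = sorted(n for n in names if CA_TRUST_RE.search(n))  # extra CA bundle hints

    findings = []
    if image and not image.startswith(MANAGED_IMAGE_PREFIX):
        findings.append(f"custom build image {image!r} instead of a managed image")
    if proxy_vars:
        findings.append("proxy variables set: " + ", ".join(proxy_vars))
    if ca_vars:
        findings.append("CA-trust variables set: " + ", ".join(ca_vars))
    if github_oauth and findings:
        # The stored token is used by the source download, which runs inside an
        # environment whose image, proxy and trust store the project editor chose.
        findings.append("HIGH: GitHub OAuth token is exposed to whoever edits this project")
    return findings


def audit_response(response: dict) -> dict:
    """Audit every project in a batch-get-projects style response."""
    return {p["name"]: audit_project(p) for p in response.get("projects", [])}


# Constructed sample response (no real account, image or host data).
SAMPLE = json.loads("""{"projects": [
 {"name": "baseline",
  "source": {"type": "GITHUB", "location": "https://github.com/example/app", "auth": {"type": "OAUTH"}},
  "environment": {"type": "LINUX_CONTAINER", "image": "aws/codebuild/standard:7.0", "environmentVariables": []}},
 {"name": "testing",
  "source": {"type": "GITHUB", "location": "https://github.com/example/app", "auth": {"type": "OAUTH"}},
  "environment": {"type": "ARM_CONTAINER", "image": "docker.io/example/custom-build:latest",
   "environmentVariables": [{"name": "HTTPS_PROXY", "value": "http://10.0.0.5:444", "type": "PLAINTEXT"},
                            {"name": "SSL_CERT_FILE", "value": "/certs/ca.pem", "type": "PLAINTEXT"}]}}]}""")

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE).items():
        print(name, "->", findings or ["no findings"])
```

Pair the configuration audit with CloudTrail alerting on `UpdateProject` calls from `codebuild.amazonaws.com`, since the demo relies on quietly editing an existing project rather than creating a new one.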
Original Description
https://jh.live/halborn || Carlos Polop from HALBORN showcases his technique to exfiltrate Github tokens via the AWS CodeBuild cloud service, with a custom Docker container to man-in-the-middle the OAuth credentials!
You can learn more about Carlos Polop, Ignacio Dominguez or the security audits and assessments that HALBORN performs at https://jh.live/halborn
Check out the vulnerability disclosure writeup from HALBORN: https://www.halborn.com/blog/post/halborn-discovers-and-discloses-vulnerability-in-aws-code-build
00:00 Preview
00:20 Introduction with Carlos & Ignacio
01:00 AWS CodeBuild Background
02:12 CodeBuild and GitHub Mishaps
05:12 Execute CodeBuild within a Docker Container
06:43 Demo: Stealing GitHub Tokens with Man-in-the-Middle
12:17 Takeaways: Mitigation & Today's Red Teamers