GITBOOK-485: change request with no subject merged in GitBook

Author: carlospolop

pentesting-cloud/aws-security/aws-privilege-escalation/aws-codebuild-privesc.md

@@ -101,7 +101,7 @@ In a **Codebuild container** the file `/codebuild/output/tmp/env.sh` contains al
 
 This file contains the **env variable `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`** which contains the **URL path** to access the credentials. It will be something like this `/v2/credentials/2817702c-efcf-4485-9730-8e54303ec420`
 
- Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials.
+Add that to the URL **`http://169.254.170.2/`** and you will be able to dump the role credentials.
 
 Moreover, it also contains the **env variable `ECS_CONTAINER_METADATA_URI`** which contains the complete URL to get **metadata info about the container**.
 {% endhint %}
@@ -276,6 +276,10 @@ aws codebuild start-build --project-name <project-name>
 
 **Impact:** Direct privesc to the role used by the AWS CodeBuild worker that usually has high privileges.
 
+{% hint style="warning" %}
+Note that the buildspec could be expected in zip format, so an attacker would need to download, unzip, modify the `buildspec.yml` from the root directory, zip again and upload
+{% endhint %}
+
 More details could be found [here](https://www.shielder.com/blog/2023/07/aws-codebuild--s3-privilege-escalation/).
 
 **Potential Impact:** Direct privesc to attached AWS Codebuild roles.