@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Technical Summary: Terraform Cloud Speculative Plan Execution and Credential Exfiltration

What the post shows

A stolen Terraform Cloud CLI token plus the ability to run a speculative plan lets an attacker execute arbitrary code on Terraform Cloud runners and exfiltrate short‑lived cloud credentials (GCP/AWS). Those credentials can then be used with native CLIs to bypass VCS-gated workflows and make out‑of‑band infrastructure changes.


How Terraform + VCS norma...

🔧 Technical Details

Speculative-plan RCE via external data source: In any Terraform workspace you can access, define data "external" with program = ["bash", "./script.sh"]. Running terraform plan executes that program during a speculative run on the runner, enabling arbitrary code execution even when apply is VCS-gated.

Token pivot from developer machines: Steal ~/.terraform.d/credentials.tfrc.json to imperso...

🤖 Agent Actions

I analyzed the blog and HackTricks repository, found the most relevant place to incorporate the new technique, and updated the content accordingly.

What I did:

  • Explored repository structure and reviewed at least 5 related files:
    • src/pentesting-ci-cd/terraform-security.md
    • src/pentesting-ci-cd/atlantis-security.md
    • src/pentesting-ci-cd/circleci-security.md
    • src/pentesting-ci-cd/pentesting-ci-cd-methodology.md
    • src/pentesting-ci-cd/serverless.com-security.md
  • Determined the best fit is updating src/pentesting-ci-cd/terraform-security.md with a new subsection focused on Terraform Cloud speculative plan RCE and credential exfiltration.
  • Added a new section: “Terraform Cloud speculative plan RCE and credential exfiltration” to describe:
    • Attack preconditions (stolen Terr...

✅ Review Checklist

  • Content is technically accurate
  • Formatting follows HackTricks style guidelines
  • Links and references are working
  • Content adds educational value
  • No sensitive information is exposed

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
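A review-time check for the `data "external"` behaviour summarized under Technical Details, added here as an example and not part of this PR, the blog post, or HackTricks: it lists every `data "external"` block in Terraform source together with the program a plan would run, so a reviewer or pre-plan hook can see it before the runner does. The function names and the sample configuration are constructed for illustration, and the regex parsing is a heuristic, not a full HCL parser.

```python
import re

# Constructed sample configuration for this example (not from the blog or the PR).
SAMPLE_TF = '''
resource "google_storage_bucket" "logs" {
  name = "example-logs"
}

data "external" "lookup" {
  program = ["bash", "./script.sh"]
}

# data "external" "commented_out" { program = ["sh", "x.sh"] }

data "google_project" "current" {}
'''

BLOCK_RE = re.compile(r'\bdata\s+"external"\s+"([^"]+)"\s*\{')
PROGRAM_RE = re.compile(r'\bprogram\s*=\s*\[([^\]]*)\]', re.S)


def strip_comments(src):
    """Blank out /* */ blocks and whole-line # or // comments, keeping line numbers."""
    src = re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'), src, flags=re.S)
    return re.sub(r'^[ \t]*(#|//).*', '', src, flags=re.M)


def find_external_data_sources(src):
    """Return (line, name, argv) for every data "external" block in src."""
    clean = strip_comments(src)
    findings = []
    for m in BLOCK_RE.finditer(clean):
        depth, i = 1, m.end()
        while i < len(clean) and depth:  # walk to the matching closing brace
            depth += {'{': 1, '}': -1}.get(clean[i], 0)
            i += 1
        prog = PROGRAM_RE.search(clean[m.end():i])
        argv = re.findall(r'"([^"]*)"', prog.group(1)) if prog else []
        line = clean.count('\n', 0, m.start()) + 1
        findings.append((line, m.group(1), argv))
    return findings


if __name__ == "__main__":
    for line, name, argv in find_external_data_sources(SAMPLE_TF):
        print(f"line {line}: data.external.{name} runs {argv}")
```

A block whose `program` is built from variables or functions is still reported, with an empty argv, which is itself worth a manual look.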

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.pentestpartners.com/security-blog/terraform-token-abuse-speculative-plan/

Content Categories: Based on the analysis, this content was categorized under "Pentesting CI/CD > Terraform Security (add a subsection: Terraform Cloud speculative plan RCE and credential exfiltration)".

Repository Maintenance:

  • MD Files Formatting: 520 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit 179d647 into master Aug 19, 2025
@carlospolop carlospolop deleted the update_Terraform_Cloud_token_abuse_turns_speculative_plan_20250815_124146 branch August 19, 2025 15:22
github-actions bot pushed a commit that referenced this pull request Aug 29, 2025
…oken_abuse_turns_speculative_plan_20250815_124146

Terraform Cloud token abuse turns speculative plan into remo...