gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-04 19:11:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

Browse Source
This commit is contained in:
Translator
2024-12-31 20:24:43 +00:00
parent 10e2881a9b
commit 9ce07d92a3
245 changed files with 9883 additions and 12659 deletions
Download Patch File Download Diff File Expand all files Collapse all files

256
src/pentesting-ci-cd/github-security/README.md
View File

@@ -2,41 +2,41 @@
{{#include ../../banners/hacktricks-training.md}}
## What is Github
## Šta je Github
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) At a high level, **GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code**.
(From [here](https://kinsta.com/knowledgebase/what-is-github/)) Na visokom nivou, **GitHub je veb sajt i usluga zasnovana na oblaku koja pomaže programerima da čuvaju i upravljaju svojim kodom, kao i da prate i kontrolišu promene u svom kodu**.
### Basic Information
### Osnovne informacije
{{#ref}}
basic-github-information.md
{{#endref}}
## External Recon
## Spoljašnje istraživanje
Github repositories can be configured as public, private and internal.
Github repozitorijumi mogu biti konfigurisani kao javni, privatni i interni.
- **Private** means that **only** people of the **organisation** will be able to access them
- **Internal** means that **only** people of the **enterprise** (an enterprise may have several organisations) will be able to access it
- **Public** means that **all internet** is going to be able to access it.
- **Privatni** znači da će **samo** ljudi iz **organizacije** moći da im pristupe
- **Interni** znači da će **samo** ljudi iz **preduzeća** (preduzeće može imati nekoliko organizacija) moći da mu pristupe
- **Javni** znači da će **svi na internetu** moći da mu pristupe.
In case you know the **user, repo or organisation you want to target** you can use **github dorks** to find sensitive information or search for **sensitive information leaks** **on each repo**.
U slučaju da znate **korisnika, repozitorijum ili organizaciju koju želite da ciljate**, možete koristiti **github dorks** da pronađete osetljive informacije ili pretražujete **curenja osetljivih informacija** **u svakom repozitorijumu**.
### Github Dorks
Github allows to **search for something specifying as scope a user, a repo or an organisation**. Therefore, with a list of strings that are going to appear close to sensitive information you can easily **search for potential sensitive information in your target**.
Github omogućava da **pretražujete nešto specificirajući kao opseg korisnika, repozitorijuma ili organizacije**. Stoga, sa listom stringova koji će se pojaviti blizu osetljivih informacija, možete lako **pretraživati potencijalne osetljive informacije u vašem cilju**.
Tools (each tool contains its list of dorks):
Alati (svaki alat sadrži svoju listu dorks):
- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Dorks list](https://github.com/obheda12/GitDorker/tree/master/Dorks))
- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Dorks list](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Dorks list](https://github.com/hisxo/gitGraber/tree/master/wordlists))
- [https://github.com/obheda12/GitDorker](https://github.com/obheda12/GitDorker) ([Lista Dorks](https://github.com/obheda12/GitDorker/tree/master/Dorks))
- [https://github.com/techgaun/github-dorks](https://github.com/techgaun/github-dorks) ([Lista Dorks](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt))
- [https://github.com/hisxo/gitGraber](https://github.com/hisxo/gitGraber) ([Lista Dorks](https://github.com/hisxo/gitGraber/tree/master/wordlists))
### Github Leaks
### Github Curenja
Please, note that the github dorks are also meant to search for leaks using github search options. This section is dedicated to those tools that will **download each repo and search for sensitive information in them** (even checking certain depth of commits).
Molimo vas, imajte na umu da su github dorks takođe namenjeni pretraživanju curenja koristeći github opcije pretrage. Ova sekcija je posvećena onim alatima koji će **preuzeti svaki repozitorijum i pretražiti osetljive informacije u njima** (čak proveravajući određenu dubinu commit-a).
Tools (each tool contains its list of regexes):
Alati (svaki alat sadrži svoju listu regex-a):
- [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
- [https://github.com/trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog)
@@ -47,202 +47,190 @@ Tools (each tool contains its list of regexes):
- [https://github.com/awslabs/git-secrets](https://github.com/awslabs/git-secrets)
> [!WARNING]
> When you look for leaks in a repo and run something like `git log -p` don't forget there might be **other branches with other commits** containing secrets!
> Kada tražite curenja u repozitorijumu i pokrenete nešto poput `git log -p`, ne zaboravite da mogu postojati **druge grane sa drugim commit-ima** koje sadrže tajne!
### External Forks
### Spoljašnji Forkovi
It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork).
Moguće je **kompromitovati repozitorijume zloupotrebom pull zahteva**. Da biste znali da li je repozitorijum ranjiv, uglavnom treba da pročitate Github Actions yaml konfiguracije. [**Više informacija o ovome u nastavku**](./#execution-from-a-external-fork).
### Github Leaks in deleted/internal forks
### Github Curenja u obrisanim/internim forkovima
Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here:
Čak i ako su obrisani ili interni, može biti moguće dobiti osetljive podatke iz forkova github repozitorijuma. Proverite ovde:
{{#ref}}
accessible-deleted-data-in-github.md
{{#endref}}
## Organization Hardening
## Ojačavanje organizacije
### Member Privileges
### Privilegije članova
There are some **default privileges** that can be assigned to **members** of the organization. These can be controlled from the page `https://github.com/organizations/<org_name>/settings/member_privileges` or from the [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
Postoje neke **podrazumevane privilegije** koje se mogu dodeliti **članovima** organizacije. Ove se mogu kontrolisati sa stranice `https://github.com/organizations/<org_name>/settings/member_privileges` ili iz [**Organizations API**](https://docs.github.com/en/rest/orgs/orgs).
- **Base permissions**: Members will have the permission None/Read/write/Admin over the org repositories. Recommended is **None** or **Read**.
- **Repository forking**: If not necessary, it's better to **not allow** members to fork organization repositories.
- **Pages creation**: If not necessary, it's better to **not allow** members to publish pages from the org repos. If necessary you can allow to create public or private pages.
- **Integration access requests**: With this enabled outside collaborators will be able to request access for GitHub or OAuth apps to access this organization and its resources. It's usually needed, but if not, it's better to disable it.
- _I couldn't find this info in the APIs response, share if you do_
- **Repository visibility change**: If enabled, **members** with **admin** permissions for the **repository** will be able to **change its visibility**. If disabled, only organization owners can change repository visibilities. If you **don't** want people to make things **public**, make sure this is **disabled**.
- _I couldn't find this info in the APIs response, share if you do_
- **Repository deletion and transfer**: If enabled, members with **admin** permissions for the repository will be able to **delete** or **transfer** public and private **repositories.**
- _I couldn't find this info in the APIs response, share if you do_
- **Allow members to create teams**: If enabled, any **member** of the organization will be able to **create** new **teams**. If disabled, only organization owners can create new teams. It's better to have this disabled.
- _I couldn't find this info in the APIs response, share if you do_
- **More things can be configured** in this page but the previous are the ones more security related.
- **Osnovne dozvole**: Članovi će imati dozvolu None/Read/write/Admin za repozitorijume organizacije. Preporučuje se **None** ili **Read**.
- **Forkovanje repozitorijuma**: Ako nije neophodno, bolje je **ne dozvoliti** članovima da fork-uju repozitorijume organizacije.
- **Kreiranje stranica**: Ako nije neophodno, bolje je **ne dozvoliti** članovima da objavljuju stranice iz repozitorijuma organizacije. Ako je neophodno, možete dozvoliti kreiranje javnih ili privatnih stranica.
- **Zahtevi za pristup integraciji**: Sa ovim omogućeno, spoljnim saradnicima će biti omogućeno da zatraže pristup za GitHub ili OAuth aplikacije da pristupe ovoj organizaciji i njenim resursima. Obično je potrebno, ali ako nije, bolje je onemogućiti to.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Promena vidljivosti repozitorijuma**: Ako je omogućeno, **članovi** sa **admin** dozvolama za **repozitorijum** će moći da **promene njegovu vidljivost**. Ako je onemogućeno, samo vlasnici organizacije mogu menjati vidljivosti repozitorijuma. Ako ne želite da ljudi učine stvari **javnim**, uverite se da je ovo **onemogućeno**.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Brisanje i prenos repozitorijuma**: Ako je omogućeno, članovi sa **admin** dozvolama za repozitorijum će moći da **obrišu** ili **prenose** javne i privatne **repozitorijume**.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Dozvoliti članovima da kreiraju timove**: Ako je omogućeno, svaki **član** organizacije će moći da **kreira** nove **timove**. Ako je onemogućeno, samo vlasnici organizacije mogu kreirati nove timove. Bolje je da ovo bude onemogućeno.
- _Nisam mogao pronaći ove informacije u API odgovoru, podelite ako ih pronađete_
- **Još stvari se mogu konfigurisati** na ovoj stranici, ali prethodne su one koje su više vezane za bezbednost.
### Actions Settings
### Podešavanja akcija
Several security related settings can be configured for actions from the page `https://github.com/organizations/<org_name>/settings/actions`.
Nekoliko podešavanja vezanih za bezbednost može se konfigurisati za akcije sa stranice `https://github.com/organizations/<org_name>/settings/actions`.
> [!NOTE]
> Note that all this configurations can also be set on each repository independently
> Imajte na umu da se sve ove konfiguracije takođe mogu postaviti na svakom repozitorijumu nezavisno
- **Github actions policies**: It allows you to indicate which repositories can tun workflows and which workflows should be allowed. It's recommended to **specify which repositories** should be allowed and not allow all actions to run.
- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
- **Fork pull request workflows from outside collaborators**: It's recommended to **require approval for all** outside collaborators.
- _I couldn't find an API with this info, share if you do_
- **Run workflows from fork pull requests**: It's highly **discouraged to run workflows from pull requests** as maintainers of the fork origin will be given the ability to use tokens with read permissions on the source repository.
- _I couldn't find an API with this info, share if you do_
- **Workflow permissions**: It's highly recommended to **only give read repository permissions**. It's discouraged to give write and create/approve pull requests permissions to avoid the abuse of the GITHUB_TOKEN given to running workflows.
- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
- **Github akcije politike**: Omogućava vam da navedete koji repozitorijumi mogu pokretati radne tokove i koji radni tokovi bi trebali biti dozvoljeni. Preporučuje se da **specificirate koji repozitorijumi** bi trebali biti dozvoljeni i ne dozvoliti svim akcijama da se pokreću.
- [**API-1**](https://docs.github.com/en/rest/actions/permissions#get-allowed-actions-and-reusable-workflows-for-an-organization)**,** [**API-2**](https://docs.github.com/en/rest/actions/permissions#list-selected-repositories-enabled-for-github-actions-in-an-organization)
- **Fork pull request radni tokovi od spoljnjih saradnika**: Preporučuje se da **zahtevate odobrenje za sve** spoljne saradnike.
- _Nisam mogao pronaći API sa ovim informacijama, podelite ako ih pronađete_
- **Pokretanje radnih tokova iz fork pull zahteva**: Veoma je **nepreporučljivo pokretati radne tokove iz pull zahteva** jer će održavaoci fork porekla dobiti mogućnost korišćenja tokena sa dozvolama za čitanje na izvorni repozitorijum.
- _Nisam mogao pronaći API sa ovim informacijama, podelite ako ih pronađete_
- **Dozvole radnog toka**: Veoma se preporučuje da **samo date dozvole za čitanje repozitorijuma**. Ne preporučuje se davanje dozvola za pisanje i kreiranje/odobravanje pull zahteva kako bi se izbegla zloupotreba GITHUB_TOKEN-a datog pokrenutim radnim tokovima.
- [**API**](https://docs.github.com/en/rest/actions/permissions#get-default-workflow-permissions-for-an-organization)
### Integrations
### Integracije
_Let me know if you know the API endpoint to access this info!_
_Javite mi ako znate API krajnju tačku za pristup ovim informacijama!_
- **Third-party application access policy**: It's recommended to restrict the access to every application and allow only the needed ones (after reviewing them).
- **Installed GitHub Apps**: It's recommended to only allow the needed ones (after reviewing them).
- **Politika pristupa aplikacijama trećih strana**: Preporučuje se ograničiti pristup svakoj aplikaciji i dozvoliti samo potrebne (nakon pregleda).
- **Instalirane GitHub aplikacije**: Preporučuje se dozvoliti samo potrebne (nakon pregleda).
## Recon & Attacks abusing credentials
## Istraživanje i napadi zloupotrebom kredencijala
For this scenario we are going to suppose that you have obtained some access to a github account.
Za ovaj scenario pretpostavićemo da ste dobili neki pristup github nalogu.
### With User Credentials
### Sa korisničkim kredencijalima
If you somehow already have credentials for a user inside an organization you can **just login** and check which **enterprise and organization roles you have**, if you are a raw member, check which **permissions raw members have**, in which **groups** you are, which **permissions you have** over which **repos,** and **how are the repos protected.**
Ako nekako već imate kredencijale za korisnika unutar organizacije, možete **samo da se prijavite** i proverite koje **preduzetničke i organizacione uloge imate**, ako ste običan član, proverite koje **dozvole imaju obični članovi**, u kojim **grupama** ste, koje **dozvole imate** nad kojim **repozitorijumima** i **kako su repozitorijumi zaštićeni**.
Note that **2FA may be used** so you will only be able to access this information if you can also **pass that check**.
Imajte na umu da se **2FA može koristiti** tako da ćete moći da pristupite ovim informacijama samo ako takođe možete **proći tu proveru**.
> [!NOTE]
> Note that if you **manage to steal the `user_session` cookie** (currently configured with SameSite: Lax) you can **completely impersonate the user** without needing credentials or 2FA.
> Imajte na umu da ako **uspete da ukradete `user_session` kolačić** (trenutno konfigurisano sa SameSite: Lax) možete **potpuno imitirati korisnika** bez potrebe za kredencijalima ili 2FA.
Check the section below about [**branch protections bypasses**](./#branch-protection-bypass) in case it's useful.
Proverite odeljak u nastavku o [**zaobilaznicama zaštite grana**](./#branch-protection-bypass) u slučaju da je korisno.
### With User SSH Key
### Sa korisničkim SSH ključem
Github allows **users** to set **SSH keys** that will be used as **authentication method to deploy code** on their behalf (no 2FA is applied).
With this key you can perform **changes in repositories where the user has some privileges**, however you can not sue it to access github api to enumerate the environment. However, you can get **enumerate local settings** to get information about the repos and user you have access to:
Github omogućava **korisnicima** da postave **SSH ključeve** koji će se koristiti kao **metoda autentifikacije za implementaciju koda** u njihovo ime (2FA se ne primenjuje).
Sa ovim ključem možete izvršiti **promene u repozitorijumima gde korisnik ima neke privilegije**, međutim ne možete ga koristiti za pristup github API-ju da enumerišete okruženje. Međutim, možete **enumerisati lokalne postavke** da dobijete informacije o repozitorijumima i korisniku kojem imate pristup:
```bash
# Go to the the repository folder
# Get repo config and current user name and email
git config --list
```
Ako je korisnik konfigurisao svoje korisničko ime kao svoje github korisničko ime, možete pristupiti **javnim ključevima koje je postavio** na svom nalogu na _https://github.com/\<github_username>.keys_, možete proveriti ovo da potvrdite da li se privatni ključ koji ste pronašli može koristiti.
If the user has configured its username as his github username you can access the **public keys he has set** in his account in _https://github.com/\<github_username>.keys_, you could check this to confirm the private key you found can be used.
**SSH ključevi** se takođe mogu postaviti u repozitorijume kao **deploy ključevi**. Svako ko ima pristup ovom ključiću moći će da **pokrene projekte iz repozitorijuma**. Obično, na serveru sa različitim deploy ključevima, lokalna datoteka **`~/.ssh/config`** će vam dati informacije o tome kojem ključu se odnosi.
**SSH keys** can also be set in repositories as **deploy keys**. Anyone with access to this key will be able to **launch projects from a repository**. Usually in a server with different deploy keys the local file **`~/.ssh/config`** will give you info about key is related.
#### GPG Ključevi
#### GPG Keys
As explained [**here**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md) sometimes it's needed to sign the commits or you might get discovered.
Check locally if the current user has any key with:
Kao što je objašnjeno [**ovde**](https://github.com/carlospolop/hacktricks-cloud/blob/master/pentesting-ci-cd/github-security/broken-reference/README.md), ponekad je potrebno potpisati commit-e ili biste mogli biti otkriveni.
Proverite lokalno da li trenutni korisnik ima neki ključ sa:
```shell
gpg --list-secret-keys --keyid-format=long
```
### Sa korisničkim tokenom
### With User Token
Za uvod o [**korisničkim tokenima proverite osnovne informacije**](basic-github-information.md#personal-access-tokens).
For an introduction about [**User Tokens check the basic information**](basic-github-information.md#personal-access-tokens).
Korisnički token može biti korišćen **umesto lozinke** za Git preko HTTPS-a, ili može biti korišćen za [**autentifikaciju na API preko osnovne autentifikacije**](https://docs.github.com/v3/auth/#basic-authentication). U zavisnosti od privilegija koje su mu dodeljene, možda ćete moći da izvršite različite radnje.
A user token can be used **instead of a password** for Git over HTTPS, or can be used to [**authenticate to the API over Basic Authentication**](https://docs.github.com/v3/auth/#basic-authentication). Depending on the privileges attached to it you might be able to perform different actions.
Korisnički token izgleda ovako: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
A User token looks like this: `ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123`
### Sa Oauth aplikacijom
### With Oauth Application
Za uvod o [**Github Oauth aplikacijama proverite osnovne informacije**](basic-github-information.md#oauth-applications).
For an introduction about [**Github Oauth Applications check the basic information**](basic-github-information.md#oauth-applications).
Napadač može kreirati **malicious Oauth aplikaciju** da bi pristupio privilegovanim podacima/radnjama korisnika koji je prihvataju verovatno kao deo phishing kampanje.
An attacker might create a **malicious Oauth Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
Ovo su [opsegovi koje Oauth aplikacija može zatražiti](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). Uvek treba proveriti tražene opsegove pre nego što ih prihvatite.
These are the [scopes an Oauth application can request](https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps). A should always check the scopes requested before accepting them.
Pored toga, kao što je objašnjeno u osnovnim informacijama, **organizacije mogu dati/oduzeti pristup trećim aplikacijama** informacijama/repozitorijima/radnjama vezanim za organizaciju.
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
### Sa Github aplikacijom
### With Github Application
Za uvod o [**Github aplikacijama proverite osnovne informacije**](basic-github-information.md#github-applications).
For an introduction about [**Github Applications check the basic information**](basic-github-information.md#github-applications).
Napadač može kreirati **malicious Github aplikaciju** da bi pristupio privilegovanim podacima/radnjama korisnika koji je prihvataju verovatno kao deo phishing kampanje.
An attacker might create a **malicious Github Application** to access privileged data/actions of the users that accepts them probably as part of a phishing campaign.
Pored toga, kao što je objašnjeno u osnovnim informacijama, **organizacije mogu dati/oduzeti pristup trećim aplikacijama** informacijama/repozitorijima/radnjama vezanim za organizaciju.
Moreover, as explained in the basic information, **organizations can give/deny access to third party applications** to information/repos/actions related with the organisation.
## Kompromitovanje i zloupotreba Github akcije
## Compromise & Abuse Github Action
There are several techniques to compromise and abuse a Github Action, check them here:
Postoji nekoliko tehnika za kompromitovanje i zloupotrebu Github akcije, proverite ih ovde:
{{#ref}}
abusing-github-actions/
{{#endref}}
## Branch Protection Bypass
## Obilaženje zaštite grane
- **Require a number of approvals**: If you compromised several accounts you might just accept your PRs from other accounts. If you just have the account from where you created the PR you cannot accept your own PR. However, if you have access to a **Github Action** environment inside the repo, using the **GITHUB_TOKEN** you might be able to **approve your PR** and get 1 approval this way.
- _Note for this and for the Code Owners restriction that usually a user won't be able to approve his own PRs, but if you are, you can abuse it to accept your PRs._
- **Dismiss approvals when new commits are pushed**: If this isnt set, you can submit legit code, wait till someone approves it, and put malicious code and merge it into the protected branch.
- **Require reviews from Code Owners**: If this is activated and you are a Code Owner, you could make a **Github Action create your PR and then approve it yourself**.
- When a **CODEOWNER file is missconfigured** Github doesn't complain but it does't use it. Therefore, if it's missconfigured it's **Code Owners protection isn't applied.**
- **Allow specified actors to bypass pull request requirements**: If you are one of these actors you can bypass pull request protections.
- **Include administrators**: If this isnt set and you are admin of the repo, you can bypass this branch protections.
- **PR Hijacking**: You could be able to **modify the PR of someone else** adding malicious code, approving the resulting PR yourself and merging everything.
- **Removing Branch Protections**: If you are an **admin of the repo you can disable the protections**, merge your PR and set the protections back.
- **Bypassing push protections**: If a repo **only allows certain users** to send push (merge code) in branches (the branch protection might be protecting all the branches specifying the wildcard `*`).
- If you have **write access over the repo but you are not allowed to push code** because of the branch protection, you can still **create a new branch** and within it create a **github action that is triggered when code is pushed**. As the **branch protection won't protect the branch until it's created**, this first code push to the branch will **execute the github action**.
- **Zahtevajte određeni broj odobrenja**: Ako ste kompromitovali nekoliko naloga, možete jednostavno prihvatiti svoje PR-ove iz drugih naloga. Ako imate samo nalog sa kojeg ste kreirali PR, ne možete prihvatiti svoj PR. Međutim, ako imate pristup **Github Action** okruženju unutar repozitorijuma, koristeći **GITHUB_TOKEN** možda ćete moći da **odobrite svoj PR** i dobijete 1 odobrenje na ovaj način.
- _Napomena za ovo i za ograničenje vlasnika koda da obično korisnik neće moći da odobri svoje PR-ove, ali ako možete, možete to zloupotrebiti da prihvatite svoje PR-ove._
- **Odbacite odobrenja kada su novi commit-ovi poslati**: Ako ovo nije postavljeno, možete poslati legitiman kod, čekati da ga neko odobri, a zatim staviti maliciozni kod i spojiti ga u zaštićenu granu.
- **Zahtevajte preglede od vlasnika koda**: Ako je ovo aktivirano i vi ste vlasnik koda, mogli biste napraviti **Github Action da kreira vaš PR i zatim ga odobrite sami**.
- Kada je **CODEOWNER datoteka pogrešno konfigurisana**, Github se ne žali, ali je ne koristi. Stoga, ako je pogrešno konfigurisana, **zaštita vlasnika koda nije primenjena.**
- **Dozvolite određenim akterima da zaobiđu zahteve za povlačenje**: Ako ste jedan od ovih aktera, možete zaobići zaštitu zahteva za povlačenje.
- **Uključite administratore**: Ako ovo nije postavljeno i vi ste administrator repozitorijuma, možete zaobići ovu zaštitu grane.
- **PR otmica**: Možda ćete moći da **modifikujete PR nekog drugog** dodajući maliciozni kod, odobravajući rezultantni PR sami i spajajući sve.
- **Uklanjanje zaštite grane**: Ako ste **administrator repozitorijuma, možete onemogućiti zaštite**, spojiti svoj PR i ponovo postaviti zaštite.
- **Obilaženje zaštita za slanje**: Ako repozitorijum **samo dozvoljava određenim korisnicima** da šalju push (spajaju kod) u granama (zaštita grane može štititi sve grane specificirajući wildcard `*`).
- Ako imate **pristup pisanju u repozitorijumu, ali vam nije dozvoljeno da šaljete kod** zbog zaštite grane, još uvek možete **napraviti novu granu** i unutar nje kreirati **github akciju koja se aktivira kada se kod pošalje**. Kako **zaštita grane neće štititi granu dok ne bude kreirana**, ovo prvo slanje koda u granu će **izvršiti github akciju**.
## Bypass Environments Protections
## Obilaženje zaštita okruženja
For an introduction about [**Github Environment check the basic information**](basic-github-information.md#git-environments).
Za uvod o [**Github okruženju proverite osnovne informacije**](basic-github-information.md#git-environments).
In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one).
Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
U slučaju da se okruženje može **pristupiti sa svih grana**, **nije zaštićeno** i možete lako pristupiti tajnama unutar okruženja. Imajte na umu da možete pronaći repozitorijume gde su **sve grane zaštićene** (specifikovanjem njihovih imena ili korišćenjem `*`), u tom scenariju, **pronađite granu u kojoj možete poslati kod** i možete **izvući** tajne kreirajući novu github akciju (ili modifikujući jednu).
Napomena, možete naići na ivicu slučaja gde su **sve grane zaštićene** (putem wildcard `*`) i specificirano je **ko može slati kod u grane** (_to možete specificirati u zaštiti grane_) i **vašem korisniku nije dozvoljeno**. I dalje možete pokrenuti prilagođenu github akciju jer možete kreirati granu i koristiti okidač za slanje preko nje same. **Zaštita grane dozvoljava slanje u novu granu, tako da će github akcija biti aktivirana**.
```yaml
push: # Run it when a push is made to a branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
```
Napomena da će se **nakon kreiranja** grane **zaštita grane primeniti na novu granu** i nećete moći da je izmenite, ali do tada ćete već izvući tajne.
Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
## Persistencija
## Persistence
- Generišite **korisnički token**
- Ukradite **github tokene** iz **tajni**
- **Brisanje** rezultata **workflow-a** i **grana**
- Dajte **više dozvola celoj organizaciji**
- Kreirajte **webhook-ove** za exfiltraciju informacija
- Pozovite **spoljašnje saradnike**
- **Uklonite** **webhook-ove** koje koristi **SIEM**
- Kreirajte/izmenite **Github Action** sa **bekdoor-om**
- Pronađite **ranjivu Github Action za injekciju komandi** putem **modifikacije** vrednosti **tajne**
- Generate **user token**
- Steal **github tokens** from **secrets**
- **Deletion** of workflow **results** and **branches**
- Give **more permissions to all the org**
- Create **webhooks** to exfiltrate information
- Invite **outside collaborators**
- **Remove** **webhooks** used by the **SIEM**
- Create/modify **Github Action** with a **backdoor**
- Find **vulnerable Github Action to command injection** via **secret** value modification
### Impostor Commit-ovi - Bekdoor putem repo commit-ova
### Imposter Commits - Backdoor via repo commits
In Github it's possible to **create a PR to a repo from a fork**. Even if the PR is **not accepted**, a **commit** id inside the orginal repo is going to be created for the fork version of the code. Therefore, an attacker **could pin to use an specific commit from an apparently ligit repo that wasn't created by the owner of the repo**.
Like [**this**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
U Github-u je moguće **napraviti PR za repo iz forka**. Čak i ako PR **nije prihvaćen**, **commit** id unutar originalnog repoa će biti kreiran za fork verziju koda. Stoga, napadač **može da se oslanja na korišćenje specifičnog commit-a iz naizgled legitimnog repoa koji nije kreirao vlasnik repoa**.
Kao [**ovaj**](https://github.com/actions/checkout/commit/c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e):
```yaml
name: example
on: [push]
jobs:
commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- shell: bash
run: |
echo 'hello world!'
commit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e
- shell: bash
run: |
echo 'hello world!'
```
For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
Za više informacija proverite [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{{#include ../../banners/hacktricks-training.md}}