GitHub Actions exploitation: repo jacking and environment manipulation

In the previous article, we highlighted three common misconfigurations in GitHub workflows that can be leveraged to obtain write access to the targeted repository or extract sensitive secrets. We illustrated these vulnerabilities using real-world instances from popular open-source projects such as Microsoft, FreeRDP, AutoGPT, Excalidraw, Angular, Apache, Cypress and others. We also present octoscan a static vulnerability scanner for GitHub action workflows. In this article, we will again outline three common misconfigurations that ca...

GitHub Actions exploitation: untrusted input

In the previous article, we explored the mechanics of GitHub Actions, uncovering the various elements present in a GitHub workflow. For example, we explained how permissions are managed, how workflows are triggered and the security implication of some dangerous triggers. We also detailed security protections that need to be bypassed to perform exploitation. In this article, we will outline three common misconfigurations that can be exploited to gain write access to the targeted repository or extract sensitive secrets. Each of them wi...

GitHub Actions exploitation: introduction

CI/CD (Continuous Integration / Continuous Delivery) systems are becoming increasingly popular today. This can be explained by the difficulty to maintain and deploy multiple projects simultaneously. These systems help teams and developers by enforcing automation when building, testing and deploying applications. For example, an application deployment can be triggered after a developer pushes a new version of the code to a repository. GitHub Actions is the CI/CD environment of GitHub, allowing users to execute a specific set of tasks ...

WHFB and Entra ID : Say Hello to your new cache flow

During security assessments, the cache can be a goldmine on Microsoft environments. Red teamers are familiar with MSCache or DCC2 hashes, which could be a fast track to a privileged account. However, when using WHFB and a cloud-only Entra ID environment, these hashes no longer exist. This blogpost aims at analyzing the cache components of Entra ID-joined devices with WHFB configured and provides a toolkit to use them.

Hijacking GitHub runners to compromise the organization

In a recent engagement we managed to compromise a GitHub app allowed to register self-hosted runners at the organization level. Turns out, it is possible to register a GitHub runner with the ubuntu-latest tag, granting access to jobs originally designated for GitHub-provisioned runners. Using this method, an attacker could compromise any workflow of the organization and steal CI/CD secrets or push malicious code on the different repositories.

Understanding and evading Microsoft Defender for Identity PKINIT detection

A few months following our blogpost on Microsoft Defender for Identity, new alerts related to Active Directory Certificate Services were added. This article will focus on suspicious certificate usage alerts: the detection mechanism will be explained as well as how to avoid raising any alert. In addition, a PowerShell script will be released to perform Kerberos authentication via PKINIT with the Windows API, from a non domain-joined machine.

So I became a node: exploiting bootstrap tokens in Azure Kubernetes Service

During one of our assessments, we managed to retrieve a Kubernetes bootstrap token from an AKS pod. It was a good opportunity to get a closer look at these tokens, how they work and how to exploit them. In this first blog post, we will describe the inner working of bootstrap tokens, the node authorization mode, signers and certificate controllers. Then we will show how to exploit a pod sharing the host network namespace in an AKS environment to leak such a token. The information provided in this blog post is based on Kubernetes v1.28 ... exploiting hidden Organizational Units ACL attack vectors in Active Directory

Exploitation of Organizational Units (OUs) ACLs received comparatively little attention when it comes to the security analysis of domain objects permissions in Active Directory environments. Yet, their successful exploitation could lead to the compromise of all OU child objects, and thus to high-impact privilege escalation scenarios. Building upon the work of Petros Koutroumpis, this article will present how an attack based on the manipulation of the gPLink attribute of Organizational Units could be exploitable through several common ...

Entra ID Banned Password Lists: password spraying optimizations and defenses

Banned Password Lists is a feature of the Password Protection component of Entra ID providing additional security for password-based authentication by enforcing both a global and a custom list of banned words for user passwords. This article aims at analyzing its implementation with the objectives to improve password spraying attacks for red team operators while providing better defenses for blue teams.

Java deserialization tricks

During a red team engagement, we faced Java applications exposed on the internet and affected by arbitrary deserialization from user-supplied data. After quickly identifying a well-known gadget chain, we noticed that a WAF was rejecting requests exploiting the vulnerability by detecting specific patterns of the serialized chain, and that an EDR caught our first exploit. Moreover, firewalls were strictly filtering outbound traffic, including DNS. This article will present a few tricks regarding the gadgets that were used to exploit the...