Commit
GITBOOK-650: No subject
carlospolop authored and gitbook-bot committed Jul 29, 2024
1 parent 9e6bf92 commit b3fb815
Showing 7 changed files with 114 additions and 20 deletions.
Binary file added .gitbook/assets/image (344).png
Binary file added .gitbook/assets/image (345).png
Binary file added .gitbook/assets/image (346).png
1 change: 1 addition & 0 deletions SUMMARY.md
Expand Up @@ -14,6 +14,7 @@
* [Gh Actions - Artifact Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md)
* [GH Actions - Cache Poisoning](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md)
* [Gh Actions - Context Script Injections](pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md)
* [Accessible Deleted Data in Github](pentesting-ci-cd/github-security/accessible-deleted-data-in-github.md)
* [Basic Github Information](pentesting-ci-cd/github-security/basic-github-information.md)
* [Gitea Security](pentesting-ci-cd/gitea-security/README.md)
* [Basic Gitea Information](pentesting-ci-cd/gitea-security/basic-gitea-information.md)
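Review bot: the new entry's title, "Accessible Deleted Data in Github", undersells the page it links to: the page added in this commit also has a section on private repo data, so a title such as "Accessible Deleted and Private Data in GitHub" would match its content. The neighbouring entries already mix "Gh", "GH" and "Github", so this is a good place to settle on one spelling.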
16 changes: 12 additions & 4 deletions pentesting-ci-cd/github-security/README.md
@@ -1,8 +1,8 @@
# Github Security

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down Expand Up @@ -67,6 +67,14 @@ When you look for leaks in a repo and run something like `git log -p` don't forg

It's possible to **compromise repos abusing pull requests**. To know if a repo is vulnerable you mostly need to read the Github Actions yaml configs. [**More info about this below**](./#execution-from-a-external-fork).

### Github Leaks in deleted/internal forks

Even if deleted or internal it might be possible to obtain sensitive data from forks of github repositories. Check it here:

{% content-ref url="accessible-deleted-data-in-github.md" %}
[accessible-deleted-data-in-github.md](accessible-deleted-data-in-github.md)
{% endcontent-ref %}

## Organization Hardening

### Member Privileges
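Review bot: the sentence under "Github Leaks in deleted/internal forks" ("Even if deleted or internal it might be possible to obtain sensitive data from forks") only covers data held in forks, while the linked page also has a case where the deleted repo is the upstream one and its changes stay reachable through the forks. Suggest rewording so it names both directions and says what "deleted or internal" refers to, for example "Data committed to a deleted or internal fork, or to a deleted repo that has forks, might still be reachable".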
Expand Down Expand Up @@ -250,8 +258,8 @@ jobs:
For more info check [https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
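Review bot: the only change in this hunk is the banner image path, from `/.gitbook/assets/` to `../../.gitbook/assets/`, and it is unrelated to the deleted-data page this commit adds. The same rewrite is repeated in the header banner of this file and in gws-persistence.md; splitting that churn into its own commit would keep the content change easy to review, and the relative form will need updating if the file ever moves to a different directory depth.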
@@ -0,0 +1,85 @@
# Accessible Deleted Data in Github

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

This ways to access data from Github that was supposedly deleted was [**reported in this blog post**](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).

## Accessing Deleted Fork Data

1. You fork a public repository
2. You commit code to your fork
3. You delete your fork

{% hint style="danger" %}
The data commited in the deleted fork is still accessible.
{% endhint %}

## Accessing Deleted Repo Data

1. You have a public repo on GitHub.
2. A user forks your repo.
3. You commit data after they fork it (and they never sync their fork with your updates).
4. You delete the entire repo.

{% hint style="danger" %}
Even if you deleted your repo, all the changes made to it are still accessible through the forks.
{% endhint %}

## Accessing Private Repo Data

1. You create a private repo that will eventually be made public.
2. You create a private, internal version of that repo (via forking) and commit additional code for features that you’re not going to make public.
3. You make your “upstream” repository public and keep your fork private.

{% hint style="danger" %}
It's possible to access al the data pushed to the internal fork in the time between the internal fork was created and the public version was made public.
{% endhint %}

## How to discover commits from deleted/hidden forks

The same blog post propose 2 options:

### Directly accessing the commit

If the commit ID (sha-1) value is known it's possible to access it in `https://github.com/<user/org>/<repo>/commit/<commit_hash>`

### Brute-forcing short SHA-1 values

It's the same to access both of these:

* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14](https://github.com/HackTricks-wiki/hacktricks/commit/8cf94635c266ca5618a9f4da65ea92c04bee9a14)
* [https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463](https://github.com/HackTricks-wiki/hacktricks/commit/8cf9463)

And the latest one use a short sha-1 that is bruteforceable.

## References

* [https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
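Review bot: the three danger hints (after "You delete your fork", "You delete the entire repo" and "keep your fork private") say the data is "still accessible" but never say from where, and the URL pattern under "Directly accessing the commit" does not say which `<user/org>/<repo>` to use (the upstream, or a surviving fork). Suggest stating that in each hint, and adding a short section on what a repo owner should do, for example treating any secret committed in these scenarios as exposed and rotating it. The prose also needs a copy-edit pass: "This ways ... was", "commited", "al the data", "propose 2 options", "the latest one use". The images `image (344).png` to `image (346).png` added by this commit are not referenced anywhere in this file.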
32 changes: 16 additions & 16 deletions pentesting-cloud/workspace-security/gws-persistence.md
@@ -1,8 +1,8 @@
# GWS - Persistence

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

Expand Down Expand Up @@ -33,7 +33,7 @@ All the actions mentioned in this section that change setting will generate a **

1. Open [Gmail](https://mail.google.com/).
2. In the search box at the top, click Show search options ![photos tune](https://lh3.googleusercontent.com/cD6YR\_YvqXqNKxrWn2NAWkV6tjJtg8vfvqijKT1\_9zVCrl2sAx9jROKhLqiHo2ZDYTE=w36) .
3. Enter your search criteria. If you want to check that your search worked correctly, see what emails show up by clicking **Search**.&#x20;
3. Enter your search criteria. If you want to check that your search worked correctly, see what emails show up by clicking **Search**.
4. At the bottom of the search window, click **Create filter**.
5. Choose what you’d like the filter to do.
6. Click **Create filter**.
Expand Down Expand Up @@ -97,22 +97,22 @@ You can just **delegate the account** to a different account controlled by the a

(Information [copied form the docs](https://support.google.com/a/answer/7223765))

As an administrator for your organization (for example, your work or school), you control whether users can delegate access to their Gmail account. You can let everyone have the option to delegate their account. Or, only let people in certain departments set up delegation. For example, you can:
As an administrator for your organization (for example, your work or school), you control whether users can delegate access to their Gmail account. You can let everyone have the option to delegate their account. Or, only let people in certain departments set up delegation. For example, you can:

* Add an administrative assistant as a delegate on your Gmail account so they can read and send email on your behalf.&#x20;
* Add an administrative assistant as a delegate on your Gmail account so they can read and send email on your behalf.
* Add a group, such as your sales department, in Groups as a delegate to give everyone access to one Gmail account.

Users can only delegate access to another user in the same organization, regardless of their domain or their organizational unit.

### Delegation limits & restrictions&#x20;
#### Delegation limits & restrictions

* **Allow users to grant their mailbox access to a Google group** option: To use this option, it must be enabled for the OU of the delegated account and for each group member's OU. Group members that belong to an OU without this option enabled can't access the delegated account.
* With typical use, 40 delegated users can access a Gmail account at the same time. Above-average use by one or more delegates might reduce this number.&#x20;
* With typical use, 40 delegated users can access a Gmail account at the same time. Above-average use by one or more delegates might reduce this number.
* Automated processes that frequently access Gmail might also reduce the number of delegates who can access an account at the same time. These processes include APIs or browser extensions that access Gmail frequently.
* A single Gmail account supports up to 1,000 unique delegates. A group in Groups counts as one delegate toward the limit.
* Delegation does not increase the limits for a Gmail account. Gmail accounts with delegated users have the standard Gmail account limits and policies. For details, visit [Gmail limits and policies](https://support.google.com/a/topic/28609).

### Step 1: Turn on Gmail delegation for your users&#x20;
#### Step 1: Turn on Gmail delegation for your users

**Before you begin:** To apply the setting for certain users, put their accounts in an [organizational unit](https://support.google.com/a/topic/1227584).

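Review bot: "Delegation limits & restrictions" and "Step 1: Turn on Gmail delegation for your users" drop from `###` to `####` in the same hunk that strips trailing `&#x20;` entities, so an outline change is riding along with whitespace cleanup. Please confirm the demotion is intended, since these sections now nest under the preceding `###` heading. The context line "copied form the docs" has a typo ("from") that could be fixed while this paragraph is being touched.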
Expand All @@ -124,7 +124,7 @@ Users can only delegate access to another user in the same organization, regardl
4. Click **Mail delegation**.
5. Check the **Let users delegate access to their mailbox to other users in the domain** box.
6. (Optional) To let users specify what sender information is included in delegated messages sent from their account, check the **Allow users to customize this setting** box.
7. Select an option for the default sender information that's included in messages sent by delegates:&#x20;
7. Select an option for the default sender information that's included in messages sent by delegates:
* **Show the account owner and the delegate who sent the email**—Messages include the email addresses of the Gmail account owner and the delegate.
* **Show the account owner only**—Messages include the email address of only the Gmail account owner. The delegate email address is not included.
8. (Optional) To let users add a group in Groups as a delegate, check the **Allow users to grant their mailbox access to a Google group** box.
Expand All @@ -133,9 +133,9 @@ Users can only delegate access to another user in the same organization, regardl

Changes can take up to 24 hours but typically happen more quickly. [Learn more](https://support.google.com/a/answer/7514107)

### Step 2: Have users set up delegates for their accounts
#### Step 2: Have users set up delegates for their accounts

After you turn on delegation, your users go to their Gmail settings to assign delegates. Delegates can then read, send, and receive messages on behalf of the user. &#x20;
After you turn on delegation, your users go to their Gmail settings to assign delegates. Delegates can then read, send, and receive messages on behalf of the user.

For details, direct users to [Delegate and collaborate on email](https://support.google.com/a/users/answer/138350).

Expand All @@ -152,15 +152,15 @@ You can add up to 10 delegates.
If you're using Gmail through your work, school, or other organization:

* You can add up to 1000 delegates within your organization.
* With typical use, 40 delegates can access a Gmail account at the same time.&#x20;
* With typical use, 40 delegates can access a Gmail account at the same time.
* If you use automated processes, such as APIs or browser extensions, a few delegates can access a Gmail account at the same time.

1. On your computer, open [Gmail](https://mail.google.com/). You can't add delegates from the Gmail app.
2. In the top right, click Settings ![Settings](https://lh3.googleusercontent.com/p3J-ZSPOLtuBBR\_ofWTFDfdgAYQgi8mR5c76ie8XQ2wjegk7-yyU5zdRVHKybQgUlQ=w36-h36) ![and then](https://lh3.googleusercontent.com/3\_l97rr0GvhSP2XV5OoCkV2ZDTIisAOczrSdzNCBxhIKWrjXjHucxNwocghoUa39gw=w36-h36) **See all settings**.
3. Click the **Accounts and Import** or **Accounts** tab.
4. In the "Grant access to your account" section, click **Add another account**. If you’re using Gmail through your work or school, your organization may restrict email delegation. If you don’t see this setting, contact your admin.
* If you don't see Grant access to your account, then it's restricted.
5. Enter the email address of the person you want to add. If you’re using Gmail through your work, school, or other organization, and your admin allows it, you can enter the email address of a group. This group must have the same domain as your organization. External members of the group are denied delegation access. \
5. Enter the email address of the person you want to add. If you’re using Gmail through your work, school, or other organization, and your admin allows it, you can enter the email address of a group. This group must have the same domain as your organization. External members of the group are denied delegation access.\
\
**Important:** If the account you delegate is a new account or the password was reset, the Admin must turn off the requirement to change password when you first sign in.

Expand All @@ -171,7 +171,7 @@ If you're using Gmail through your work, school, or other organization:

The person you added will get an email asking them to confirm. The invitation expires after a week.

If you added a group, all group members will become delegates without having to confirm.&#x20;
If you added a group, all group members will become delegates without having to confirm.

Note: It may take up to 24 hours for the delegation to start taking effect.

Expand All @@ -195,8 +195,8 @@ You can create **time-based triggers** in App Scripts, so if the App Script is a
* [https://www.youtube.com/watch?v=KTVHLolz6cE](https://www.youtube.com/watch?v=KTVHLolz6cE) - Mike Felch and Beau Bullock - OK Google, How do I Red Team GSuite?

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>
