HackerTrans
TopNewTrendsCommentsPastAskShowJobs

flexorium

no profile record

Submissions

Show HN: SmokedMeat, like Metasploit, but for CI/CD (open-source)

github.com
13 points·by flexorium·3 miesiące temu·9 comments

comments

flexorium
·3 miesiące temu·discuss
We appreciate this information you share in the open
flexorium
·3 miesiące temu·discuss
Nice! very useful
flexorium
·3 miesiące temu·discuss
That’s definitely part of the solution to limit the risk, but it does not eliminate it. That’s exactly something the tool demonstrates very well. If you can exploit , you can gently ask OIDC to mint you access on the fly. That’s what I call “dwell mode” where you hang for say 1 minute and you perform arbitrary thing with the OIDC access. So yes with short lived creds there’s no “offline access” and if leaves more traces but still.
flexorium
·3 miesiące temu·discuss
Thanks! I got tired of talking about it to defenders. I wanted to talk to Red Teamers too and SOC / detection engineering people. I wanted to build a tool that someone can just have the CISO try it directly.
flexorium
·3 miesiące temu·discuss
Absolutely not. The same TTPs apply almost 1-to-1 for Insider Threat scenarios. We've built the Deciduous Attack Trees (shout out to Kelly) for insider threats last year. It overlaps. So either you start with Initial Access that's purely public and pivot deeper or you already have a modest foothold (like intern with read only access) and off to the races.
flexorium
·3 miesiące temu·discuss
OP here, mini AMA.

Two years ago today, our small research team open sourced poutine, a SAST scanner for CI/CD pipelines (very similar to zizmor, but written in Go and customizable using Rego DSL). It finds the vulnerabilities in your build pipelines. As all security engineers know, running SAST and filing a JIRA ticket leads to nowhere.

Some weeks ago TeamPCP came on the scene and most were shocked to see the blast radius starting with Trivy then LiteLLM, KICS, etc. Trivy got pwn'd using textbook "pwn request".

I've been building SmokedMeat for the past 5 months to level the playing field. It's a Red Team framework for CI/CD pipelines. You scan a GitHub org workflows, pick from a menu of exploitable pipelines, you are guided through an exploitation wizard, wait… and you're in post-exploitation. Secrets already exfiltrated from runner process memory are in the Loot stash, ready to pivot into cloud accounts, private repos, and more. Live attack graph in the browser.

To try it: git clone https://github.com/boostsecurityio/smokedmeat.git cd smokedmeat make quickstart

Then you target the whooli GitHub org (https://github.com/whooli) a CTF playground to exploit (hint the final flag is in a Google Cloud Storage Bucket)

Happy to answer questions about the ethics, architecture, implant design, or CI/CD attack techniques.