Comment on page
Travis CI is a hosted or on premises continuous integration service used to build and test software projects hosted on several different git platform.
To launch an attack you first need to know how to trigger a build. By default TravisCI will trigger a build on pushes and pull requests:
If you have access to the web application you can set crons to run the build, this could be useful for persistence or to trigger a build:
TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
As explained in the basic information page, there are 2 types of secrets. Environment Variables secrets (which are listed in the web page) and custom encrypted secrets, which are stored inside the
.travis.ymlfile as base64 (note that both as stored encrypted will end as env variables in the final machines).
- To enumerate secrets configured as Environment Variables go to the settings of the project and check the list. However, note that all the project env variables set here will appear when triggering a build.
- To enumerate the custom encrypted secrets the best you can do is to check the
- To enumerate encrypted files you can check for
.encfiles in the repo, for lines similar to
openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -din the config file, or for encrypted iv and keys in the Environment Variables such as:
- Example build with reverse shell running on Windows/Mac/Linux
- Example build leaking the env base64 encoded in the logs
If an attacker ends in an environment which uses TravisCI enterprise (more info about what this is in the basic information), he will be able to trigger builds in the the Worker. This means that an attacker will be able to move laterally to that server from which he could be able to:
- escape to the host?
- compromise kubernetes?
- compromise other machines running in the same network?
- compromise new cloud credentials?