TravisCI Security
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Travis CI is a hosted or on premises continuous integration service used to build and test software projects hosted on several different git platform.
Basic TravisCI InformationTo launch an attack you first need to know how to trigger a build. By default TravisCI will trigger a build on pushes and pull requests:
If you have access to the web application you can set crons to run the build, this could be useful for persistence or to trigger a build:
It looks like It's not possible to set crons inside the .travis.yml
according to this.
TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:
As explained in the basic information page, there are 2 types of secrets. Environment Variables secrets (which are listed in the web page) and custom encrypted secrets, which are stored inside the .travis.yml
file as base64 (note that both as stored encrypted will end as env variables in the final machines).
To enumerate secrets configured as Environment Variables go to the settings of the project and check the list. However, note that all the project env variables set here will appear when triggering a build.
To enumerate the custom encrypted secrets the best you can do is to check the .travis.yml
file.
To enumerate encrypted files you can check for .enc
files in the repo, for lines similar to openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d
in the config file, or for encrypted iv and keys in the Environment Variables such as:
Example build with reverse shell running on Windows/Mac/Linux
Example build leaking the env base64 encoded in the logs
If an attacker ends in an environment which uses TravisCI enterprise (more info about what this is in the basic information), he will be able to trigger builds in the the Worker. This means that an attacker will be able to move laterally to that server from which he could be able to:
escape to the host?
compromise kubernetes?
compromise other machines running in the same network?
compromise new cloud credentials?
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)