TravisCI Security

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

What is TravisCI

Travis CI is a hosted or on premises continuous integration service used to build and test software projects hosted on several different git platform.

Basic TravisCI Information

Attacks

Triggers

To launch an attack you first need to know how to trigger a build. By default TravisCI will trigger a build on pushes and pull requests:

Cron Jobs

If you have access to the web application you can set crons to run the build, this could be useful for persistence or to trigger a build:

It looks like It's not possible to set crons inside the .travis.yml according to this.

Third Party PR

TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:

Dumping Secrets

As explained in the basic information page, there are 2 types of secrets. Environment Variables secrets (which are listed in the web page) and custom encrypted secrets, which are stored inside the .travis.yml file as base64 (note that both as stored encrypted will end as env variables in the final machines).

  • To enumerate secrets configured as Environment Variables go to the settings of the project and check the list. However, note that all the project env variables set here will appear when triggering a build.

  • To enumerate the custom encrypted secrets the best you can do is to check the .travis.yml file.

  • To enumerate encrypted files you can check for .enc files in the repo, for lines similar to openssl aes-256-cbc -K $encrypted_355e94ba1091_key -iv $encrypted_355e94ba1091_iv -in super_secret.txt.enc -out super_secret.txt -d in the config file, or for encrypted iv and keys in the Environment Variables such as:

TODO:

  • Example build with reverse shell running on Windows/Mac/Linux

  • Example build leaking the env base64 encoded in the logs

TravisCI Enterprise

If an attacker ends in an environment which uses TravisCI enterprise (more info about what this is in the basic information), he will be able to trigger builds in the the Worker. This means that an attacker will be able to move laterally to that server from which he could be able to:

  • escape to the host?

  • compromise kubernetes?

  • compromise other machines running in the same network?

  • compromise new cloud credentials?

References

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Last updated