Kali Linux

GitOops : All Paths Lead To Clouds

GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.

It works by mapping relationships between a GitHub organization and its CI/CD jobs and environment variables. It’ll use any Bolt-compatible graph database as backend, so you can query your attack paths with openCypher:

MATCH p=(:User{login:”alice”})-[..5]->(v:EnvironmentVariable) WHERE v.name =~ “.SECRET.*”
RETURN p

Docs

Overview

In addition to mapping relationships between your users, teams and repositories, GitOops maps relationships between those and environment variables in your CI/CD systems.

The following CI/CD systems are currently supported:

  • GitHub Actions
  • CircleCI

On top of this, GitOops ingests CI/CD configuration files from repositories for other popular CI/CD systems, enabling less refined queries on those.

Finally, GitOops will also map webhooks and status checks from commits to a repository’s pull requests and default branch. These allow you to find integrations that are typically configured server-side (e.g. AWS CodeBuild).

Install, Build & Run

You can build GitOops yourself or use our binaries.

You may also consider using it as a package if you want to run some custom ingestion.

Install

Download the latest release for your OS from the releases page or:

$ export OS=linux # or macos/windows
$ curl -Lso gitoops “https://github.com/ovotech/gitoops/releases/latest/download/gitoops-$OS”

Build

$ go version
go version go1.16.6 linux/amd64
$ git clone git@github.com:ovotech/gitoops.git
$ cd gitoops
$ make
$ ./gitoops
Usage: ./gitoops [SUBCOMMAND] [OPTIONS]…
Available subcommands:
circleci
enrich
github

CLI

Database

You will need a Bolt-compatible database. We provide a docker-compose file for Neo4j.

IMPORTANT: This sets up an unauthenticated Neo4j instance listening on localhost. You’re recommended to set a password.

$ docker-compose -f docker-compose.yml up -d

Ingest GitHub data

GitOops uses a Personal Access Token (PAT) to ingest GitHub data. You will need the read:org and repo (Full control of private repositories) scopes.

To get full coverage you should use an organization owner PAT. You can use an organization member PAT but you will get only partial coverage.

$ gitoops github \
-debug \
-organization fakenews \
-neo4j-password $NEO4J_PASSWORD \
-neo4j-uri=”neo4j://localhost:7687″ \
-token $GITHUB_TOKEN \
-ingestor default \
-ingestor secrets \
-session helloworld

Most parameters should be self-explanatory.

Please check gitoops github -h for more information on the -ingestor.

The session is just a unique identifier for this run of the ingestor. You can use this to remove old nodes and relationships that are no longer relevant (by removing any nodes and relationships that don’t have the latest session identifier from your database).

Note on Rate Limits

If you are targeting a large GitHub organization, you may encounter rate limits. If this happens you can use the -ingestor flags to limit the information you are ingesting at a time.

The following ingestors need to run first and in this particular order:

  • Organizations
  • Teams
  • Users
  • Repos

Order doesn’t matter for other ingestors.

GitHub Enterprise Server

If you are targetting a self-hosted GitHub Enterprise Server, you will want to set the -github-rest-url and -github-graphql-url parameters. These default to the GitHub cloud URLs.

Ingest CircleCI data

Unfortunately, the documented CircleCI REST API doesn’t give everything we want. Luckily there’s a “hidden” GraphQL API we can access with a cookie. With your browser, navigate to the CircleCI web UI and fetch your ring-session cookie. You should be able to find this in a request to the graphql-unstable endpoint when loading some pages.

$ export CIRCLECI_COOKIE=RING_SESSION_COOKIE_VALUE
$ gitoops circleci \
-debug \
-organization fakenews \
-neo4j-password $NEO4J_PASSWORD \
-neo4j-uri=”neo4j://localhost:7687″ \
-cookie=$CIRCLECI_COOKIE \
-session helloworld

Data enrichment

We do some very crude “enriching” of data. After you’ve ingested GitHub proceed to:

$ gitoops enrich \
-debug \
-organization fakenews \
-session helloworld \
-neo4j-password $NEO4J_PASSWORD \
-neo4j-uri=”neo4j://localhost:7687″

Schema

This file is generated by ./scripts/generate_schema_doc.py

Branch Protection Rule

Properties

KeyType
idSTRING
patternSTRING
requiresReviewsBOOLEAN
sessionSTRING

Relationships

OutboundInbound
HAS_BRANCH_PROTECTION_RULE

Circle CI Context

Properties

KeyType
allMembersBOOLEAN
idSTRING
nameSTRING
sessionSTRING

Relationships

OutboundInbound
EXPOSES_ENVIRONMENT_VARIABLEHAS_ACCESS_TO_CIRCLECI_CONTEXT

Circle CI Project

Properties

KeyType
idSTRING
repositorySTRING
sessionSTRING

Relationships

OutboundInbound
EXPOSES_ENVIRONMENT_VARIABLEHAS_CI

Environment

Properties

KeyType
customBranchPolicyBOOLEAN
idSTRING
nameSTRING
protectedBranchesBOOLEAN
sessionSTRING
urlSTRING

Relationships

OutboundInbound
EXPOSES_ENVIRONMENT_VARIABLEHAS_ENVIRONMENT

Environment Variable

Properties

KeyType
idSTRING
sessionSTRING
truncatedValueSTRING
variableSTRING

Relationships

OutboundInbound
EXPOSES_ENVIRONMENT_VARIABLE

File

Properties

KeyType
idSTRING
pathSTRING
sessionSTRING
textSTRING

Relationships

OutboundInbound
HAS_CI_CONFIGURATION_FILE

Organization

Properties

KeyType
idSTRING
loginSTRING
sessionSTRING
urlSTRING

Relationships

OutboundInbound
EXPOSES_ENVIRONMENT_VARIABLEIS_MEMBER_OF
OWNED_BY

Repository

Properties

KeyType
databaseIdINTEGER
idSTRING
isArchivedBOOLEAN
isPrivateBOOLEAN
nameSTRING
sessionSTRING
urlSTRING

Relationships

OutboundInbound
EXPOSES_ENVIRONMENT_VARIABLEHAS_PERMISSION_ON
HAS_WEBHOOK
HAS_STATUS_CHECK
OWNED_BY
HAS_BRANCH_PROTECTION_RULE
HAS_CI
HAS_CI_CONFIGURATION_FILE
HAS_ENVIRONMENT

StatusCheck

Properties

KeyType
contextSTRING
hostSTRING
idSTRING
sessionSTRING

Relationships

OutboundInbound
HAS_STATUS_CHECK

Team

Properties

KeyType
idSTRING
nameSTRING
sessionSTRING
slugSTRING
urlSTRING

Relationships

OutboundInbound
HAS_PERMISSION_ONIS_MEMBER_OF
HAS_ACCESS_TO_CIRCLECI_CONTEXT

User

Properties

KeyType
idSTRING
loginSTRING
sessionSTRING
urlSTRING

Relationships

OutboundInbound
HAS_PERMISSION_ON
IS_MEMBER_OF
HAS_ACCESS_TO_CIRCLECI_CONTEXT

Webhook

Properties

KeyType
eventsLIST OF STRING
hostSTRING
idSTRING
nameSTRING
sessionSTRING
targetSTRING
urlSTRING

Relationships

OutboundInbound
HAS_WEBHOOK
Download
R K

Leave a Comment
Share
Published by
R K
Tags: All PathsCloudsGitOops
3 years ago

Recent Posts

Burrow – Breaking Through Firewalls With Open Source Ingenuity

Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…

3 days ago

Its-A-Trap : Building Secure Web Applications With A Golang Web Server For Authentication

Simple golang webserver that listens for basic auth or post requests and sends a notification…

3 days ago

Nutek-Apple : Unleashing Power On macOS And Linux

Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…

3 days ago

SecureSphere Labs – A Haven For Cybersecurity Innovators And Ethical Hackers

Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…

3 days ago

Vulpes/VulpOS : The Docker-Powered All-in-One Workstation For Penetration Testing And Offsec Labs

All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…

3 days ago

LiCo-Extrator : Revolutionizing Icon Extraction Across Platforms

Got it! Below is the updated README.md file with instructions for downloading the project on…

4 days ago