# Pipeleak Feature Demo

First you need to create a personal access token for the API: https://gitlab.com/-/user_settings/personal_access_tokens and downlad the binary from GitHub.

Make sure to grant the API scope.

In [None]:
!cd /tmp && wget -O- https://github.com/CompassSecurity/pipeleak/releases/download/v0.15.1/pipeleak-v0.15.1-linux-amd64.tar.gz | gunzip | tar xvf -
!chmod +x /tmp/pipeleak && ls -alh /tmp

Place it down below:

In [None]:
%env GITLAB_PAT=glpat-[your-pat]
%env GITLAB_COOKIE=[your-session-cookie]

# Secrets Scans

## Secrets in Pipeline Output

Example repository: https://gitlab.com/frj1comp/secret-pipelines

It contains multiple secrets printed by "misconfigurations" in the CI/CD pipeline logs or stored in artifacts.

E.g find the AWS API Key which is `cat`ed in the output.

```yaml
build-job:
  stage: build
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."
    - echo "ANPA6AAV91BQENOHPHAE"
    - echo "Truffle Hog AKIAYVP4CIPPERUVIFXG"
    - echo "https://gitlab-ci-token:$MASK_ME@gitlab.com"
    - cat canary_aws # find the output of this command
    - cat canary_kubeconfig
```



In [None]:
!/tmp/pipeleak gl scan --gitlab https://gitlab.com -t $GITLAB_PAT --owned --search 'secret-pipeline' --job-limit 10 --confidence high-verified

## Secrets in Artifacts

GitLab allows one to save files as Artifacts which are then available for download after the job has been run. E.g. used to pass files between jobs.

Example: https://gitlab.com/frj1comp/secret-pipelines/-/artifacts

In [None]:
!/tmp/pipeleak gl scan --gitlab https://gitlab.com -t $GITLAB_PAT --owned --search 'secret-pipeline' --job-limit 10 --confidence high --artifacts

## Special Case: Dotenv Artifacts

There is one special type of artifact called [Dotenv Artifact](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv). 
As the documentation state you should not use it to pass secrets beteween jobs.

> You should avoid storing sensitive data like credentials in dotenv reports, as the reports can be downloaded from the pipeline details page. If necessary, you can use artifacts:access to restrict the users that can download the report artifacts in a job.

People do it anyways 🤦‍♀️

Sadly, these Dotenv artifacts are only downloadable over the web interface, thus we must supply a GitLab session cookie: `_gitlab_session`

In [None]:
!/tmp/pipeleak gl scan --gitlab https://gitlab.com -t $GITLAB_PAT --owned --search 'secret-pipeline' --job-limit 10 --confidence high --artifacts --cookie $GITLAB_COOKIE | grep -i dotenv

# Abusing GitLab Personal Access Tokens (PAT)

Sometimes you might find personal access token e.g. with a basic user account in a company and you find a high privileged token of a bot.

In [None]:
!/tmp/pipeleak gl variables --gitlab https://gitlab.com -t $GITLAB_PAT

Another variant of storing credentials in variables are secure files. These are uploaded to your GitLab repository (not in Git) and then injected into the container during pipeline runtime.

In [None]:
!/tmp/pipeleak gl secureFiles --gitlab https://gitlab.com -t $GITLAB_PAT

# Version Scan

An outdated self-hosted GitLab instance can be vulnerable to certain attacks.

> Note: Usually you must provide an access token to enumerate the installed version.

In [None]:
!/tmp/pipeleak gl vuln --gitlab https://gitlab.com -t $GITLAB_PAT

# Runners

Sometimes organizations user their own custom runners. These can be attacked in a variety of ways, depending on the executor type (shell, docker, k8s etc.) and its configuration.

To enumerate and gain a shell in such an environment there are two helpers. First enumerate the availalbe runners.

In [None]:
!/tmp/pipeleak gl runners list --gitlab https://gitlab.com -t $GITLAB_PAT

Then you can select an interesting runner and create CI/CD configuration to gain a shell in and pursue further testing from there.

In [None]:
!/tmp/pipeleak gl runners exploit --gitlab https://gitlab.com -t $GITLAB_PAT --tags 'gitlab-org-docker' --dry