You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
2024-11-14T14:29:05+01:00 info Fetching CVEs for this version version=17.5.1-ee
50
50
```
51
51
52
-
## Enumerating CI/CD Variables And Secure Files
52
+
## Enumerating Accessible Secrets
53
53
54
54
If you already have access to projects and groups you can try to enumerate CI/CD variables and use these for potential privilege escalation/lateral movement paths.
2024-11-18T15:38:08Z info Fetching project variables
68
-
2024-11-18T15:38:09Z warn Secure file content="this is a secure file!!" downloadUrl=https://leakycompany.com/api/v4/projects/60367314/secure_files/9149327/download
69
-
2024-11-18T15:38:12Z info Fetched all secure files
Abusing this access token grants you access to the `another-project` repository, thus you escalated privileges to this repository.
212
+
Abusing this access token grants you access to the `another-project` repository.
213
213
214
214
## Attacking Runners
215
215
216
-
Chances are high that if pipelines are used, custom runners are registered. These come in different flavors. Most of the time the docker executor is used, which allows pipelines to define container images in which their commands are executed. For a full list of possibilities [rtfm](https://docs.gitlab.example.com/runner/executors/).
216
+
Chances are high that if pipelines are used, custom runners are registered. These come in different flavors. Often times a container / docker based executor is used, which allows pipelines to define container images in which their commands are executed. For a full list of possibilities [rtfm](https://docs.gitlab.example.com/runner/executors/).
217
217
218
218
If you can create projects or contribute to existing ones, you can interact with runners. We want to test if it is possible to escape from the runner context e.g. escape from the container to the host machine or if the runner leaks additional privileges e.g. in the form of attached files or environment variables set by the runner config.
2024-09-26T14:26:55+02:00 info group runner description=blue-3.saas-linux-large-amd64.runners-manager.gitlab.example.com/default name=comp-test-ia paused=false runner=gitlab-runner tags=saas-linux-large-amd64 type=instance_type
232
232
2024-09-26T14:26:55+02:00 info group runner description=green-1.saas-linux-2xlarge-amd64.runners-manager.gitlab.example.com/default name=comp-test-ia paused=false runner= tags=saas-linux-2xlarge-amd64 type=instance_type
233
233
2024-09-26T14:26:55+02:00 info Unique runner tags tags=gitlab-org,saas-linux-large-arm64,windows,gitlab-org-docker,e2e-runner2,saas-macos-large-m2pro,saas-linux-xlarge-amd64,saas-linux-small-amd64,saas-linux-2xlarge-amd64,saas-linux-medium-amd64,saas-windows-medium-amd64,e2e-runner3,saas-linux-medium-arm64,saas-linux-medium-amd64-gpu-standard,saas-macos-medium-m1,shared-windows,saas-linux-large-amd64,windows-1809
234
-
2024-09-26T14:26:55+02:00 info Done, Bye Bye 🏳️🌈🔥
235
234
```
236
235
237
236
Review the runners and select the interesting ones. The Gitlab Ci/CD config file allows you to select runners by their tags. Thus we create a list of the most interesting tags, printed by the command above.
This example runs Pipeleek scan jobs as one-shot containers and forwards all JSON logs into Elasticsearch via Logstash. Kibana is provided for querying and dashboards.
4
+
5
+
## What this setup provides
6
+
7
+
- One shared Pipeleek config file mounted read-only in every scan-job container.
8
+
- One Elasticsearch instance.
9
+
- One Kibana instance.
10
+
- One Logstash instance that accepts newline-delimited JSON on TCP port 5000 and is tuned to 192MB heap for local/dev environments.
11
+
- One service definition per scan job:
12
+
-`scan-gitlab`
13
+
-`scan-github`
14
+
-`scan-bitbucket`
15
+
-`scan-devops`
16
+
-`scan-gitea`
17
+
-`scan-jenkins`
18
+
19
+
## 1) Prepare shared config
20
+
21
+
Edit `pipeleek.shared.example.yaml` and fill all token/url placeholders.
22
+
23
+
The file is mounted into each scanner as:
24
+
25
+
- Container path: `/config/pipeleek.yaml`
26
+
27
+
## 2) Start ELK services
28
+
29
+
Use the automated startup script that starts ELK and configures Kibana automatically:
30
+
31
+
```bash
32
+
bash start-elk.sh
33
+
```
34
+
35
+
This script:
36
+
37
+
1. Starts Elasticsearch, Logstash, and Kibana
38
+
2. Installs an Elasticsearch index template optimized for Pipeleek scan logs
39
+
3. Waits for Kibana to be ready
40
+
4. Automatically creates and configures the Kibana data view for pipeleek logs
41
+
42
+
**Manual alternative**:
43
+
44
+
```bash
45
+
docker compose up -d elasticsearch logstash kibana
46
+
```
47
+
48
+
Then manually setup the index template and Kibana data view:
49
+
50
+
```bash
51
+
bash setup-elasticsearch.sh
52
+
bash setup-kibana.sh
53
+
```
54
+
55
+
## 3) Run one-shot scan jobs
56
+
57
+
Run any individual scan job with:
58
+
59
+
```bash
60
+
docker compose --profile gitlab run --rm scan-gitlab
61
+
docker compose --profile github run --rm scan-github
62
+
docker compose --profile bitbucket run --rm scan-bitbucket
63
+
docker compose --profile devops run --rm scan-devops
64
+
docker compose --profile gitea run --rm scan-gitea
65
+
docker compose --profile jenkins run --rm scan-jenkins
66
+
```
67
+
68
+
Each job:
69
+
70
+
1. Runs its own scan command using the shared config.
71
+
2. Streams each JSON line to Logstash over TCP.
72
+
3. Prints periodic progress updates every 30s to the container stderr so you can see it is still running.
73
+
74
+
## 4) View data in Kibana
75
+
76
+
Once you've run `bash start-elk.sh`, the Kibana data view is automatically configured. Simply:
77
+
78
+
1. Open http://localhost:5601
79
+
2. Open **Dashboards** and select `Pipeleek - Hit Monitoring`
80
+
3. You will see:
81
+
82
+
-`Pipeleek - High Hits` (count of `scan.confidence: high` hits)
83
+
-`Pipeleek - High-Verified Hits` (count of `scan.confidence: high-verified` hits)
84
+
-`Pipeleek - Log Intake Over Time` (bar chart over the last 4 hours with fixed 10-minute buckets)
85
+
-`Pipeleek - Hits by Asset Type` (pie chart, for example hit logs vs hit artifacts)
86
+
-`Pipeleek - Hits by Confidence` (pie chart of confidence ratings)
87
+
-`Pipeleek - Last 100 Scan Entries` table (hit-level events only)
88
+
-`Pipeleek - Latest 100 Log Entries` table (sorted by newest first, no fixed filter)
89
+
90
+
4. Use the dashboard filter bar to filter by fields like `scan.platform` and `scan.confidence`
91
+
92
+
Hit-focused panels use hit events (`level=hit`). If no hits are present in the selected time range, those panels will show no results.
93
+
94
+
You can also use **Discover** with the same data view for ad-hoc investigation.
95
+
96
+
For better searchability, logs are also normalized into common fields:
97
+
98
+
-`scan.platform`
99
+
-`scan.level`
100
+
-`scan.confidence`
101
+
-`scan.job_name`
102
+
-`scan.target_url`
103
+
-`scan.asset_type`
104
+
-`scan.is_hit`
105
+
-`secret.rule_name`
106
+
-`secret.is_present`
107
+
-`event.kind`
108
+
-`event.category`
109
+
-`event.type`
110
+
-`event.outcome`
111
+
112
+
**If you manually started ELK**, run the setup script:
0 commit comments