Closed ankushgoel27 closed 2 weeks ago
Can you confirm that the workflow finished or did it fail for some reason?
Definitely need to add a check for the artifact before trying to download, but there might be something else going on.
And thank you for all the bug reports - they help a lot in planning where to increase the tool's stability.
I added a check for the artifact which should prevent that error and it will fail gracefully.
Please let me know what behavior you still see in a new issue. There are some cases where protections will prevent exfil such as:
test.yml
is disabled (you'll have to set a custom one then)
Currently Gato-X does not check for those protections prior to attempting exfil. It's on my roadmap to add better checks but if you are grabbing secrets as part of a RT assessment, etc. after compromising a PAT it's on you to check prior to running an automated exfil tool.
Describe the bug
Traceback (most recent call last):
  File "/root/.local/bin/gato-x", line 8, in
[+] The authenticated user is:
[+] The GitHub Classic PAT has the following scopes: repo, workflow
[!] The repository has 1 accessible secret(s)!
[+] Succesfully pushed the malicious workflow!
[+] Malicious branch deleted.
To Reproduce
gato-x attack --target repo --secrets -d
Expected behavior
Should fetch the secrets