Bug in Secrets Attack

[ankushgoel27]

Describe the bug Traceback (most recent call last): File "/root/.local/bin/gato-x", line 8, in

[+] The authenticated user is: [+] The GitHub Classic PAT has the following scopes: repo, workflow [!] The repository has 1 accessible secret(s)! [+] Succesfully pushed the malicious workflow! [+] Malicious branch deleted.

• Waiting for the workflow to queue...
• Waiting for the workflow to execute... [-] The workflow failed! sys.exit(entry()) ^^^^^^^ File "/root/.local/share/pipx/venvs/gato-x/lib/python3.12/site-packages/gatox/main.py", line 6, in entry sys.exit(cli.cli(sys.argv[1:])) ^^^^^^^^^^^^^^^^^^^^^ File "/root/.local/share/pipx/venvs/gato-x/lib/python3.12/site-packages/gatox/cli/cli.py", line 82, in cli arguments.func(arguments, subparsers) File "/root/.local/share/pipx/venvs/gato-x/lib/python3.12/site-packages/gatox/cli/cli.py", line 250, in attack gh_attack_runner.secrets_dump( File "/root/.local/share/pipx/venvs/gato-x/lib/python3.12/site-packages/gatox/attack/secrets/secrets_attack.py", line 217, in secrets_dump res = self.api.retrieve_workflow_artifact(target_repo, workflow_id) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/root/.local/share/pipx/venvs/gato-x/lib/python3.12/site-packages/gatox/github/api.py", line 1122, in retrieve_workflow_artifact download_url = artifacts[0]["archive_download_url"]

  
  IndexError: list index out of range

To Reproduce

gato-x attack --target repo --secrets -d

Expected behavior Should fetch the secrets

Screenshots If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

• OS: ubuntu
• Python Version: Python 3.12.3

Additional context

Add any other context about the problem here.

[AdnaneKhan]

Can you confirm that the workflow finished or did it fail for some reason?

Definitely need to add a check for the artifact before trying to download, but there might be something else going on.

And thank you for all the bug reports - they help a lot in planning where to increase the tool's stability.

[AdnaneKhan]

I added a check for the artifact which should prevent that error and it will fail gracefully.

Please let me know what behavior you still see in a new issue. There are some cases where protections will prevent exfil such as:

• Push protection rulesets
• Workflow test.yml is disabled (you'll have to set a custom one then)

Currently Gato-X does not check for those protections prior to attempting exfil. It's on my roadmap to add better checks but if you are grabbing secrets as part of a RT assessment, etc. after compromising a PAT it's on you to check prior to running an automated exfil tool.