Open obheda12 opened 3 years ago
Hey @obheda12 - I think you just want to have run:
instead of welcome/run:
. Also, you will want an internet routeable address if you are using that technique to get the secret (CircleCI would not be able to reach your local 192.168.x.x address).
Sorry, that's bad advice on the run:
- I think you'll actually want to create a job with a step that is the run:
command, e.g.:
jobs:
build:
steps:
- run: echo hello
workflows:
build:
jobs:
- build
The echo hello
is where the curl
would go.
I've been trying to exfiltrate secrets but CircleCI keeps giving me pull errors when i try to make a pull request with the malicious step you mentioned in your writeup? I substituted the "attacker.com" for my IP where i was standing up a server to receive requests. Below is my config file: any advice would be much appreciated and awesome stuff man, really great read!