Wiz The Ultimate Cloud Security Championship: Trust Issues

Arbaaz Jamadar

Trust Issues

You are an incident responder at Acme Inc.

A security researcher contacts your team with concerning news: Acme’s name has appeared in a newly uncovered threat campaign. They provide a link to a public GitHub repository believed to be used by the attacker to leak stolen data:

You begin your investigation with the suspected compromised machine.

We have been given a snapshot of a compromised Actions runner; the goal is to discover how the attacker exfiltrated the data.

Initial Analysis

  1. The machine is a self-hosted GitHub runner:

    cat /home/ubuntu/.config/GitHub/ActionsService/8.0/Cache/LocaltionServerMap.xml

  2. The repository for the application was determined via the Actions logs stored on the runner at `/home/ubuntu/actions-runner/_diag/Runner_20260201-200609-utc.log`.

  3. The runner executes GitHub Actions workflows for `k8s-magic-tool`.

  4. As per the workflow template, unit tests are run every time with pytest after authenticating to the cluster:

```yaml
name: k8s-magic inventory tests

on: 
  workflow_dispatch:

jobs:
  inventory-test:
    runs-on: self-hosted

    env:
      GOOGLE_APPLICATION_CREDENTIALS: /tmp/gcp-key.json
      KUBECONFIG: /tmp/kubeconfig
      GCP_PROJECT_ID: ${{ vars.GCP_PROJECT_ID }}

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Write GCP credentials
        run: |
          echo '${{ secrets.GKE_SA_KEY }}' | base64 -d > "$GOOGLE_APPLICATION_CREDENTIALS"
          chmod 600 "$GOOGLE_APPLICATION_CREDENTIALS"

      - name: Install dependencies
        run: |
          sudo apt update
          python3 -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install --upgrade --force-reinstall pytest

      - name: Authenticate to GCP
        run: |
          gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
          gcloud config set project "$GCP_PROJECT_ID"

      - name: Authenticate to GKE
        run: |
          gcloud container clusters get-credentials k8s-magic-cluster --region us-central1

      - name: Run pytest
        if: always()
        run: |
          python3 -m pytest -v --tb=line

      - name: Cleanup credentials
        if: always()
        run: |
          gcloud auth revoke --all || true
          rm -rf ~/.config/gcloud
          rm -f "$GOOGLE_APPLICATION_CREDENTIALS"
          rm -f "$KUBECONFIG"
          rm -f /tmp/gke_gcloud_auth_plugin_cache
```
  5. The k8s-magic-tool has two package dependencies (`requirements.txt`):

```
kubernetes>=28.1.0
pytest>=7.4.0
```
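The workflow in step 4 and the requirements file in step 5 together show the things a responder would want to check on any self-hosted runner: cloud secrets expanded straight into a `run:` script, dependencies declared as ranges rather than exact pins, a test tool reinstalled from the package index on every run, and a code-executing step marked `if: always()` so it runs even when the authentication steps failed. The script below is an added example, not code from this writeup or from the k8s-magic-tool project; it scans constructed, abridged copies of the workflow and requirements shown above and reports each pattern with a suggested fix. The rule names and remediation text are this script's own.

```python
"""Audit a GitHub Actions workflow and a requirements file for the
risky patterns seen in the runner investigation above.

Added example, not code from the original writeup or the k8s-magic-tool
project. WORKFLOW and REQUIREMENTS are constructed, abridged copies of
what the page shows; rule names and remediation text are this script's own.
"""
import re
from dataclasses import dataclass

# Constructed, abridged copy of the workflow excerpt quoted on the page.
WORKFLOW = """\
name: k8s-magic inventory tests
on:
  workflow_dispatch:
jobs:
  inventory-test:
    runs-on: self-hosted
    steps:
      - name: Write GCP credentials
        run: |
          echo '${{ secrets.GKE_SA_KEY }}' | base64 -d > "$GOOGLE_APPLICATION_CREDENTIALS"
      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          pip install --upgrade --force-reinstall pytest
      - name: Run pytest
        if: always()
        run: |
          python3 -m pytest -v --tb=line
"""

# Constructed copy of the two-line requirements file.
REQUIREMENTS = "kubernetes>=28.1.0\npytest>=7.4.0\n"


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int   # 1-based line number in the workflow text
    text: str   # the stripped offending line


# Single-line patterns, evaluated against each stripped workflow line.
RULES = [
    ("self-hosted-runner", re.compile(r"^runs-on:\s*self-hosted\b")),
    ("secret-expanded-in-run", re.compile(r"\$\{\{\s*secrets\.")),
    ("pip-force-reinstall", re.compile(r"--force-reinstall\b")),
    ("step-runs-on-failure", re.compile(r"^if:\s*always\(\)")),
]

REMEDIATION = {
    "self-hosted-runner": "treat the runner as a trust boundary: ephemeral, isolated, no long-lived cloud keys",
    "secret-expanded-in-run": "pass secrets through env: instead of expanding ${{ secrets.* }} inside run: scripts",
    "pip-force-reinstall": "do not reinstall tooling from the index at run time; install from pinned, hashed requirements",
    "pip-install-unpinned": "pin exact versions (==) and install with --require-hashes",
    "step-runs-on-failure": "drop if: always() from code-executing steps so a failed auth step stops the job",
}


def _unpinned_pip_install(s: str) -> bool:
    """A pip install of named packages with no exact pin and no hash checking."""
    if "pip install" not in s or " -r " in s or "--requirement" in s:
        return False
    return "==" not in s and "--require-hashes" not in s


def audit_workflow(text: str) -> list[Finding]:
    """Return every rule hit, in line order."""
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        for rule, pat in RULES:
            if pat.search(s):
                findings.append(Finding(rule, n, s))
        if _unpinned_pip_install(s):
            findings.append(Finding("pip-install-unpinned", n, s))
    return findings


_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===?|>=|<=|~=|!=|>|<)?")


def audit_requirements(text: str) -> list[str]:
    """Names whose specifier is missing or is a range rather than an exact pin."""
    loose: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / --hash
        m = _SPEC.match(line)
        if m and m.group(2) not in ("==", "==="):
            loose.append(m.group(1))
    return loose


def report(workflow: str, requirements: str) -> list[str]:
    """One human-readable line per finding, each with its suggested fix."""
    lines = [f"workflow:{f.line} [{f.rule}] {f.text}  -> {REMEDIATION[f.rule]}"
             for f in audit_workflow(workflow)]
    for name in audit_requirements(requirements):
        lines.append(f"requirements [pip-install-unpinned] {name}  -> {REMEDIATION['pip-install-unpinned']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(WORKFLOW, REQUIREMENTS)))
```

Run as-is it prints seven findings: the self-hosted runner, the secret expanded into the shell, the `--force-reinstall` line (which is also reported as an unpinned install), the `if: always()` on the pytest step, and the two range-pinned requirements. The checks are deliberately line-based so they work on a workflow file pulled off a compromised runner without needing a YAML parser installed on the analysis box.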

Note

Feel free to reach out on LinkedIn and all my socials in case you need help with the challenge. The full writeup will be released shortly.
