Assume the build environment is already compromised.
Assume the attacker has obtained a GitHub token.
This post focuses only on GitHub Branch Protection bypass techniques, from an adversary mindset, after compromising a CI/CD environment and extracting a privileged token.
The application was vulnerable to a logical flaw in the password reset mechanism that allowed unauthorized password resets. By exploiting this flaw, we reset the admin user's password. This privilege escalation allowed access to an admin-only weapon dispatch feature, which included a command injection vulnerability via unsanitized curl execution in Markdown parsing. Combining both vulnerabilities led to command execution and flag retrieval.
This challenge involved client-side reconnaissance through JavaScript .map and .js files served by a Next.js application. By mining and crawling those files, we uncovered hidden API endpoints, enumerated users via an inquire endpoint, and eventually downloaded user-specific transaction PDFs to retrieve the flag.
The application has an IDOR (Indirect Object Reference) vulnerability which can be used to retrieve the flag.
GitHub Codespaces is a cloud-based development environment that allows developers to instantly spin up a fully configured, containerized VS Code environment directly from a GitHub repository. It eliminates the need for manual setup and ensures consistency across development environments by using devcontainers. With support for Visual Studio Code and browser-based editing, Codespaces enables fast onboarding, seamless collaboration, and streamlined CI/CD workflows, making it ideal for modern DevOps and remote development scenarios.
This research is heavily inspired by the insightful work published by the team at Wiz (https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities). Motivated by their findings, I conducted an independent assessment focused on Platform-as-a-Service (PaaS) environments—specifically targeting platforms that offer managed services in two primary categories: