Github Attack Toolkit v1.6 releases: GitHub Self-Hosted Runner Enumeration and Attack Tool

by do son · Published April 6, 2023 · Updated January 7, 2024

Gato (Github Attack TOolkit)

Gato, or GitHub Attack Toolkit, is an enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.

The tool also allows searching for and thoroughly enumerating public repositories that utilize self-hosted runners. GitHub recommends that self-hosted runners only be utilized for private repositories, however, there are thousands of organizations that utilize self-hosted runners.

Who is it for?

Security engineers who want to understand the level of access a compromised classic PAT could provide an attacker
Blue teams that want to build detections for self-hosted runner attacks
Red Teamers
Bug bounty hunters who want to try and prove RCE on organizations that are utilizing self-hosted runners

Features

GitHub Classic PAT Privilege Enumeration
GitHub Code Search API-based enumeration
GitHub Action Run Log Parsing to identify Self-Hosted Runners
Bulk Repo Sparse Clone Features
GitHub Action Workflow Parsing
Automated Command Execution Fork PR Creation
Automated Command Execution Workflow Creation
SOCKS5 Proxy Support
HTTPS Proxy Support

What does Gato do?

Gato, or GitHub Attack TOolkit, is intended for security professionals to evaluate the security of GitHub organizations, focusing on self-hosted runners.

What Gato isn’t

Gato is not intended to be an all-encompassing enumeration tool for GitHub. Secrets stored and utilized for GitHub actions can also be accessed using a compromised PAT that can update workflow code. The topic of secret disclosure from GitHub Actions has been examined by many security researchers, and there are excellent resources that can be found online detailing how a threat actor could gain access to secrets.

Why release this tool?

During our red team assessments, CI/CD has been the weak link for many organizations. GitHub, in particular, is becoming one of the key players in enterprise SCM solutions as organizations move away from on-premises code repositories. We wanted to release a tool that allows organizations to assess the impact of developer credential compromise and provide a valuable tool for red-teamers and penetration testers to evaluate the access gained from GitHub PATs compromised during an engagement.

There is also a very interesting attack surface in the form of public repositories that utilize self-hosted runners. This tool provides some features to speed up the exploration of that attack path.