Show HN: SmokedMeat, like Metasploit, but for CI/CD (open-source)

Posted by flexorium 2 days ago


A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.

Comments

Comment by flexorium 2 days ago

OP here, mini AMA.

Two years ago today, our small research team open-sourced poutine, a SAST scanner for CI/CD pipelines (very similar to zizmor, but written in Go and customizable using the Rego DSL). It finds the vulnerabilities in your build pipelines. As all security engineers know, running SAST and filing a JIRA ticket leads nowhere.

Some weeks ago TeamPCP came on the scene and most were shocked to see the blast radius, starting with Trivy, then LiteLLM, KICS, etc. Trivy got pwn'd using a textbook "pwn request".

I've been building SmokedMeat for the past 5 months to level the playing field. It's a Red Team framework for CI/CD pipelines. You scan a GitHub org's workflows, pick from a menu of exploitable pipelines, you are guided through an exploitation wizard, wait... and you're in post-exploitation. Secrets already exfiltrated from runner process memory are in the Loot stash, ready to pivot into cloud accounts, private repos, and more. Live attack graph in the browser.

To try it:

    git clone https://github.com/boostsecurityio/smokedmeat.git
    cd smokedmeat
    make quickstart

Then you target the whooli GitHub org (https://github.com/whooli), a CTF playground to exploit (hint: the final flag is in a Google Cloud Storage bucket).

Happy to answer questions about the ethics, architecture, implant design, or CI/CD attack techniques.
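As an added illustration (this is not SmokedMeat's or poutine's code, and it is not part of the original thread), here is a minimal detector for the "pwn request" pattern mentioned above: a workflow triggered by `pull_request_target` (which runs in the base repository's privileged context, with a write-capable token and secrets, even for a PR from a fork) that checks out the PR head with `actions/checkout` and then executes code from it. The three workflow files are constructed samples, and the detector is a line-based heuristic rather than a full YAML parser, so it will miss checkouts done with `gh pr checkout` in a `run:` step and other indirections.

```python
"""Heuristic 'pwn request' detector for GitHub Actions workflow files.

Constructed example: not SmokedMeat, poutine or zizmor code. The rule it
implements is: privileged trigger + actions/checkout of the PR head = finding.
"""
import re
from dataclasses import dataclass

# Triggers whose jobs run with the base repo's GITHUB_TOKEN and secrets even
# when the triggering pull request comes from a fork.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}

# Expressions that resolve to the untrusted PR head (sha, ref or repo).
HEAD_REF_MARKERS = ("github.event.pull_request.head", "github.head_ref")


@dataclass(frozen=True)
class Finding:
    workflow: str
    trigger: str
    line: int      # 1-based line of the offending ref:/repository: key
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _triggers(lines: list[str]) -> set[str]:
    """Collect trigger names from the top-level `on:` key.

    Handles `on: push`, `on: [a, b]`, the `on:\\n  a:` mapping form and the
    `on:\\n  - a` list form; nested trigger config (types:, branches:) is skipped.
    """
    found: set[str] = set()
    for i, line in enumerate(lines):
        if _indent(line) != 0:
            continue
        m = re.match(r'^(?:"on"|\'on\'|on):\s*(.*)$', line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            found.update(t.strip(" '\"") for t in inline.strip("[]").split(",") if t.strip())
            return found
        child_indent = None
        for nxt in lines[i + 1:]:
            body = nxt.strip()
            if not body or body.startswith("#"):
                continue
            ind = _indent(nxt)
            if ind == 0:
                break                       # left the `on:` block
            if child_indent is None:
                child_indent = ind
            if ind != child_indent:
                continue                    # nested config, not a trigger name
            if body.startswith("- "):
                found.add(body[2:].strip(" '\""))
            else:
                found.add(body.split(":", 1)[0].strip(" '\""))
        return found
    return found


def scan_workflow(name: str, text: str) -> list[Finding]:
    """Return one Finding per actions/checkout step that checks out the PR head
    inside a workflow with a privileged trigger. Empty list means no match."""
    lines = text.splitlines()
    privileged = _triggers(lines) & PRIVILEGED_TRIGGERS
    if not privileged:
        # Plain `pull_request` from a fork gets a read-only token and no secrets,
        # so running the PR's code there is not a pwn request.
        return []
    findings: list[Finding] = []
    for i, line in enumerate(lines):
        if not re.search(r'uses:\s*["\']?actions/checkout', line):
            continue
        key_col = line.index("uses:")
        # Walk the rest of this step: sibling keys (with:, env:) sit at key_col,
        # their children deeper; the next `- step` or job sits to the left.
        for j in range(i + 1, len(lines)):
            nxt = lines[j]
            if nxt.strip() and _indent(nxt) < key_col:
                break
            m = re.match(r'\s*(ref|repository):\s*(.+)$', nxt)
            if m and any(marker in m.group(2) for marker in HEAD_REF_MARKERS):
                findings.append(Finding(name, ",".join(sorted(privileged)), j + 1,
                                        f"{m.group(1)} = {m.group(2).strip()}"))
    return findings


# --- constructed sample workflows -------------------------------------------

# Vulnerable: privileged trigger, checks out the fork's head, runs its scripts.
VULNERABLE_WORKFLOW = """\
name: PR lint
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run lint
"""

# Safe use of pull_request_target: only the base branch is checked out, so the
# PR author controls nothing that executes here.
SAFE_TARGET_WORKFLOW = """\
name: PR labeler
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label-pr.sh
"""

# Hardened lint: plain pull_request, read-only token, PR code may run freely.
HARDENED_WORKFLOW = """\
name: PR lint
on:
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint
"""

if __name__ == "__main__":
    for wf_name, wf in (("vulnerable", VULNERABLE_WORKFLOW),
                        ("safe-target", SAFE_TARGET_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW)):
        for f in scan_workflow(wf_name, wf):
            print(f"{f.workflow}:{f.line}: {f.trigger} checks out PR head ({f.detail})")
```

The point the samples make is that `pull_request_target` by itself is not the bug; the labeler workflow uses it legitimately because it never touches the PR's files. The finding fires on the combination of a privileged trigger and a checkout of the head ref followed by something (`npm ci`, `make`, a test runner) that executes files the PR author controls. A real scanner would parse the YAML, resolve reusable workflows and follow `run:` steps as well.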

Comment by gepeto42 2 days ago

The last year has shown that this vector is getting weaponized for real so it's great to see more tools to help defenders!

Is this something only companies with public repos should be worried about?

Comment by frothy-dashcam 1 day ago

I absolutely second the OP. I used to be a penetration tester and whenever I had low-level contributor access to an internal repository I managed to break out into the cloud, and in 99% of cases I was an administrator after that. CI/CD is remote code execution as a service and way too often way too misconfigured. When I say low-level contributor access, I mean the level you give an intern who joins your company for a two-week summer internship. They come as an unpaid intern, they leave as an AWS administrator. Pretty good deal in my book ;) Thank you so much for creating the tool. This might drive the point home just how easy it is to exploit this stuff.

Comment by flexorium 2 days ago

Absolutely not. The same TTPs apply almost 1-to-1 for Insider Threat scenarios. We built the Deciduous Attack Trees (shout out to Kelly) for insider threats last year. It overlaps. So either you start with Initial Access that's purely public and pivot deeper, or you already have a modest foothold (like an intern with read-only access) and off to the races.

Comment by guyle 1 day ago

Great offensive tool!

On the defensive side, we are pushing to OIDC short-lived tokens, eliminating this risk altogether.

Comment by flexorium 6 hours ago

That's definitely part of the solution to limit the risk, but it does not eliminate it. That's exactly something the tool demonstrates very well. If you can exploit it, you can gently ask OIDC to mint you access on the fly. That's what I call "dwell mode", where you hang for, say, 1 minute and perform arbitrary things with the OIDC access. So yes, with short-lived creds there's no "offline access" and it leaves more traces, but still.

Comment by bavarianbob 2 days ago

I think this is a killer project that's very needed to accelerate the learning of how to defend against the deluge of nascent CI/CD risks. Kudos Boost team!

Comment by flexorium 2 days ago

Thanks! I got tired of talking about it to defenders. I wanted to talk to Red Teamers too, and SOC / detection engineering people. I wanted to build a tool that someone can just have the CISO try directly.

Comment by mrene 1 day ago

That's pretty useful to get a clear picture of lingering threats that aren't immediately visible from existing scanning tools.