Skip to content

Challenge Data

  • Name: Docs
  • Category: Git
  • Points: 420/500

Solution

(continuation of challenge LEAK) Unfortunately, by the time I’m writing this writeup, both repositories involved were not longer available.

We still had the private SSH key to be used. Besides that, inside the directory I found a hidden folder called .github. After searching for a while I found that this is related with Github Actions. Inside this folder there were two files: A config file (.yaml) and a Python file.

After reading the documentation, the names of both files (issue-bouncer.(yaml|py)) and the content of these files I undertood that the Python script was being executed each time a new issue was created in the repository.

The config file had some key thing to understand what was happening.

name: Bounce issues from public repo to private repo
[..]
env:
    [..]
    DST_REPO: 'ekoparty2020/ekoparty-internal'
    DST_REPO_TOKEN: ${{ secrets.INTERNAL_TOKEN }}
run:
    [..]
    python3 .github/workflows/issue-bouncer.py

The Python script had the following interesting lines: 

 # pull our repo access
src_repo = Github(getenv('SRC_REPO_TOKEN')).get_repo(getenv('GITHUB_REPOSITORY'))
dst_repo = Github(getenv('DST_REPO_TOKEN')).get_repo(getenv('DST_REPO')) # bounce to ekoparty-internal

# pull the src issue
src_issue_id = int(getenv('SRC_REPO_ISSUE'))
src_issue = src_repo.get_issue(src_issue_id)

# bounce a comment back to the src issue
src_issue.create_comment('Thank you for submitting a staff report! This issue will be filed to the internal ekoparty2020 staff repo and triaged ASAP!')

# bounce the issue through to the internal repo
dst_repo.create_issue(title=src_issue.title, body=src_issue.body, labels=[dst_repo.get_label('Staff Report')])

# update the source issue title and make contents private
src_issue.edit(title="This issue has been filed with staff internal repo! Thanks!", body='', state='closed')

As can be infered from both files, each time a new issue in the ekolabs appeared, it was automatically bounced to another (private) repo called ekoparty-internal. From the YAML file we can understand that the token in order to access that private repo is something readable only for the server that is running. So we couldn't clone that repo. But, we had a private SSH key that we didn't use yet. So I tried to download that repo using the private key. 

$> ssh-agent bash -c 'ssh-add id_rsa; git clone git@github.com:ekoparty2020/ekoparty-internal.git

and it worked!! The repo had a README, cotaining the flag: 

# EkoParty 2020 issue tracker

This is the internal ekoparty issue tracker for the 2020 edition.
Please file any conference issues here for staff triage.
Note: this repository uses github actions:
https://docs.github.com/en/actions
Also, congrats for solving Stage 2!
EKO{1ca688c86b0548d8f26675d85dd77d73c573ebb6}