{"id":21508566,"url":"https://github.com/nopcorn/rascalrunner","last_synced_at":"2025-07-08T08:35:16.001Z","repository":{"id":262818603,"uuid":"888456883","full_name":"nopcorn/RascalRunner","owner":"nopcorn","description":"A red team tool to leverage Github workflows and self-hosted runners","archived":false,"fork":false,"pushed_at":"2025-05-30T14:45:05.000Z","size":20,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-30T20:16:44.800Z","etag":null,"topics":["cicd","github","offensive-security","redteam","redteam-tools","runners"],"latest_commit_sha":null,"homepage":"https://nopcorn.run","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nopcorn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-11-14T12:38:09.000Z","updated_at":"2025-05-30T14:42:58.000Z","dependencies_parsed_at":"2024-11-14T13:31:04.452Z","dependency_job_id":"933b5afb-04ac-43fd-a082-7977c4d4c4a0","html_url":"https://github.com/nopcorn/RascalRunner","commit_stats":null,"previous_names":["nopcorn/rascalrunner"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nopcorn/RascalRunner","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nopcorn%2FRascalRunner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nopcorn%2FRascalRunner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nopcorn%2FRascalRunner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/nopcorn%2FRascalRunner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nopcorn","download_url":"https://codeload.github.com/nopcorn/RascalRunner/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nopcorn%2FRascalRunner/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264232262,"owners_count":23576807,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","github","offensive-security","redteam","redteam-tools","runners"],"created_at":"2024-11-23T21:06:37.647Z","updated_at":"2025-07-08T08:35:15.993Z","avatar_url":"https://github.com/nopcorn.png","language":"Python","readme":"# RascalRunner ㊙️\n\nRascalRunner is a command-line red teaming tool designed to deploy malicious workflows to a GitHub repository covertly. The tool requires a GitHub personal access token (PAT) with `repo` and `workflow` permissions to function properly. \n\n**If you've found a PAT during a red team engagement, RascalRunner has a \"recon\" mode that will tell you what is possible with the token (see below)**\n\nIt creates a temporary branch, uploads your workflow file, gets it executed, captures the logs, and then automatically cleans up all artifacts - including the temporary branch, workflow runs, and any deployments. This makes it ideal for testing runner-based attacks, secrets leaking, or OIDC abuse without alerting the blue team to your actions. 
\n\nCheck out the sister repository, [RascalRunner-Workflows](https://github.com/nopcorn/RascalRunner-Workflows), for some example workflows. Please keep in mind that RascalRunner is an advanced tool and you can easily mess up deployment and get caught if you don't know what you're doing.\n\n## Features\n\n- Given a PAT (classic or fine-grained), finds repositories you should focus on for pipeline exploitation by checking for available secrets, permissions, and runs\n- Uploads a workflow file and kicks off a malicious run covertly on a temporary branch\n- Automatically downloads run logs when the run completes\n- Automatically cleans up evidence of the run, and removes potential deployments the event generated. Also supports only removing run logs but leaving the workflow to avoid some blue team detections.\n\nGitHub Actions are complex enough that if the `recon` or `run` steps fail, it doesn't mean you're cooked. There are also many ways to still mess up a deployment via RascalRunner and get caught by defenders. Be sure you understand the existing workflows in the repository you're targeting and look for clues to security and alerting measures in place.\n\n## Install\n\n```\nmkdir working \u0026\u0026 cd working\npython -m venv venv\nsource venv/bin/activate\npip install rascalrunner\n```\n\n## Usage\n\nUse in recon mode if you've found a GitHub PAT but are unsure how to leverage it. 
Output will show details about the token and curate a list of potential repository targets (ones that have workflows set up or with secrets)\n\n```shell\n$ rascalrunner recon --auth GITHUB_PAT\n\nToken Information                                                                             \n┌────────────────┬───────────────────────────────────────────────────────────────────────────┐\n│ Key            │ Value                                                                     │\n├────────────────┼───────────────────────────────────────────────────────────────────────────┤\n│ Owner          │ nopcorn (@nopcorn)                                                        │\n│ Account Type   │ User                                                                      │\n│ 2FA Configured │ Yes                                                                       │\n│ Email(s)       │ lol@lol.com, 143365389+nopcorn@users.noreply.github.com                   │\n│ Org(s)         │ testorg                                                                   │\n│ Token Scopes   │ repo, user, workflow                                                      │\n└────────────────┴───────────────────────────────────────────────────────────────────────────┘\n                                                                                                                                                                                                                     \nRepository Targets                                                                                                                                                                                                                          \n┌──────────────────────────────────────────────────────┬───────────────────┬─────────────────────────────────────┬─────────────┬──────────┬────────────────────────────────────────────────────────────────────────────────────────────────┐\n│ Target                                               │ 
Status            │ Permission(s)                       │ Num Secrets │ Num Runs │ Last Run Info                                                                                  │\n├──────────────────────────────────────────────────────┼───────────────────┼─────────────────────────────────────┼─────────────┼──────────┼────────────────────────────────────────────────────────────────────────────────────────────────┤\n│ nopcorn/artifact-exploit-poc                         │ Public            │ admin, maintain, push, triage, pull │ 0           │ 27       │ Vulnerable Workflow (Vulnerable Workflow) - 2025-05-27T00:01:33Z                               │\n│ nopcorn/auto-merge-test                              │ Private, Archived │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/CuteRAT                                      │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/DuckDuckC2                                   │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/env_test                                     │ Public            │ admin, maintain, push, triage, pull │ 0           │ 10       │ Update env.yaml (Deploy Test) - 2024-10-31T11:40:45Z                                           │\n│ nopcorn/gha-intercept                                │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/githubaudit                                  │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │              
                                                                                  │\n│ nopcorn/githubaudit-vulnerablerepo                   │ Public            │ admin, maintain, push, triage, pull │ 1           │ 0        │                                                                                                │\n│ nopcorn/hacktricks-cloud                             │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/nopcorn                                      │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/nopcorn.github.io                            │ Public            │ admin, maintain, push, triage, pull │ 0           │ 20       │ pages build and deployment (pages build and deployment) - 2025-05-27T00:54:15Z                 │\n│ nopcorn/RascalRunner                                 │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/RascalRunner-Workflows                       │ Public            │ admin, maintain, push, triage, pull │ 0           │ 0        │                                                                                                │\n│ nopcorn/redteam-stuff                                │ Private           │ admin, maintain, push, triage, pull │ 0           │ 51       │ try out linter temporarily (Test prior to running linter) - 2024-05-28T14:59:35Z               │\n│ nopcorn/workflow-test                                │ Private           │ admin, maintain, push, triage, pull │ 1           │ 24       │ deploy (deploy) - 2025-05-30T14:07:55Z                                                         
│\n└──────────────────────────────────────────────────────┴───────────────────┴─────────────────────────────────────┴─────────────┴──────────┴────────────────────────────────────────────────────────────────────────────────────────────────┘\n```\n\nWhen you've found a target, invoke the `run` mode and supply a malicious workflow for inclusion into the remote target\n\n```\n$ rascalrunner run -a GITHUB_PAT -t nopcorn/githubaudit-vulnerablerepo -w ./dump-secrets.yaml\n\n2024-11-06 10:32:44,074 Pushed new branch to remote with provided workflow\n2024-11-06 10:32:51,345 Removed remote branch\n2024-11-06 10:32:51,345 Found a running job, waiting for it to exit\n2024-11-06 10:32:57,794 Job completed\n2024-11-06 10:32:58,633 Wrote workflow output to nopcorn-dump-secrets-1730907178.txt\n2024-11-06 10:32:59,357 Removed workflow from the github UI\n2024-11-06 10:33:00,191 Found 0 deployments associated with the workflow\n\n$ cat nopcorn-dump-secrets-1730907178.txt \n\u003crun output\u003e\n```\n\nRemember that failed runs will automatically send an email to Github repository admins. I recommend adding `continue-on-error: true` to each step in your workflow.\n\n## Some improvements to come\n\n- automatically add `continue-on-error: true` to all steps to prevent failed runs from alerting\n- add support for environments\n    - find secrets in environments without protection rules\n    - allow for injecting a workflow in an environment from the command line\n- add job and workflow ids to verbose logging\n- allow renaming the workflow file from the command line\n- support a max run time before the RascalRunner will kill the run\n\n## Contributing\n\nHappy to review and accept fixes and enhancements. 
Open a PR.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnopcorn%2Frascalrunner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnopcorn%2Frascalrunner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnopcorn%2Frascalrunner/lists"}