GitHub Capture the Flag results
Blog post from GitHub
Earlier this month, a Capture the Flag (CTF) competition called "Call to Hacktion" was organized to test participants' GitHub Workflow security skills by challenging them to exploit a vulnerability in a private game repository. The objective was to escalate read-only access to write access through a GitHub Workflow vulnerability, while simultaneously learning about GitHub Workflow privilege models and security considerations. Nearly 350 GitHub community members participated, with 54 successfully solving the challenge. @Creastery, a CTF player and security researcher, was the first to exploit the vulnerability, completing the task in just over an hour and a half. The solution involved exploiting a templated JavaScript injection flaw to manipulate the Workflow commands and gain write access to the repository. The challenge emphasized the importance of treating GitHub Workflows as privileged code, particularly when handling untrusted input, to prevent security breaches. The event showcased a variety of creative approaches and highlighted the necessity of adhering to GitHub security best practices.
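The flaw class the post describes, an untrusted value such as a pull request title expanded by `${{ }}` templating directly into a script the workflow then executes, is easiest to recognise side by side with its fix. The following is an added example, not code from GitHub's post or the CTF repository: two constructed workflow snippets (a vulnerable one that templates `github.event.pull_request.title` into a `run:` shell line and into an `actions/github-script` body, and a hardened one that passes the same value through `env:` so the interpreter reads it as data) plus a small regex-based auditor that flags untrusted context expressions inside `run:` or `script:` blocks. The list of untrusted context prefixes and the line-based YAML handling are simplifying assumptions of this example, not a complete taxonomy.

```python
"""Added example (not from the GitHub post): flag untrusted GitHub context
expressions interpolated into workflow `run:` or `script:` steps, alongside
the hardened `env:` pattern. The snippets are constructed for illustration;
YAML is handled line by line with a regex to avoid third-party dependencies."""

import re

# Contexts carrying attacker-controllable text (issue/PR titles and bodies,
# PR branch names, commit messages, ...). Defensive heuristic, assumed here;
# not an exhaustive list.
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref")

# Keys whose values are executed by a shell (run) or by Node (github-script).
BLOCK_KEYS = ("run:", "script:")

# A `${{ ... }}` expression; group 1 is the expression body.
EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

# Constructed vulnerable workflow: the PR title is pasted verbatim into a
# shell line and into a JavaScript string literal before the interpreter
# runs, so a crafted title becomes code.
VULNERABLE_WORKFLOW = """\
name: triage
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New PR: ${{ github.event.pull_request.title }}"
      - uses: actions/github-script@v6
        with:
          script: |
            const title = "${{ github.event.pull_request.title }}";
            console.log(title);
"""

# Constructed hardened workflow: the same value travels as an environment
# variable, which the shell and process.env read as plain data.
HARDENED_WORKFLOW = """\
name: triage
on: pull_request_target
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"
      - uses: actions/github-script@v6
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        with:
          script: |
            const title = process.env.PR_TITLE;
            console.log(title);
"""


def find_injections(workflow_text):
    """Return (line_number, expression) pairs for untrusted `${{ }}` contexts
    found inside a `run:` value or a `script:` block. Lines indented deeper
    than the key are treated as the block body; expressions under `env:`
    are the safe pattern and are not reported."""
    findings = []
    in_block = False
    block_indent = 0
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped:
            continue  # blank lines neither open nor close a block
        indent = len(line) - len(stripped)
        if in_block and indent <= block_indent:
            in_block = False  # dedented back to a sibling key
        # A list item ("- run: ...") places the key two columns further in.
        is_item = stripped.startswith("- ")
        key = stripped[2:] if is_item else stripped
        if key.startswith(BLOCK_KEYS):
            in_block = True
            block_indent = indent + 2 if is_item else indent
        if not in_block:
            continue
        for match in EXPR_RE.finditer(line):
            expr = match.group(1)
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW),
                       ("hardened", HARDENED_WORKFLOW)):
        print(name, find_injections(text))
```

Running the module reports two findings for the vulnerable snippet (the `run:` line and the templated line inside the `script:` body) and none for the hardened one. The auditor is deliberately conservative: it treats any `github.event.*` value in an executed block as a finding, which matches the post's point that a workflow is privileged code and untrusted input must never be spliced into it as source text.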