Full structure takeover of many brands of a company

Abdelrahman Khaled
3 min read · Sep 6, 2021


Note: this private program is hosted on the Bugcrowd platform and has many brands.

While testing this program I brute-forced directories and found this directory listing: http://sub.target.com/scripts

Directory listing

While analysing these files I found an interesting token in the [install.sh] file.

This is a GitHub access token, [d42e9078e94930************], but first I want to verify whether this token is valid or expired, because when a developer creates this token they can choose a time for it to expire automatically, like this:

Automatically expire after 30 days

Let's try to verify it:

https://api.github.com/orgs/<username>/repos?access_token=<token>

You should request this URL via the browser or curl; the response then either lists the repositories or shows that the token has expired.

Access token is valid

Amazing!! I can list private repositories, but I can't report it without making sure the data is related to the company or not, because maybe this developer just works part-time at the company, so I will clone the private repositories and analyse them. Let's go!

# List the organisation's repositories and keep only the "name" fields
# (anchored so that "full_name" entries are not picked up as well)
curl "https://api.github.com/orgs/<username>/repos?access_token=<token>" | grep -E '^ *"name":' | cut -d ":" -f 2 | cut -d '"' -f 2 > private_repos_name.txt

# Clone every repository in the list, authenticating with the same token
for repo in $(cat private_repos_name.txt); do git clone "https://<access-token>@github.com/<username>/$repo"; done

This bash code clones all private repositories to my VPS, and then I go and analyse them.

5.4G size of all repositories

I found 5.4G of repositories, OMG..

5.4G !!!!!!

I can't analyse this much data in a short time, so I will use the grep command to find sensitive data.

# Grep private ssh key command: match the PEM header of any private key
# (-e is needed because the pattern itself starts with a dash)
grep -rEn -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' .

This regex extracts private SSH keys from all repositories, very nice.

docker-compose.yml creds

In this file I found many creds and many Docker connections, but I can't use them because it's out of scope for the program: the program says not to try to connect to databases or internal infrastructure.
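The leaked token in install.sh, the grep for private keys, and the credentials in docker-compose.yml are all the same class of defect: secrets sitting in files that a web root or a repository exposes. The scanner below is an added example for the defending side (it is not the author's code or any tool from the write-up) that does what the ad-hoc grep above does, but for several secret types at once and with the matched values redacted so the report can be shared. It assumes the current GitHub token formats (a classic token is a bare 40-hex string; newer tokens carry a ghp_/gho_/ghu_/ghs_/ghr_ prefix plus 36 characters) and a constructed sample tree whose file names and values are all made up for the demo.

```python
"""Offline secret scanner for an exposed web directory or a cloned repository.

Added example (not code from the original write-up). Every pattern, file
name and sample value below is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Finding = Tuple[str, str, int, str]  # (file, pattern name, line number, redacted value)

# Pattern name -> regex. Where a group 1 exists it captures the secret value.
PATTERNS: Dict[str, re.Pattern] = {
    # Prefixed GitHub tokens (ghp_/gho_/ghu_/ghs_/ghr_ + 36 alphanumerics).
    "github_token_prefixed": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    # Classic tokens are bare 40-hex strings, indistinguishable from git commit
    # SHAs, so only flag them when a token/github hint appears on the same line.
    "github_token_classic": re.compile(
        r"(?i)(?:github|access[_-]?token|token)[^\n]{0,40}?\b([0-9a-f]{40})\b"),
    # PEM headers of RSA, EC, OPENSSH or PKCS#8 private keys.
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # PASSWORD= / password: / MYSQL_ROOT_PASSWORD: "..." style assignments in
    # .env and docker-compose files; values starting with $ are variable
    # references, not secrets, and are skipped.
    "password_assignment": re.compile(
        r"(?im)^[ \t]*[A-Z0-9_]*(?:PASSWORD|SECRET|API_KEY)[ \t]*[:=][ \t]*['\"]?([^'\"\s#$]{6,})"),
}

SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def redact(secret: str) -> str:
    """Keep a six-character prefix so a report can be shared without re-leaking the value."""
    return secret[:6] + "*" * max(0, len(secret) - 6)


def scan_text(text: str, source: str) -> List[Finding]:
    """Run every pattern over one file's text and return redacted findings."""
    findings: List[Finding] = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            if m.groups():
                findings.append((source, name, line_no, redact(m.group(1))))
            else:  # header-only match (private key): nothing to redact
                findings.append((source, name, line_no, m.group(0)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory tree (an exposed /scripts dir, cloned repos) and scan every file."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            path = Path(dirpath) / fn
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            findings.extend(scan_text(text, path.relative_to(root).as_posix()))
    return sorted(findings)


# Constructed sample tree: a leaked token in a deploy script, an .env file, a
# compose file, a committed key, and a README with a bare commit SHA that must
# NOT be reported.
SAMPLE_FILES = {
    "scripts/install.sh": (
        "#!/bin/sh\n# constructed sample, not a real token\n"
        "GITHUB_TOKEN=0123456789abcdef0123456789abcdef01234567\n"
        "git clone https://$GITHUB_TOKEN@github.com/example-org/app\n"),
    "app/.env": "DB_PASSWORD=correct-horse-battery\nGH_PAT=ghp_" + "A" * 36 + "\n",
    "app/docker-compose.yml": (
        "services:\n  db:\n    image: postgres:13\n    environment:\n"
        "      POSTGRES_PASSWORD: \"hunter2hunter2\"\n      POSTGRES_USER: app\n"
        "      API_KEY: ${API_KEY}\n"),
    "app/deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedSampleNotAKey\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "app/README.md": "Deployed from commit 0123456789abcdef0123456789abcdef01234567.\n",
}


def run_demo() -> List[Finding]:
    """Write the constructed sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for source, name, line_no, value in run_demo():
        print(f"{source}:{line_no}: {name}: {value}")
```

Run it as a pre-commit hook or a CI step over the repository, and as a periodic check over any directory that a web server serves. The classic-token pattern deliberately requires a hint word on the same line, otherwise every git commit hash in a script would be reported. A token that does turn up should be revoked in GitHub before anything else; note also that GitHub has deprecated passing access_token as a URL query parameter, as the write-up's verification URL does, in favour of the Authorization header.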

But I have more than 15 private repositories related to 15 brands :)

In every repo I found [panel passwords, backup databases, full application code, cloud creds] and I could connect to and take over all brands.

Also, business impact:

I reached all of the [product architecture, product layouts], but sorry, I can't share this, to preserve the confidentiality of the company's data.

Keep following

Linkedin | Facebook

I will publish some juicy writeups soon..

