Tuesday 18 August 2020

Escalating a GitHub leak to takeover entire organization

I was hunting on a private program. One of the common things I do is look for leaked credentials on Github. I give special attention to deleted files. Because many people are not aware that just deleting a file doesn't remove it from your repository. 

One of the YAML files caught my attention.

matrixbot-username: {{ .Values.matrixbot.username | default "some_leaked_username" | b64enc }}
matrixbot-password: {{ .Values.matrixbot.password | default "some_leaked_password" | b64enc }}

Initially, I had no clue what were these passwords. So I started searching about the matrix thing.
I stumbled upon https://matrix.org and realized this is a communication client.

Matrix is an open-source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache-licensed reference implementations.

So, here's the plan. Find the client and try to log in and see if I was lucky enough. I found a web-based client at https://app.element.io/#/login attempted to log in, but it didn't work.

I almost gave up, but then I noticed that there is an option to have a self-hosted server. And it somehow summed up my theory that a DevOps person might have used it for some automation, so there was a YAML file, and hence it should be self-hosted.

Now I had to find the hosted server. And the most obvious step was to look for subdomains.
There were multiple subdomains, and, one that caught my attention was matrix.thewebsite.com

Visting the URL showed this, which was very convincing I am at the right place.

So, I visited https://app.element.io/#/login again. Added the custom server. Entered the leaked username and password. To my surprise, I was in.

As I logged in, I understood the creds were of a matrix bot. There was a hell lot of information like Grafana passwords, server logs, private keys, etc. in channel description itself. However, I immediately logged out and filed a report.

Reward 4000$

Takeaway for hackers:
- Do not give up or conclude too early. Try and research more.
- Try to escalate leaks but with caution. Do not go very deep.

Takeaway for companies:
- Purge the files just deleting a file doesn't work.
- Implement 2FA for all accounts.

7th Aug: Filed the report.
7th Aug: Bug was fixed by removing the file as well as refreshing the credentials. Additionally, 2FA was implemented.
11th Aug: 4000$ bounty reward.