How I found a GoldMine but got No Gold


In the last 2 months I have been testing a private program with a big scope covering multiple domains and brands. Testing a large scope is fun and rewarding: developers are constantly shipping new things, and many bugs and holes get left behind.

The issue I found was a vulnerable Nacos instance that allowed an attacker to create new users with admin privileges, giving access to the Nacos management panel, which disclosed a goldmine of backend credentials: database credentials, OSS bucket credentials, Blob Storage credentials, and more.

Recon is the key here. “The first rule of war and business is to know your enemy”.

It's critical to understand the company's development structure. I observed that REDACTED was divided into divisions by country, each with its own set of teams. That opens up more attack surface.

As standard procedure, I ran subdomain enumeration on REDACTED and found many subdomains. One that caught my attention was

https://crm-stg.REDACTED.com

The reason was its default page.

Why is a Baidu search engine being served as the default page? I then ran ffuf on the domain, and the interesting endpoint I found was

https://crm-stg.REDACTED.com/nacos

[Screenshot: Nacos login page]

I hadn't encountered a Nacos instance before, so I did a quick Google search.

“Nacos provides a set of simple and useful features enabling you to realize dynamic service discovery, service configuration, service metadata and traffic management. Nacos makes it easier and faster to construct, deliver and manage your microservices platform. It is the infrastructure that supports a service-centered modern application architecture with a microservices or cloud-native approach.”

The description above is interesting: if I could somehow get access to the management panel, there was a real possibility of configuration files being disclosed.

While searching for known exploits related to Nacos, I stumbled upon a great blog post.

https://unsafe.sh/go-56947.html

So apparently, in Nacos versions <= 2.0, an attacker can list the accounts registered on the instance, although the passwords are returned encrypted.

curl -XGET -H 'User-Agent: Nacos-Server' 'https://crm-stg.REDACTED.com/nacos/v1/auth/users?pageNo=1&pageSize=900'

It was also possible to register new users on the platform.

curl -XPOST 'https://crm-stg.REDACTED.com/nacos/v1/auth/users?username=testing&password=testing' -H 'User-Agent: Nacos-Server'

With the request above I registered a new user, "testing", and got access to the Nacos panel.
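Both requests above work because the affected versions treat a request carrying the User-Agent header Nacos-Server as a trusted server-to-server call and skip authentication. The following is an added example (not part of the original post) of how a defender could flag that abuse in web-server access logs: it parses combined-format log lines and reports Nacos-Server user agents arriving from outside an assumed cluster network, plus any enumeration of or writes to the /nacos/v1/auth/users endpoint. The log lines, the cluster range and the source IPs are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /nacos/v1/ns/instance/list?serviceName=crm HTTP/1.1" 200 512 "-" "Nacos-Server"
203.0.113.7 - - [01/Jan/2023:10:05:12 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=900 HTTP/1.1" 200 4096 "-" "Nacos-Server"
203.0.113.7 - - [01/Jan/2023:10:05:40 +0000] "POST /nacos/v1/auth/users?username=testing&password=testing HTTP/1.1" 200 20 "-" "Nacos-Server"
198.51.100.2 - - [01/Jan/2023:10:06:01 +0000] "GET /nacos/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Matches one combined-format line: client IP, timestamp, request line, status, bytes, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed range of the Nacos cluster's own nodes, the only legitimate senders of "Nacos-Server".
CLUSTER_NETS = [ip_network("10.0.0.0/8")]

AUTH_USERS = "/nacos/v1/auth/users"


def is_cluster_ip(ip: str) -> bool:
    """True if the client address belongs to the assumed cluster network."""
    addr = ip_address(ip)
    return any(addr in net for net in CLUSTER_NETS)


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious condition seen in the log text."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        if ua == "Nacos-Server" and not is_cluster_ip(ip):
            # The server-to-server identity presented from outside the cluster.
            findings.append({"ip": ip, "reason": "spoofed Nacos-Server UA", "path": path})
        if path.startswith(AUTH_USERS) and method == "POST":
            findings.append({"ip": ip, "reason": "user creation via auth API", "path": path})
        elif path.startswith(AUTH_USERS) and method == "GET":
            findings.append({"ip": ip, "reason": "user enumeration", "path": path})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ip']}: {f['reason']} ({f['path']})")
```

Against the constructed sample this reports four findings, all from 203.0.113.7; the cluster node's own Nacos-Server request on the first line is correctly ignored.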

What I found next blew my mind; it was literally a goldmine. There were a total of 59 configuration files in the panel, disclosing database credentials, OSS bucket keys, Blob Storage SAS tokens, and many more secret keys.

The following is just one example of those credentials: a Blob Storage SAS token that gave me access to the transaction records of every store the company operates worldwide.

[Screenshot: Blob SAS token disclosure]

[Screenshot: Azure Storage Explorer]

In Bug Bounties always be prepared to receive the unexpected.

The following is the reply I received from the company. I was disappointed, as the issue was a P1 and I got nothing for it. Still, it was fun riding through enemy territory xD

I hope the above write-up helps someone find similar issues in Nacos instances.
