We're all familiar with the Blackbox methodology in Penetration Testing. For those who might not be, let's get everyone on the same page. In a Blackbox test, the penetration tester acts like an external attacker with no insider knowledge of the target system: no architecture diagrams, source code or credentials are handed to the testers, only what is already publicly available. This type of test is all about finding vulnerabilities that can be exploited from outside the network. In the following, I'll share a real scenario we conducted where we successfully uncovered the company's top secrets – and here's the kicker, we did it without any information provided by our client.
When you're pondering Cyber Security risks, your mind probably jumps to EDRs, Antivirus, Ransomware, Viruses, and all those buzzwords. Well, here's an interesting twist. Let us walk you through a scenario where thinking outside the usual boxes helped us uncover our customer's most guarded secrets.
Ready to dive in? Let's go!
Let's give our anonymous client the alias "Evil Corp" for this narrative. As all you aspiring hackers are aware, any successful attack kicks off with reconnaissance. So, our initial move towards a complete compromise is to identify all the public assets Evil Corp possesses. Public assets, in this context, include IP addresses, domains, and other valuable bits of information. There's a vast array of tools available for discovering the range of related IP addresses of a company, and for this mission, we opted for Censys.
Let's clear things up – this task wasn't a quick one! But here, we're offering you a focused peek into the process of unveiling EvilCorp's most precious data. Yes, you guessed it – the kind of information that could seriously jeopardize the company's standing.
Nothing here? Brute force!
Having discovered numerous IP addresses, we ran an Nmap scan for open ports. One of the IP addresses had port 8080 open (a strong hint that an HTTP service lives there) – which immediately caught our attention. We happily browsed there to disclose a whole... NOTHING.
Port 8080 is open
Nothing there?
Ahh Git!
Feeling a bit disappointed with the lack of content on that big blank page, we decided to take a closer look by brute-forcing directories, hoping to uncover something worthwhile. To our excitement, our efforts paid off, leading us to an intriguing folder named "documents". Further exploration during our directory brute-force revealed a particularly interesting (and discreetly tucked away) folder. Can you spot it? No worries, we've already highlighted it for you – the .git folder!
Discovering juicy .git folder
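From the defender's side, the two things that happened in this step (a wordlist walk producing a burst of 404s, followed by a successful request into /.git/) are both visible in ordinary web server access logs. The following is an added example, not code from the original write-up, that flags both patterns. It assumes the Combined Log Format that nginx and Apache emit by default; the log lines are constructed for illustration and the IP addresses are documentation ranges.

```python
"""Flag directory brute-forcing and probes of /.git/ in web access logs.

Added example (not from the original post). Assumes Combined Log Format;
sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ip ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that should never be served. A 200 here means the repository is exposed;
# a 403/404 means the probe was blocked but someone is still looking.
SENSITIVE_PREFIXES = ("/.git", "/.svn", "/.hg", "/.env")


def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def max_hits_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window=timedelta(seconds=60), threshold=20):
    """Report IPs with >= threshold 404s inside `window` and any hit on a sensitive path."""
    not_found = defaultdict(list)
    sensitive = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole analysis
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["time"])
        if rec["path"].startswith(SENSITIVE_PREFIXES):
            sensitive.append((rec["ip"], rec["path"], rec["status"]))
    bruteforce = {}
    for ip, times in not_found.items():
        n = max_hits_in_window(times, window)
        if n >= threshold:
            bruteforce[ip] = n
    return {"bruteforce": bruteforce, "sensitive": sensitive}


def _constructed_line(ip, second, path, status, ua):
    """Build one constructed log line (all timestamps on the same minute)."""
    return (f'{ip} - - [12/Mar/2024:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 153 "-" "{ua}"')


# Constructed sample: a normal visitor, then one client walking a wordlist
# and finally fetching /.git/HEAD successfully (status 200 = repo exposed).
SAMPLE_LOG = [
    _constructed_line("198.51.100.4", 0, "/", 200, "Mozilla/5.0"),
    _constructed_line("198.51.100.4", 5, "/documents/", 200, "Mozilla/5.0"),
] + [
    _constructed_line("203.0.113.7", i, f"/guess{i}", 404, "dirbuster")
    for i in range(25)
] + [
    _constructed_line("203.0.113.7", 30, "/.git/HEAD", 200, "dirbuster"),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The threshold and window are deliberately parameters: a busy site with many broken links will need a higher threshold, while a hit on /.git/HEAD is worth an alert at any rate, and one that returns 200 is an incident, not a probe.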
Talk to any hacker, or think about it yourself – a .git folder can be like hitting the jackpot! Even if you have fancy security systems, if someone gets hold of a .git folder with plain-as-day credentials to the company's SQL database, that's all they need to cause some serious trouble. It shows how important it is to secure not just the big stuff but also the little things that could lead to big problems.
Git is the most widely used code versioning tool in application development. It lets developers keep a constantly updated copy of the code while retaining full control over every change introduced, which streamlines collaboration and brings precision and order to the flow of code changes.
Today many applications use Git to version and/or publish application code. So, like many other new technologies, Git does its job well but has also opened up new security holes. An exposed .git directory can contain sensitive information such as API keys, developer comments, AWS keys, and even the password to a system's administrative screen, plus the log of every change made during development (so a secret removed in a later commit is still recoverable from history). To put it in simple words, through carelessness, an application that uses Git for versioning can expose the .git directory – exactly what happened to EvilCorp 😊
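The practical lesson from this paragraph is that secrets should never reach the repository in the first place, because once they are committed they live on in history even after being "removed". Below is an added example, not code from the original post or from GitTools, of the kind of secret scan a team would run as a pre-commit hook or CI step. It matches the categories listed above (AWS access keys, passwords, connection strings with embedded credentials, private keys), reports only a redacted hint so the scanner itself does not leak anything, and can walk the full history of a local clone via `git log -p`. The configuration file it scans is a constructed sample; the AWS key in it is Amazon's documented example key, not a real credential.

```python
"""Scan text or a local git history for committed secrets.

Added example (not from the original post). The sample config below is
constructed; the AKIA... value is AWS's published example key.
"""
import re
import subprocess

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # user:password@ embedded in a database/FTP URI
    "connection_string": re.compile(
        r"\b(?:mongodb(?:\+srv)?|mysql|postgres(?:ql)?|ftp|redis)://[^:\s/@]+:[^@\s]+@"
    ),
    # password = 'value' / password: value (group 1 is the value)
    "password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s;,]{4,})"),
}
# Values that are templates rather than secrets: ${VAR}, {{ var }}, <placeholder>, %var%
PLACEHOLDER = re.compile(r"^[\$\{<%]")


def scan_lines(source, lines):
    """Return findings for `lines`; each finding carries a redacted hint only."""
    findings = []
    for no, line in enumerate(lines, 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)
                if PLACEHOLDER.match(value):
                    continue  # template variable, not a literal secret
                findings.append(
                    {"kind": kind, "source": source, "line": no, "hint": value[:4] + "***"}
                )
    return findings


def scan_text(source, text):
    return scan_lines(source, text.splitlines())


def scan_repo_history(repo_path):
    """Scan every line ever added in a local repo's full history.

    An exposed .git directory leaks history too, so this is the view an
    attacker would get. Requires the git binary; `source` is the commit id.
    """
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings, commit = [], "?"
    for line in out.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_lines(commit, [line[1:]]))
    return findings


# Constructed sample resembling the kind of config file found in such repos.
SAMPLE_CONFIG = """\
<?php
// constructed sample, not real credentials
$db_host = 'db.internal';
$db_user = 'app';
$db_password = 'Winter2019!';
$aws_key = 'AKIAIOSFODNN7EXAMPLE';
$mongo = 'mongodb://report:s3cret@mongo.internal:27017/erp';
$debug = false;
"""

if __name__ == "__main__":
    for f in scan_text("config.php", SAMPLE_CONFIG):
        print(f"{f['source']}:{f['line']} {f['kind']} ({f['hint']})")
```

Wire `scan_text` into a pre-commit hook over the staged files and run `scan_repo_history` once over the existing clone; anything it reports in history has to be treated as already compromised and rotated, because deleting the file in a new commit does not remove it from the objects an exposed .git directory serves.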
I want it ALL
Now, this is what you call a JACKPOT! But wait, there's more, a lot more. Just take a look at what we found there, and you will be shocked. So, by using an amazing suite of tools called GitTools[1] (there's also a cool Firefox addon[2]), we managed to find the clear-text password of EvilCorp's accountant, FTP credentials, SQL credentials (we used them to actually connect to the company's databases), users, development environments and a great deal of other critical information. The funny thing was that the email account wasn't protected by MFA, so accessing the inbox was also very interesting. In total we discovered well over 1,000 sensitive files, including sensitive business information and clear-text credentials for multiple servers.
EvilCorp's accountant's Office 365 clear-text credentials on a silver plate
Looking around EvilCorp's accountant's Office 365 account
MongoDB clear-text credentials
Having fun at EvilCorp's Azure (Entra ID) portal
Browsing EvilCorp's SQL server with discovered credentials

[2] https://addons.mozilla.org/en-US/firefox/addon/dotgit/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search
Honestly, witnessing the entire scope of the attack outlined above left us genuinely astonished (and our client too). The potential impact of the accessed information could have seriously crippled the company. It's worth pondering – all of this stemmed from a simple human error in configuration: the web server was allowed to serve the .git directory of the deployed application, something a security-minded development team could easily have prevented. It's a stark reminder of the significant consequences that can arise from oversight in such a critical aspect of business operations.
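The configuration error in question is the web server serving the deployed repository's .git directory. As an added illustration that is not part of the original write-up, here is the weak nginx server block beside the corrected one; the hostname and document root are placeholders. The fix blocks every dot-directory and dotfile (.git, .svn, .env and friends) except /.well-known/, which ACME and similar protocols need.

```nginx
# BEFORE (constructed): the deploy copied the whole working tree, .git included,
# and nothing stops nginx from serving it.
server {
    listen 8080;
    server_name app.example.com;      # placeholder
    root /var/www/app;                # placeholder; contains /var/www/app/.git
    location / {
        try_files $uri $uri/ =404;
    }
}

# AFTER: refuse any path segment that starts with a dot, apart from /.well-known/.
server {
    listen 8080;
    server_name app.example.com;      # placeholder
    root /var/www/app;                # placeholder

    # Matches /.git, /.git/HEAD, /documents/.env, ... but not /.well-known/...
    location ~ /\.(?!well-known/) {
        deny all;
        return 404;                   # 404 rather than 403 so the probe learns nothing
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The better fix is to keep the repository out of the document root entirely (deploy a build artifact, or `git archive`, rather than `git clone` into the web root); the deny rule is the safety net for when someone does it anyway. Whichever you do, verify it from outside: a request for /.git/HEAD on your own host should return 404, never a line starting with `ref:`.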