I was recently awarded a VERY generous bounty for finding an exposed /.git/config on a server owned by a fairly large name in the cryptocurrency mining scene. The vulnerability was trivial, and any greenhorn infosec enthusiast such as myself could have found it in under an hour. That said, I'm still going to do a short writeup of my process for my fellow greenies out there.
Recon via DNS
From my previous article I'm sure you all know that I absolutely love using Aquatone. It gathers a list of subdomains from public sources and by dictionary brute force. After gathering a list of domain names for a target I always run them through Aquatone to see what's what. In this particular case the vulnerable server was using the subdomain test.target.org. From my experience, test servers are prone to having all sorts of wonky configurations that developers seem to always forget about. With this in mind I directed my efforts at this
Pfft, you've probably never heard of this obscure tool called Nmap. Nmap is a network scanner that does a little bit of everything, including a built-in script that detects .git directories. You can read up on the http-git Nmap script here. I typically run nmap -A <target> when snooping around, which does OS detection, version detection, script scanning, and traceroute as well as the regular port scan. To my surprise this notified me that a git repository had been found on
So I'll save you from my horrible writing here and link a much, much better article than mine right here that goes in depth about the vulnerability. They even show you how to retrieve git information when directory listing is disabled. The main issue in the particular case I found was the target's use of HTTP authentication for server-client communication. This means that the target's credentials were saved in plaintext as protocol://user:password@host/repository in the /.git/config file. After obtaining this information I was able to log in to the target's Bitbucket as an administrator.
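As an added example (not code from the original post), here is a small Python audit that parses a .git/config in the format described above and reports any remote URL carrying credentials in the protocol://user:password@host/repository form, returning the redacted URL that should replace it. The config contents, host names and account names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config: one HTTP remote with user:password (placeholders),
# one with only a username, and one scp-style remote that cannot carry userinfo.
SAMPLE_CONFIG = """\
[remote "origin"]
\turl = https://deploy-user:s3cr3t-token@bitbucket.example/team/repo.git
[remote "ci"]
\turl = https://ci-bot@git.example:8443/team/repo.git
[remote "mirror"]
\turl = git@git.example:team/repo.git
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")

def parse_git_config(text):
    """Minimal reader for the INI-like .git/config format: (section, key, value) triples."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if m := SECTION_RE.match(line):
            section = m.group(1).strip()
        elif (m := KEY_RE.match(line)) and section is not None:
            entries.append((section, m.group(1).lower(), m.group(2).strip()))
    return entries

def find_embedded_credentials(text):
    """Report every remote URL whose userinfo part holds a user or user:password."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key != "url" or "://" not in value:
            continue  # scp-style syntax (git@host:path) has no userinfo component
        u = urlsplit(value)
        if u.username is None and u.password is None:
            continue
        host = u.hostname + (f":{u.port}" if u.port else "")
        findings.append({
            "remote": section,
            "user": u.username,
            "has_password": u.password is not None,
            # userinfo stripped: what the config should hold, with the secret in a credential helper
            "redacted_url": urlunsplit((u.scheme, host, u.path, u.query, u.fragment)),
        })
    return findings
```

Run it over a repository's .git/config before the repository is deployed or served; any finding means the secret must be rotated and moved out of the URL.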
After finding the vulnerability I contacted the company's staff and they promptly fixed the issue. I provided them with information about my process and they asked for my Ethereum wallet so they could reward me for my efforts. At this point I was just happy I had the experience under my belt, but when 10 ETH hit my wallet I was one happy camper. I quickly converted it to USD, which at the time came to just over $3000.
The company that awarded me the bounty did not have an official channel for reporting vulnerabilities. With this in mind, I have not included any information in this article that could be used to identify the company. I recommend extreme caution to anyone planning to report a vulnerability in a similar fashion, as it could very well land you in legal trouble.