March 14, 2019
Hi, I’m Sparkle Redberry!
Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.
I mean, I may have uploaded something sensitive earlier, but it’s no big deal. I overwrote it!
Care to check my Cranberry Pi terminal and prove me right?
Finding Passwords in Git > Search Git for Passwords
Git Cheat Sheet
1- Use the ls command to list all files and directories, including hidden ones:
ls -la
2- Navigate into the kcconfmgmt directory, then list all files and directories again. Now we have our .git folder.
3- Use the log subcommand to see the commit history:
git log
We found log entries for an add/remove action done by Sparkle Redberry, and the modified file is config.js:
commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b
Per @tcoalbox admonishment, removed username/password from config.js, default settings in config.js.def need to be updated before use
commit 68405b8a6dcaed07c20927cee1fb6d6c59b62cc3
Add initial server config
4- Use the diff subcommand to see what changed after that commit, in particular in config.js:
git diff 68405b8a6dcaed07c20927cee1fb6d6c59b62cc3
The diff shows the password in the removed (-) and added (+) lines:
- ‘url’ : ‘mongodb://sredberry:[email protected]:10073/node-api’
+ ‘url’ : ‘mongodb://username:[email protected]:27017/node-api’
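Review bot: the later commit only replaces the credential in config.js with username:password placeholders, so the removed line stays in the repository history and git diff against 68405b8a still shows it; the sredberry password must be treated as exposed and rotated, since rewriting history only helps if every clone and fork is refreshed as well.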
The MongoDB standard connection string format is:
mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]
So the MongoDB password is: twinkletwinkletwinkle
5- Enter the answer twinkletwinkletwinkle into runtoanswer:
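As an added example that is not part of the original writeup, a small Python scanner that automates steps 3 and 4: it walks git log -p output, flags URIs carrying a username:password pair, and reports removed hits too, because a later commit that overwrites the value leaves it in history. The sample log, the db.example.invalid host and the function names are constructed for this example.

```python
import re
import subprocess

# URIs of the shape scheme://user:password@host[:port]/... (the MongoDB standard
# connection string form). The password is captured only so it can be masked.
CRED_URI_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s'\"]+):(?P<password>[^@\s'\"]+)@"
    r"(?P<host>[^/:\s'\"]+)(?::(?P<port>\d+))?"
)

# Constructed sample modelled on the writeup's git log / git diff output;
# the host is a placeholder, not the real repository's value.
SAMPLE_LOG = """\
commit 60a2ffea7520ee980a5fc60177ff4d0633f2516b
    Per @tcoalbox admonishment, removed username/password from config.js
--- a/config.js
+++ b/config.js
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@db.example.invalid:10073/node-api'
+    'url' : 'mongodb://username:password@db.example.invalid:27017/node-api'
"""

def scan_history_text(log_text):
    """One finding per credential URI in `git log -p` text: commit, whether the
    line was added or removed, and the URI parts with the password masked."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        # Patch body lines only; '+++' / '---' are file headers, not content.
        elif line and line[0] in "+-" and not line.startswith(("+++", "---")):
            for m in CRED_URI_RE.finditer(line[1:]):
                findings.append({
                    "commit": commit,
                    "change": "added" if line[0] == "+" else "removed",
                    "scheme": m["scheme"], "user": m["user"],
                    "password_len": len(m["password"]),
                    "host": m["host"], "port": m["port"],
                })
    return findings

def scan_repo(path="."):
    """Scan every branch of the repository at `path` (needs git on PATH)."""
    log = subprocess.run(["git", "-C", path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_history_text(log)

if __name__ == "__main__":
    for f in scan_history_text(SAMPLE_LOG):  # use scan_repo("path") for a real repo
        print(f["commit"][:12], f["change"], f["scheme"], f["user"],
              f"<{f['password_len']} chars>", f["host"], f["port"])
```

A "removed" finding is the interesting one: it is exactly the case Sparkle describes, where the secret was overwritten but never left the repository.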
Oh my golly gracious - Tangle was right? It was still in there? How embarrassing!
Well, if I can try to redeem myself a bit, let me tell you about another challenge you can help us with.
I wonder if Tangle Coalbox has taken a good look at his own employee import system.
It takes CSV files as imports. That certainly can expedite a process, but there’s danger to be had.
I’ll bet, with the right malicious input, some naughty actor could exploit a vulnerability there.
I’m sure the danger can be mitigated. OWASP has guidance on what not to allow with such uploads.
CSV Injection Talk
Somehow Brian Hostetler is giving a talk on CSV injection WHILE he’s giving a talk on Trufflehog. Whatta’ guy!
OWASP on CSV Injection > OWASP CSV Injection Page