OK, OK. I didn't exactly “hack Facebook”. What I achieved was operating-system-level command execution on one of Facebook's servers.
Here is the story of how I did it.
Last September I was in bed with a terrible flu. Just lying in bed was boring, so I started digging into Facebook's bug bounty program. I had participated in similar programs before, but never in Facebook's.
By the way, this is not a complicated hack at all, but it worked.
I started with nmap, scanning ports and limiting myself to domains owned by Facebook. I found several services on different IP addresses. I also looked at the acquisitions Facebook has made and ran a similar scan of the standard ports on the services I found.
On one of the IP addresses belonging to a Facebook acquisition there was a Jenkins instance running on its standard port. When I opened it in my browser, unfortunately, I was greeted by a Basic Authentication login prompt. I guess this is where most other bug hunters, and Facebook's own security team, end their testing.
I decided to run a full port scan with nmap. The results showed another Jenkins service running on a less standard port. When I accessed it, I was not asked to authenticate at all. Bingo!
For those who don't know, Jenkins is a Continuous Integration (CI) server. Once you are logged in, it lets you run Groovy code through the Jenkins Script Console.
Using Groovy code in the Jenkins Script Console, I could execute commands on the server as the jenkins user.
A sample of Groovy code that runs the whoami command:

    // Run the OS command and print what it writes to stdout
    def command = """whoami"""
    def proc = command.execute()
    proc.waitFor()
    println "stdout: ${proc.in.text}"
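The root cause here was a Jenkins instance with no security configured. As an added example (not part of the original post, and not Facebook's or the Jenkins project's own code), this is an init script you could drop into $JENKINS_HOME/init.groovy.d/ so that Jenkins enforces a login and denies anonymous access from the moment it starts; the admin user name and the JENKINS_ADMIN_PASSWORD environment variable are assumptions of this example.

```groovy
// Placed in $JENKINS_HOME/init.groovy.d/, this runs at Jenkins startup and
// closes the gap the post describes: a Script Console reachable without a login.
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

def instance = Jenkins.get()

// Audit first: with no security realm, every visitor is effectively an admin,
// including on the Script Console at /script.
if (!instance.isUseSecurity()) {
    println "WARNING: this Jenkins instance allows anonymous access; hardening now"
}

// Require a local account (sign-up disabled). The password comes from the
// environment rather than being hardcoded; both names are assumptions here.
def adminPassword = System.getenv("JENKINS_ADMIN_PASSWORD")
if (adminPassword == null || adminPassword.isEmpty()) {
    throw new IllegalStateException("JENKINS_ADMIN_PASSWORD must be set")
}
def realm = new HudsonPrivateSecurityRealm(false)
if (realm.getUser("admin") == null) {
    realm.createAccount("admin", adminPassword)
}
instance.setSecurityRealm(realm)

// Logged-in users get full control; anonymous users may not even read.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
instance.setAuthorizationStrategy(strategy)

instance.save()
println "Security realm and authorization strategy configured; anonymous access disabled"
```

After this runs, an unauthenticated request to /script returns a login redirect or 403 instead of the Script Console, which is the check worth adding to your own inventory scans.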
I reported the problem to Facebook, and they fixed it very quickly. I received $7,500 through their bug bounty program. The payment took several months and a lot of emails back and forth, but in the end I got it.
What's the takeaway? Don't forget the basics. I found a fairly serious mistake in one of Facebook's acquisitions while lying in bed, using nothing but nmap.
I would like to thank Facebook for the payment, and I hope I can tell them about more bugs in the future.