GitHub was under the largest DDoS attack on record, and it came up in our work chat that evening. It turned out that few people knew about the excellent search engines shodan.io and censys.io.
Well, out of curiosity, purely for the wow effect, I searched for TeamCity (TC from here on). I remembered a nice registration bug in older versions (it was fixed in version 9.0.2, January 2015).
As it turned out, it was not even needed: on many TC instances the admins had not closed registration, and on some, access was available as guest.
* Pictures can be opened in a new tab for better quality.
I took the very first IP and went to its TeamCity.

Hooray, registration is open, and as a rule a registered user has more rights than the guest; see the comparison below.
Guest:
And this is what it looks like under a newly registered account. Some access credentials were spelled out in plain view in the build parameters.

But logins and passwords also live in another place: in the artifact configs:


Judging by the database names, there could not be anything interesting in there, but I still decided to try.
A lightweight and fast MongoDB client for Windows: robomongo.org
I did not dig through the database much, because the word "analytics" induces boredom.
Getting into TFS did not work out: the login is clearly not a web one, and poking at the API is also boring, since it is not the most interesting project, but for a demonstration this is enough.
I dug up the developers' e-mail there and wrote to them; no answer.
If artifacts were not available, you can always look at the change log:


Surprise: there are projects where passwords are plain dictionary words; here at least there is a prefix.
I remember once coming across the password "look around", just funny.
Also, a certain category of people prefers to store all settings directly in the code:

Now to the most interesting part: there is a project, triplay.com. Their products: emusic.com, estories.com, mydigipack.com, mymusiccloud.com and some others. The Android application has 1,000,000+ installs; for Apple I did not figure out where to look up the download count.
And of course, their TeamCity was open to the outside, plus registration was open:

120 builds, but artifacts were far from everywhere, probably to save space. But there is a Common project where all the artifacts come together, and the server-side ones were quite decent on their own, and that was enough:

Great, download the file and... I'm not really surprised:


I had to install Java and check the connection to Oracle (Oracle for a simple little site in production, aah, damn, why not Postgres):

Of course, even though the prod prefix was specified everywhere in the configs, without an explicit check this could not be said for sure):

And of course, I registered the e-mail address from which I wrote to them about the problem (I only showed screenshots, not a script, because I did not want people from support getting access to a database with 691k accounts; I downloaded it all at home and... no, I can't do that. The script is a bit far-fetched, but it is better to ask for an admin/development contact).
In theory, with full access to the database you could simply replace someone's password hash/salt with your own and log in as them.
But I just read the data and left it at that, writing to the official support, who told me that everything would be considered and passed to a specialist who would answer in turn, and... silence.
A few days later they closed access to the database, but not to the hardware; I checked the mail: no questions, no thanks.
Well, ok, it is useful to check further, and... I found a project in the artifacts that contains deployment scripts, as if it gets into TeamCity from somewhere outside and then starts the build itself.


So it was, plus another login/password from TeamCity.
It was hard to believe, well, ok, telnet shows port 22 is open, I try ssh, but wait, what is the login...

Voilà: ssh -p 22 -i triplay-deployer-priv root@build.triplay-inc.com
A little surprised that the access worked, ok. I looked around in the console, looked at the hosts (35 machines were listed) and some keys (I'm not very good with *nix, but with root access it is already clear that you could do whatever you want).
Found a test domain plus a specific machine (and... it seems an SSL cert).

The screenshot above, by the way, is from hopping from one server to another, because that one was not reachable over ssh from the outside. And of course there were such machines there; imagine what the infrastructure looks like.
And I left a file with special greetings (with mistakes, sorry, I already wanted to sleep).

After the next letter, they shut the shop down.
But that was not the end: the guys had a test account. I logged in with it. It turned out you can get a track for free... well, I press F12 on everything, and... what do I see in the payload:
{ "trackId": 1559229346, "quality": "SD", "dailyDownloadPurchase": false, "freeTrackPurchase": true }
No, this is not an April Fool's joke: whether you get the track for free or buy it is decided on the frontend with the freeTrackPurchase flag.
And now the nuance: apparently it does not work for all accounts, only for specifically test ones)), but with access to such an account you can "buy" all the tracks. And anyway, they are all available without authorization (there is a special URL, info from the database, checked).
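To make the flaw concrete, here is an added example (not code from the post or from the vendor) that contrasts a purchase handler honouring the client-sent freeTrackPurchase flag with one that decides entitlement from server-side data only. The catalogue, the accounts and their prices are constructed sample values; only the trackId is taken from the payload quoted above.

```javascript
// Constructed sample data: what the server itself knows about tracks and accounts.
const catalogue = {
  1559229346: { priceCents: 129, freeForAll: false }, // trackId from the post; price is made up
  42: { priceCents: 0, freeForAll: true },            // a genuinely free track
};
const accounts = { alice: { credits: 129 }, bob: { credits: 0 } };

// Vulnerable pattern: whoever edits the request body in the browser decides the price.
function purchaseTrusting(user, payload) {
  const track = catalogue[payload.trackId];
  if (!track) return { ok: false, reason: "unknown track" };
  if (payload.freeTrackPurchase) return { ok: true, charged: 0 };
  return charge(user, track.priceCents);
}

// Hardened pattern: the client flag is ignored and entitlement comes from the catalogue.
// A client claim that disagrees with the server's decision is recorded in auditLog,
// because that disagreement is exactly the signal of a tampered request.
function purchaseServerSide(user, payload, auditLog = []) {
  const track = catalogue[payload.trackId];
  if (!track) return { ok: false, reason: "unknown track" };
  const isFree = track.freeForAll || track.priceCents === 0;
  if (payload.freeTrackPurchase !== undefined && payload.freeTrackPurchase !== isFree) {
    auditLog.push({ user, trackId: payload.trackId, claimed: payload.freeTrackPurchase, decided: isFree });
  }
  return isFree ? { ok: true, charged: 0 } : charge(user, track.priceCents);
}

// Debits the account; fails closed when the balance is insufficient.
function charge(user, amountCents) {
  const account = accounts[user];
  if (!account) return { ok: false, reason: "unknown account" };
  if (account.credits < amountCents) return { ok: false, reason: "insufficient credits" };
  account.credits -= amountCents;
  return { ok: true, charged: amountCents };
}
```

Test-account shortcuts like the one the post describes belong in a test build, never behind a runtime flag the production server reads from the request.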
What mistakes the guys made:
- Very internal resources were open to the whole world (DB, TeamCity, SSH)
- Even where there is such a need, no whitelist was set up for connections
- Connecting as root from the outside... a so-so idea even so
- Moreover, in the project a certificate was added for this as root!
- All accesses and keys are stored in... files and propagated across projects (aws, paypal, etc., the template is put here), instead of keeping a single connection to a configuration service
- And most importantly, registration was allowed in TeamCity, which is where it all started
- And on top of that, the Google/Apple applications were built in the same place, and the corresponding certificates and source code were right there
Therefore, if you have any products accessible from the outside, think about how outsiders could misuse them and prevent it.
And the main application should be designed and assembled so that
"the application code base can be freely available at any time without compromising any private data."
And know the products you work with, like these:
- RabbitMQ: default login/password guest/guest
- Redis: no authorization at all by default, and it allows you to do this
- TeamCity: registration allowed by default
- and... the list goes on, including memcached reachable from the outside, and GitHub)