How I found a credential-enriched Redis dump
Hello, everyone.
So, I was testing a program, and during my recon I came across tons of subdomains; unfortunately, they were wildcards.
Anyway, my attention was caught by a subdomain, “redacted-redacted.redacted.com”. It was a static page just to download their mobile apps; as it was a beta version, I thought why not do some directory searching, so I ran dirsearch with the default list:
python3 dirsearch.py -e <extensions list> -u http://redacted-redacted.redacted.com
and a file, dump.rdb, caught my attention; it was 3 MB in size.
Now a question arises: what is dump.rdb?
For those who don’t know:
An RDB file is a binary representation of the in-memory store. This binary file is sufficient to completely restore Redis’ state. The RDB file format is optimized for fast reads and writes. Where possible, LZF compression is used to reduce the file size.
So, as we can see, it uses LZF compression, which makes it hard to read, so I downloaded a couple of things:
- rdbtools
- python-lzf
sudo pip install rdbtools python-lzf
Once they are installed, we run a command to make it readable; to read it we have to convert it to JSON:
rdb --command json dump.rdb -f output.json
or you can also save the output directly to a .txt file:
sudo rdb --command json dump.rdb > out.txt
This will save all the JSON output in the .txt file.
(Saving the output directly like this makes the file more readable compared to the original output rdbtools gives.)
Now you can open it in your favourite editor, use this service, or whatever suits you.
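To show what rdbtools is doing under the hood for the LZF-compressed strings mentioned above, here is a minimal RDB reader that walks the opcode stream, decodes the length prefixes and decompresses LZF values. It is example code added to this writeup, not part of the original post or of rdbtools; it handles string-type keys only, and SAMPLE_RDB is a dump constructed by hand for the demonstration.

```python
def lzf_decompress(data, expected):  # Redis LZF: ctrl < 32 = literal run, else back-reference
    out, ip = bytearray(), 0
    while ip < len(data):
        ctrl = data[ip]; ip += 1
        if ctrl < 32:
            out += data[ip:ip + ctrl + 1]; ip += ctrl + 1; continue
        length, ref = ctrl >> 5, len(out) - ((ctrl & 0x1F) << 8) - 1
        if length == 7: length += data[ip]; ip += 1       # long match: extra length byte
        ref -= data[ip]; ip += 1
        for _ in range(length + 2): out.append(out[ref]); ref += 1   # byte-wise, overlap ok
    if len(out) != expected: raise ValueError("LZF length mismatch")
    return bytes(out)

def read_length(buf, pos):  # RDB length prefix -> (value, is_special_encoding, next_pos)
    b = buf[pos]
    if b >> 6 == 0: return b & 0x3F, False, pos + 1
    if b >> 6 == 1: return ((b & 0x3F) << 8) | buf[pos + 1], False, pos + 2
    if b >> 6 == 3: return b & 0x3F, True, pos + 1
    w = 4 if b == 0x80 else 8                          # 0x80: 32-bit, 0x81: 64-bit big-endian
    return int.from_bytes(buf[pos + 1:pos + 1 + w], "big"), False, pos + 1 + w

def read_string(buf, pos):  # plain, integer-encoded or LZF-compressed string -> (bytes, next_pos)
    n, special, pos = read_length(buf, pos)
    if not special: return buf[pos:pos + n], pos + n
    if n < 3:                                          # int8/int16/int32, little-endian
        w = 1 << n; return str(int.from_bytes(buf[pos:pos + w], "little", signed=True)).encode(), pos + w
    clen, _, pos = read_length(buf, pos)               # n == 3: LZF (clen, ulen, payload)
    ulen, _, pos = read_length(buf, pos)
    return lzf_decompress(buf[pos:pos + clen], ulen), pos + clen

def parse_rdb(buf):  # walks the opcode stream; returns {key: value} for string keys
    if buf[:5] != b"REDIS": raise ValueError("not an RDB file")
    pos, keys = 9, {}                                  # skip magic + 4-digit version
    while (op := buf[pos]) != 0xFF:                    # 0xFF = EOF (8-byte CRC64 follows)
        pos += 1
        if op == 0xFA:                                 # AUX: two strings (e.g. redis-ver)
            _, pos = read_string(buf, pos); _, pos = read_string(buf, pos)
        elif op in (0xFE, 0xFB):                       # SELECTDB: 1 length, RESIZEDB: 2
            for _ in range(1 if op == 0xFE else 2): _, _, pos = read_length(buf, pos)
        elif op in (0xFD, 0xFC): pos += 4 if op == 0xFD else 8   # expiry in s / ms
        elif op == 0:                                  # value type 0 = string
            k, pos = read_string(buf, pos); v, pos = read_string(buf, pos)
            keys[k.decode(errors="replace")] = v.decode(errors="replace")
        else: raise NotImplementedError(f"value type {op:#x} not handled")
    return keys

SAMPLE_RDB = (b"REDIS0009\xfa\x09redis-ver\x055.0.7\xfe\x00\xfb\x03\x00"   # constructed: header, aux, db 0
              + b"\x00\x04user\x05alice\x00\x04hits\xc0\x2a"            # plain + int8-encoded values
              + b"\x00\x08mail:cfg\xc3\x16\x23\x11smtp_pass=hunter2;\xe0\x08\x11"  # LZF-compressed value
              + b"\xff" + b"\x00" * 8)                                   # EOF + all-zero checksum
```

Calling parse_rdb(SAMPLE_RDB) yields the three keys with the compressed value expanded; a real dump with list, hash or set keys will hit the NotImplementedError, which is where rdbtools takes over.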
When I opened it, I found SMTP login creds, usernames, passwords, addresses, etc.
Unfortunately, I cannot tell you the company name or any other detail; this writeup just gives an idea of what to do if you find anything like this.
So I reported it to the company and they replied:
“it is 3 years old but thank you for letting us know, Bla Bla Bla…”
Unfortunately, no bounty yet.
“But it’s always great to learn something and gain experience from it.”
My DMs are open for any questions.
Thank you for reading.