Finding hidden gems vol. 4: Rakefile a.k.a. how to get AWS keys again

Mateusz Olejarka
Jul 3

Long time no see. I will improve I promise. Maybe. NVM.

Staying in the application development area, as in the previous post.
Some time ago I was interested in applications created in Ruby. I did some review of trending GitHub repositories and I noticed that some of them contain a Rakefile file. To quote the docs:

Rake is a Make-like program implemented in Ruby. Tasks and dependencies are specified in standard Ruby syntax.
Rake has the following features:
* Rakefiles (rake’s version of Makefiles) are completely defined in standard Ruby syntax. No XML files to edit. No quirky Makefile syntax to worry about (is that a tab or a space?)
* Users can specify tasks with prerequisites.
* Rake supports rule patterns to synthesize implicit tasks.
* Flexible FileLists that act like arrays but know about manipulating file names and paths.
* A library of prepackaged tasks to make building rakefiles easier. For example, tasks for building tarballs. (Formerly tasks for building RDoc, Gems and publishing to FTP were included in rake but they’re now available in RDoc, RubyGems and respectively.)
* Supports parallel execution of tasks.

Sounds cool, maybe some juicy information is hiding there. As in the previous story, I used simple multi-threaded Python code to check my domain list and see whether any such files were available.

I found several of those files, and one was particularly interesting:

require 'rubygems'
require 'bundler/setup'
require 'rake'
require 'rspec/core'
require 'rspec/core/rake_task'
[--CUT--]
path = "conf/deployment.yml"
[--CUT--]
task :spec => :build
task :default => :build

O.o, deployment.yml is a configuration file, or so it seems. Accessing it will probably result in a 403 response code, but it is still worth checking, I think.
Surprise surprise — it was accessible! Inside it were AWS keys.

production:
[--CUT--]
aws_key: AKIA[--CUT--]AR
aws_secret: vx[--CUT--]nIst


development:
[--CUT--]

This is it, another P1.

Lessons learned

  • For myself - further extend my list of application development related files
  • Bug hunters - search for Rakefile, Makefile, Dockerfile… (there is much more of those)
  • Developers - make sure you do not have any additional content in an application web root folder, which is not necessary and, of course, set proper permissions to the configuration folder.
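
The developer lesson above can be turned into a pre-deployment check that walks the local web root and reports build files, the configuration files they reference, and anything that looks like AWS credentials. This is an added example, not code from the original post; it goes a step beyond the post by scanning every file under the root. The function names, the sample directory tree and the key values are constructed for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

BUILD_FILES   = %w[Rakefile Makefile Dockerfile].freeze # file names listed in the post
ACCESS_KEY_ID = /\bAKIA[0-9A-Z]{16}\b/                  # shape of an AWS access key ID
SECRET_FIELD  = /^\s*aws_secret\s*:\s*\S+/              # field name seen in the post
YAML_LITERAL  = /["']([^"'\n]+\.ya?ml)["']/             # quoted .yml path in a build file

# Walk a local web root and return sorted [relative_path, reason] pairs for
# files that should not be reachable over HTTP.
def audit_webroot(web_root)
  root = File.expand_path(web_root)
  findings = []
  Dir.glob('**/*', File::FNM_DOTMATCH, base: root).each do |rel|
    full = File.join(root, rel)
    next unless File.file?(full)
    text = File.binread(full, 65_536).to_s # first 64 KiB is enough for these checks
    if BUILD_FILES.include?(File.basename(rel))
      findings << [rel, 'build file in web root']
      # Paths in a Rakefile are relative to the Rakefile's own directory.
      text.scan(YAML_LITERAL).flatten.each do |ref|
        target = File.expand_path(ref, File.dirname(full))
        next unless File.file?(target) && target.start_with?(root + '/')
        findings << [target.delete_prefix(root + '/'), "config referenced by #{rel}"]
      end
    end
    if text.match?(ACCESS_KEY_ID) || text.match?(SECRET_FIELD)
      findings << [rel, 'AWS credential material']
    end
  end
  findings.uniq.sort
end

# Constructed sample tree mirroring the layout in the post (all values are fake).
def demo_findings
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'conf'))
    File.write(File.join(root, 'index.html'), '<h1>ok</h1>')
    File.write(File.join(root, 'Rakefile'),
               "require 'rake'\npath = \"conf/deployment.yml\"\ntask :default => :build\n")
    File.write(File.join(root, 'conf', 'deployment.yml'),
               "production:\n  aws_key: AKIAEXAMPLEEXAMPLE00\n  aws_secret: constructed-fake\n")
    audit_webroot(root)
  end
end

demo_findings.each { |path, reason| puts "#{path}: #{reason}" }
```

Run `audit_webroot` against the directory that will be published and fail the deployment if it returns anything.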

If you enjoyed this story go and read three previous parts:

If you have any questions, feel free to use the comments or find me on Twitter.

Written by Mateusz Olejarka, Pentester @ SecuRing