Setting Up Gitrob and Using It to Find a Leaking Repository of an Employee in a HackerOne Private Program

Sahil Tikoo
Feb 9, 2019 · 4 min read

The only reason I am blogging about this finding is to help people who are facing difficulty in setting up Gitrob, since it has been rewritten in Go and not many people out there are familiar with Go. So, let's begin:

A few days back I got a private invite on HackerOne and started with some reconnaissance, let's assume it as I started to manually look up repositories linked to it by performing a general search on as you can see below:

Searching Github[OSINT]

The next thing I thought of was to give my task some touch of automation. The only tool that I could think of at that moment was none other than Gitrob. So I quickly went to from where I was able to download the Go package for my Linux machine.

Go package for Linux

After downloading it, I extracted it in the /usr/local folder of my machine’s root directory.

tar -C /usr/local -xvzf go1.11.5.linux-amd64.tar.gz

Now the final step left was to set up the environment variable for Go so that I could easily run commands like go get and go run from anywhere on my bash terminal.

To do this I had to make sure that my /usr/local/go/bin directory that contained my go executable is present in the $PATH environment variable which contains the list of directories where the system searches for executable programs, scripts, or files when you want to run a command directly from your shell.

Most of the time people directly set their executable’s path in $PATH by running export PATH=$PATH:/../../../path/to/executable in their shell, but this doesn’t work if you open a new shell.

So to make sure that you have a persistent, system-wide installation of Go for all users, follow the steps below:

1. cd /etc

2. nano profile

3. Add export PATH=$PATH:/usr/local/go/bin at the end of the file

4. Ctrl+X to save the changes.

As of now I was ready to run go from my command line as you can see below:

Running Go in bash

It was time to fetch michenriksen’s repository so that I could now run Gitrob on my machine.

One thing to remember here is the `GOPATH`, which is nothing but the default working directory of Go. So, once you install Go, this path will be automatically set to your $HOME/go directory for versions 1.7–1.11.

In case the above doesn’t work you can always follow the below steps:

Create a folder to store all programs written in Go and use go get to fetch Gitrob’s repository and get started with it.

1. mkdir $HOME/go

2. cd ~/go

3. mkdir bin src

4. nano /etc/profile

5. export GOPATH=$HOME/go

6. export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin

7. Save changes made to the profile with source /etc/profile

8. go get

Now you have Gitrob’s repository cloned in your go directory; check out the final steps shown in the image below:

Now I just ran go run main.go -github-access-token 1234 abc

Replace 1234 with your GitHub access token; abc is the name we gave to our private program. You can go through this link[] and find out how to generate your GitHub access token.

After a few minutes I got a lot of findings, one of which got my attention; it’s shown in the image below:

shell config file

So, first I confirmed whether the author was the company’s employee or not. I searched the author’s name on LinkedIn and found that the person was a software developer in that company. The next step was to parse the .zshrc file for some sensitive data.

Once I opened up that .zshrc file in the dotfiles folder, I found multiple psql commands that contained the names of some AWS instances and one Okta API key, using which I could get SSO to all the accounts of that person, which included abc as well [thought so]. BINGO!!!

The Okta API key can be seen in the image below:

Okta Api Key Leakage

The PostgreSQL commands for AWS instances can be seen below:

Psql commands in shell config file
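
The finding above came from credentials and internal hostnames stored literally in a shell config file. As an added example (not part of the original post and not Gitrob's own code), here is a check a developer could run on their dotfiles before publishing them; the rule names, the regexes and the sample file are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a shell config for hard-coded credentials before it is
# pushed to a public dotfiles repo. Rule names and regexes are assumptions.

# Rule table, one per line: "<name> <extended regex>".
rules() {
    cat <<'EOF'
okta-ssws-token SSWS[[:space:]]+[A-Za-z0-9_-]{20,}
secret-assignment (API_?KEY|API_?TOKEN|SECRET|PASSWORD)[A-Z0-9_]*=["']?[^[:space:]"'$]{8,}
postgres-uri-password postgres(ql)?://[^[:space:]:/]+:[^[:space:]@]+@
psql-aws-host psql[^|;]*[[:space:]](-h|--host)[=[:space:]]*[^[:space:]]*\.amazonaws\.com
EOF
}

# scan_shell_config FILE
# Prints "LINE:RULE" per hit (never the matched text, so secrets stay out of
# CI logs) and returns 1 if anything was found, 0 for a clean file.
scan_shell_config() {
    findings=$(rules | while read -r name regex; do
        grep -niE -e "$regex" "$1" | cut -d: -f1 |
            while read -r n; do printf '%s:%s\n' "$n" "$name"; done
    done | sort -t: -k1,1n)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample .zshrc; every host, user and key below is fake.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
export PATH=$PATH:/usr/local/go/bin
# export OKTA_API_KEY=00FAKEoldFAKEoldFAKEold
export OKTA_API_KEY="00FAKEfakeFAKEfakeFAKEfakeFAKE"
alias proddb='psql -h db1.example.us-east-1.rds.amazonaws.com -U app appdb'
alias okta='curl -H "Authorization: SSWS 00FAKEfakeFAKEfakeFAKEfake" https://example.okta.com/api/v1/users'
export DATABASE_URL=postgres://app:fakepass@db.example.internal:5432/app
export DB_PASSWORD=$(pass show db/prod)
EOF

# Lines 2-6 are flagged (a commented-out key is still a leak); line 7 is not,
# because the value is fetched at runtime instead of being stored in the file.
scan_shell_config "$sample" || echo "rotate the flagged credentials and move them out of the dotfile"
```

Wired into a pre-commit hook, the non-zero return status blocks the commit until the flagged lines are cleaned up.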

At last I reported this issue to the private program. They took down the repository, but it wasn’t eligible for a bounty; you can find the reason mentioned in the image below:

Hackerone response

Happy Hacking !!!
