Setting Up Gitrob and Using It to Find a Leaking Repository of an Employee in a HackerOne Private Program
The only reason I am blogging about this finding is to help guys who are facing difficulty in setting up Gitrob, since it has been rewritten in Go and not many people out there are familiar with Go. So, let’s begin:
A few days back I got a private invite on HackerOne and started with some reconnaissance; let’s assume the target is abc.com. So I started to manually look up repositories linked to it by performing a general search on github.com, as you can see below:
The next thing I thought of was to give my task some touch of automation. The only tool that I could think of at that moment was none other than Gitrob. So I quickly went to https://golang.org/doc/install?download=go1.11.5.linux-amd64.tar.gz, from where I was able to download the Go package for my Linux machine.
After downloading it, I extracted it into the /usr/local folder of my machine’s root directory.
tar -C /usr/local -xvzf go1.11.5.linux-amd64.tar.gz
Now the final step left was to set up the environment variable for Go so that I could easily run commands like go get and go run from anywhere in my bash terminal.
To do this I had to make sure that my /usr/local/go/bin directory, which contained my go executable, was present in the $PATH environment variable, which contains the list of directories where the system searches for executable programs, scripts, or files when you want to run a command directly from your shell.
Most of the time people directly set their executable’s path in $PATH by running export PATH=$PATH:/../../../path/to/executable in their shell, but this doesn’t work if you open a new shell, because the change applies only to the current shell session.
So, to make sure that you have a persistent system-wide installation of Go for all users, follow the steps below:
1. cd /etc
2. nano profile
3. Add export PATH=$PATH:/usr/local/go/bin at the end of the file
4. ctrl+x to save the changes.
By now I was ready to run go from my command line, as you can see below:
It was time to fetch michenriksen’s repository so that I could run Gitrob on my machine.
One thing to remember here is the `GOPATH`, which is nothing but the default working directory of Go. Once you install Go, this path will be automatically set to your $HOME/go directory for versions 1.7–1.11.
In case the above doesn’t work you can always follow the below steps:
Create a folder to store all programs written in Go and use go get to fetch Gitrob’s repository and get started with it.
1. mkdir $HOME/go
3. mkdir bin src
5. export GOPATH=$HOME/go
6. export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
7. Save changes made to the profile with source /etc/profile
8. go get github.com/michenriksen/gitrob
Now you have Gitrob’s repository cloned in your go directory; check out the final steps shown in the image below:
Now I just ran go run main.go -github-access-token 1234 abc
Replace 1234 with your GitHub access token; abc is the name we gave to our private program. You can go through this link [https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/] to find out how to generate your GitHub access token.
After a few minutes I got a lot of findings, one of which got my attention; it’s shown in the image below:
So, first I confirmed whether the author was the company’s employee or not. I searched the author’s name on LinkedIn and found that the person was a software developer in that company. The next step was to parse the .zshrc file for some sensitive data.
Once I opened up that .zshrc file in the dotfiles folder, I found multiple psql commands that contained the names of some AWS instances and one Okta API key, using which I could get SSO to all the accounts of that person, which included abc as well [thought so]. BINGO!!!
The Okta API key can be seen in the image below:
The PostgreSQL commands for the AWS instances can be seen below:
At last I reported this issue to the private program. They took down the repository, but it wasn’t eligible for a bounty; you can find the reason mentioned in the image below:
Happy Hacking !!!
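For anyone who keeps a public dotfiles repository, the following added example (not part of the original post and not Gitrob's code) is a pre-push check for the two kinds of leak found in the .zshrc above: literal credentials assigned to secret-looking variable names, and psql commands that name a database host. The regular expressions, the Finding type, the ScanDotfile function and the sample file contents are all assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding locates a risky line; the secret value itself is never stored.
type Finding struct{ Line int; Rule, Name string }

var (
	// NAME=value with a secret-looking NAME; '#' is allowed because commented-out secrets still leak.
	secretVar = regexp.MustCompile(`(?i)^\s*#?\s*(?:export\s+)?([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_?KEY)[A-Z0-9_]*)=["']?([^"'\s]*)`)
	// psql with an explicit host, including inside alias definitions.
	psqlHost = regexp.MustCompile(`\bpsql\b.*?\s(?:-h\s*|--host[= ])([A-Za-z0-9._-]+)`)
)

// ScanDotfile returns one Finding per hard-coded secret or psql host.
func ScanDotfile(content string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		// Values taken from a variable or command ($VAR, $(...)) are not literals.
		if m := secretVar.FindStringSubmatch(line); m != nil && m[2] != "" && !strings.HasPrefix(m[2], "$") {
			out = append(out, Finding{n, "hardcoded-secret", m[1]})
		}
		if m := psqlHost.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{n, "psql-host", m[1]})
		}
	}
	return out
}

// Constructed sample .zshrc; every value is a placeholder.
const sampleZshrc = `export EDITOR=vim
export OKTA_API_TOKEN="EXAMPLE-NOT-A-REAL-TOKEN"
# export OLD_DB_PASSWORD=example-old-password
export GITHUB_TOKEN="$(pass show github/token)"
alias proddb='psql -h db.example.com -U app appdb'
`

func main() {
	for _, f := range ScanDotfile(sampleZshrc) {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, f.Name)
	}
}
```

The GITHUB_TOKEN line is not reported because its value is fetched from a password manager at shell start-up rather than written into the file, which is the form the other two credentials should be moved to before the repository is pushed.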