Today I’m finally doing my write-up on how I got my first bug bounty, what I learned from the experience and some tips on how (with a little luck and perseverance) you may find one too.
Before we get started: any video, blog or article I mention will be linked as a reference at the end of this post.
I had been working in the IT field in various roles for a few years (Service Desk, Sysadmin roles) but had barely dipped my toes in the Security space yet. I had always been interested but never had the confidence to pursue it.
I was watching a GitHub Recon video one night that was pulled together by @Th3G3nt3lman, when I decided to “follow along”. This particular video was about manual GitHub recon and included some key search terms that were likely to yield results.
I decided to try some for myself. The tutorial video focused on Tesla as a target, so I thought I’d do the same, starting with search terms like:
Nothing of real interest caught my eye.
I then remembered that when I write code I don’t always give my variables the best names (I’m surely not the only one). So I also tried:
Again, nothing really stood out to me. At this point I figured, “Hey, sometimes I barely even bother naming variables, let’s try something else…”
I found a repository that was 3 days old with the following code:
This told me two things:
1. This was likely interacting with ServiceNow (an IT Service Management tool that I had become very familiar with through my role at the time).
2. With some very basic tricks I may have just uncovered some usable credentials.
The Adrenaline Rush
The first step was actually testing the credentials to see if they were valid and of any use. This was easy enough as they were just Base64 encoded — all that CTF practice had finally paid off! (Shout out to the team at WACTF). I used CyberChef to decode these from Base64 into plaintext and BAM! I had a username and password.
Now that I had what appeared to be a username and password I tried to log in. I was immediately prompted with a Tesla ADFS login portal which redirected me to an MFA prompt once I tried to get any further.
What this meant was that although I had usable credentials, I would also need access to this user’s mobile phone if I wanted to log in to ServiceNow, which makes things a little difficult.
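The finding above boils down to a Basic-auth value that is nothing more than base64 of "user:password" committed to a public repository. The following is an added example (not code from the post or from Tesla/ServiceNow) of the kind of check a pre-commit hook or secret scanner can run: it pulls base64-looking tokens out of source text and flags those that decode to a printable user:password pair. The sample source and the credential values in it are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample of the pattern the post describes: a hard-coded Basic-auth
# header whose value is only base64("user:password"). All values are made up.
SAMPLE_SOURCE = '''
HEADERS = {
    "Authorization": "Basic c3ZjX3NlcnZpY2Vub3c6U3VwZXJTZWNyZXQxMjMh",
    "Accept": "application/json",
}
URL = "https://example.service-now.com/api/now/table/incident"
IMAGE = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"  # binary, not a credential
'''

# Runs of 16+ base64 characters that are not embedded in a longer token.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_if_credential(token):
    """Return 'user:password' if token is base64 of a printable ASCII
    user:password pair, otherwise None (binary blobs, plain words, etc.)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    user, sep, password = text.partition(":")
    if not sep or not user or not password:
        return None
    return text


def find_encoded_credentials(source):
    """Scan source text line by line and return (line_no, token, username)
    for each token that decodes to a credential pair. The password is left
    out of the finding so the report itself can be logged safely."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            decoded = decode_if_credential(match.group(0))
            if decoded is not None:
                findings.append((line_no, match.group(0), decoded.split(":", 1)[0]))
    return findings
```

Running `find_encoded_credentials(SAMPLE_SOURCE)` reports only the Authorization line; the PNG-looking blob is rejected because it does not decode to printable text.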
API Saves the Day!
At this point I figured it was a lost cause… but I had used the ServiceNow API quite a few times for reporting tasks at work and thought I’d try my luck at throwing the credentials at that. For this I used Postman to see if I could get a successful response.
I requested a few rows from a table and BOOM! No MFA on the API — HTTP 200. We’re in business!
From here it’s worth noting that I did crash Postman with a poorly crafted request for my PoC. This is because the tool had attempted to retrieve all the contents of a particular table. This was in error and is absolutely not necessary when making a PoC. I cannot stress this enough.
The Technical Bits
From here it’s worth taking a step back and noting something about ServiceNow installations. While it is a cloud service, it often includes the use of something they call a “MID Server” which is responsible for pushing information into your cloud instance. This information includes Active Directory data (users, computers, etc.). This is how ServiceNow is able to link an Incident or a Helpdesk Ticket to a particular user. This is also how it allows engineers to plan maintenance on production systems, as they’re also imported and managed within ServiceNow’s Configuration Item DB (the CMDB).
What this means is that in this instance, by querying the right table (and having the right access), someone could effectively build a map of all internal servers, their internal IP addresses, specs and descriptions. Someone could also query all outstanding tickets for Change requests (You ITIL peeps know what I’m talking about) as well as any Incidents or Service Requests.
With this in mind I wrote a dirty PowerShell script that I then converted into a Python script that lives on my GitHub. With this script it’s possible to dump the contents of an entire ServiceNow instance if you have the appropriate access.
This was enough of a PoC to increase the severity of this disclosure from a P4 to a P1 (It’s all about impact!).
The repository was removed within about 3 hours (Honestly, the response from the Triage team and Tesla was amazing). With a bit of dodgy Python, I was able to create a tool that could demonstrate the real impact here (think about all the random helpdesk tickets you’ve come across in your time or potentially logged yourself).
This has now been patched and you’ll be prompted for MFA in both the PROD and DEV instances of ServiceNow for Tesla Motors.
Search everywhere, search often.
- This repository was 3 days old. If I had been a few days earlier or later I could have missed this entirely.
Automatic tools aren’t everything.
- I LOVE automation. I am a lazy IT person. But sometimes you just need to do the searching for yourself. In this case it was a combo of having the right search query as well as noticing something iffy about that repository that landed me this bounty.
Anyone can pursue bug bounties!
- This wasn’t overly technical. I certainly made it more technical than it had to be. Even if you think you don’t have the skillset for bug bounties this should be proof that there are things out there for you to find! You just need to know where to look :)