Git


After performing a basic system enumeration, I came across an interesting directory located in the home directory of the current user (dev):

dev@editorial:~$ ll
total 40
drwxr-x--- 5 dev  dev  4096 Jun 25 14:17 ./
drwxr-xr-x 4 root root 4096 Jun  5 14:36 ../
drwxrwxr-x 3 dev  dev  4096 Jun  5 14:36 apps/
lrwxrwxrwx 1 root root    9 Feb  6  2023 .bash_history -> /dev/null
-rw-r--r-- 1 dev  dev   220 Jan  6  2022 .bash_logout
-rw-r--r-- 1 dev  dev  3771 Jan  6  2022 .bashrc
drwx------ 2 dev  dev  4096 Jun  5 14:36 .cache/
drwx------ 3 dev  dev  4096 Jun 25 14:17 .gnupg/
-rw------- 1 dev  dev    20 Jun 25 14:09 .lesshst
-rw-r--r-- 1 dev  dev   807 Jan  6  2022 .profile
-rw-r----- 1 root dev    33 Jun 25 13:24 user.txt

There is the apps directory:

dev@editorial:~$ cd apps/ ; ll
total 12
drwxrwxr-x 3 dev dev 4096 Jun  5 14:36 ./
drwxr-x--- 5 dev dev 4096 Jun 25 14:17 ../
drwxr-xr-x 8 dev dev 4096 Jun  5 14:36 .git/

It contains a .git directory, which was also identified by PEAS earlier:

dev@editorial:~/apps$ git log
commit 8ad0f3187e2bda88bba85074635ea942974587e8 (HEAD -> master)
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:04:21 2023 -0500
 
    fix: bugfix in api port endpoint
 
commit dfef9f20e57d730b7d71967582035925d57ad883
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 21:01:11 2023 -0500
 
    change: remove debug and update api port
 
commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500
 
    change(api): downgrading prod to dev
    
    * To use development environment.
 
commit 1e84a036b2f33c59e2390730699a488c65643d28
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:51:10 2023 -0500
 
    feat: create api to editorial info
    
    * It (will) contains internal info about the editorial, this enable
       faster access to information.
 
commit 3251ec9e8ffdd9b938e83e3b9fbf5fd1efa9bbb8
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:48:43 2023 -0500
 
    feat: create editorial app
    
    * This contains the base of this project.
    * Also we add a feature to enable to external authors send us their
       books and validate a future post in our editorial.

Checking the git log shows that there have been 5 commits. One of them, b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae, was made to “downgrade” prod to dev. The prod account was confirmed to be present.

Commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae:

dev@editorial:~/apps$ git show b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date:   Sun Apr 30 20:55:08 2023 -0500
 
    change(api): downgrading prod to dev
    
    * To use development environment.
 
diff --git a/app_api/app.py b/app_api/app.py
index 61b786f..3373b14 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
 @app.route(api_route + '/authors/message', methods=['GET'])
 def api_mail_new_authors():
     return jsonify({
-        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
+        'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
     }) # TODO: replace dev credentials when checks pass
 
 # -------------------------------
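Review bot: the `-`/`+` pair in this hunk swaps one hardcoded credential for another instead of taking credentials out of app.py; the prod value on the `-` line remains recoverable from git history in every clone, so it has to be treated as exposed and rotated, and the dev value on the `+` line is now committed too. Suggest reading the credential from the environment or a secrets store (e.g. `os.environ`) so the mail template carries no secret at all, and resolving the `# TODO: replace dev credentials when checks pass` comment rather than leaving it as a reminder; a pre-commit secret scanner would have flagged both lines before they reached the repository.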

Checking the commit, b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae, reveals the change that was made to the welcome message. The removed line contains a CLEARTEXT credential for the prod account: prod:080217_Producti0n_2023!@. Lateral movement could be possible by leveraging this information disclosure.
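The lesson for defenders is that a credential removed in a later commit is still sitting in the repository history, exactly as the `git show` above demonstrates. The following is an added example, not code from the writeup or from the target application, that scans `git log -p` output for credential-looking lines on both added and removed sides and attributes each hit to its commit and file. The sample log text embedded below is constructed to mirror the diff format shown above; its commit ids, author, and secret values are placeholders, and the regular expressions are an assumed starting set to be tuned per code base.

```python
import re

# Constructed sample of `git log -p` output, modelled on the diff format shown
# in the writeup. Commit ids, author, index line, and the credential values
# are placeholders made up for this example, not values from the target.
SAMPLE_LOG = r"""commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev-example <dev@example.invalid>
Date:   Sun Apr 30 20:55:08 2023 -0500

    change(api): downgrading prod to dev

diff --git a/app_api/app.py b/app_api/app.py
index 0000000..1111111 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
     return jsonify({
-        'template_mail_message': "Username: prod\nPassword: EXAMPLE_OLD_SECRET_1\nPlease change it."
+        'template_mail_message': "Username: dev\nPassword: EXAMPLE_NEW_SECRET_2\nPlease change it."
     }) # TODO: replace dev credentials when checks pass

commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: dev-example <dev@example.invalid>
Date:   Sun Apr 30 20:51:10 2023 -0500

    feat: create api to editorial info

diff --git a/app_api/app.py b/app_api/app.py
new file mode 100644
--- /dev/null
+++ b/app_api/app.py
@@ -0,0 +1,3 @@
+api_route = '/api/latest/metadata'
+api_editorial_name = 'Example Editorial'
+# no secrets in this revision
"""

# Assumed starting patterns for "a credential is being written into source".
# No leading \b: the value often follows a literal "\n" inside a string, as in
# the sample, so a word boundary would miss "...\nPassword: ...".
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*\S+"),
    re.compile(r"(?i)(secret|token|api[_-]?key)\s*[:=]\s*\S+"),
]


def scan_git_log(log_text):
    """Walk `git log -p` output and return every added or removed hunk line
    that matches a credential pattern, tagged with its commit and file."""
    findings = []
    commit = path = None
    in_hunk = False
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path, in_hunk = line.split()[1], None, False
        elif line.startswith("diff --git "):
            in_hunk = False
        elif line.startswith("+++ ") and not in_hunk:
            # "+++ b/app_api/app.py" -> "app_api/app.py"
            target = line[4:].strip()
            path = target[2:] if target.startswith("b/") else target
        elif line.startswith("@@"):
            in_hunk = True
        elif in_hunk and line[:1] in ("+", "-"):
            # Inside a hunk every +/- line is content, even one starting "---".
            body = line[1:]
            if any(p.search(body) for p in SECRET_PATTERNS):
                findings.append({
                    "commit": commit,
                    "file": path,
                    "change": "added" if line[0] == "+" else "removed",
                    "line": body.strip(),
                })
    return findings


def exposed_secret_lines(findings):
    """Distinct (commit, file) pairs that need follow-up. 'removed' findings
    count as well: deleting a secret in a later commit does not purge it from
    history or from existing clones, so the value still has to be rotated."""
    return sorted({(f["commit"], f["file"]) for f in findings})


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f['commit'][:8]} {f['file']} [{f['change']}] {f['line'][:60]}")
```

Against a real repository, feed it the output of `git log -p --all` so that branches and tags are covered too; the design choice to report removed lines is deliberate, because the "fix" commit on this page is exactly the case where a scanner that looks only at the current tree would report nothing.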