Hi everyone! It’s been a while since my last post, but I’m back. I want to tell you a short story about a private bug bounty program and why you should always check public repos on GitHub, because you will be surprised.
If you like Bug Bounty writeups, please check my handbook Bug Bounty Write Ups Collection.
Hi REDACTED COMPANY team, I have found a private key exposed along with an ssh config file in a public GitHub repo belonging to a REDACTED COMPANY employee, which led me to perform an RCE on an AWS EC2 instance.
Proof of concept:
1.- On GitHub, after some dorks (/src/github.com/redacted_company IdentityFile was the winning dork), I found this public repository https://github.com/redacted_employee/configfiles/tree/23114…51312/ssh/ which contains two files, config and pkey.pem:

config:
Host devenv
    HostName X.X.X.X
    User ec2-user
    Port 22
    IdentityFile ~/configfiles/ssh/pkey.pem

pkey.pem (private key):
-----BEGIN RSA PRIVATE KEY-----
- - - R E D A C T E D - - -
SSBkb24ndCBrbm93IGFueW1vcmUNCkFyZSB0aGUgbmVpZ2hib3JzIHdhdGNoaW5nIG1lPyAoV2hvJ3Mgd2F0Y2hpbmc/KQ0KV2VsbCwgaXMgdGhlIG1haWxtYW4gd2F0Y2hpbmcgbWU/IChUZWxsIG1lLCB3aG8ncyB3YXRjaGluZz8pDQpBbmQgSSBkb24ndCBmZWVsIHNhZmUgYW55bW9yZSwgb2gsIHdoYXQgYSBtZXNzDQpJIHdvbmRlciB3aG8ncyB3YXRjaGluZyBtZSBub3cgKHdobz8pLCB0aGUgSVJTPw==
- - - R E D A C T E D - - -
-----END RSA PRIVATE KEY-----
2.- Then, with any ssh client, you just need to run:

# X.X.X.X was the IP of the Host that appears in the config file
# you need to save the pkey.pem and change the key file permissions
# with chmod 600 pkey.pem
omespino@h0st:~# chmod 600 pkey.pem
omespino@h0st:~# ssh -i pkey.pem ec2-user@X.X.X.X
3.- Once I had access, I executed sudo su and id to confirm the admin privileges, and we got root:

[ec2-user@ip-172-X-X-X ~]$ sudo su
root@ip-ip-172-X-X-X:/home/ec2-user# id
uid=0(root) gid=0(root) groups=0(root)
Environment and tools:
Any ssh client
My IP was X.X.X.X. I executed the sudo su and id commands to fingerprint the user and privileges, logged out immediately and started to write this report; according to the program terms, no deeper steps were taken.
An attacker can gain access to this EC2 instance and execute arbitrary commands as root.
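The defender's counterpart to the dork above is to catch the pair of files before it ever reaches a public repo. The scanner below is an added example written for this post (not the author's code and not anything from the affected company): it walks a repository snapshot, flags any file carrying a PEM private-key header, parses ssh_config stanzas, and raises the severity when an IdentityFile points at a key that is committed alongside it, which is exactly the combination reported here. The sample repository contents, the host address 203.0.113.10 and the dummy key body are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample repository modelled on the files described in the write-up.
# NOT the real leaked data: the address is a documentation IP and the key body is a dummy.
SAMPLE_REPO: Dict[str, str] = {
    "ssh/config": (
        "Host devenv\n"
        "    HostName 203.0.113.10\n"
        "    User ec2-user\n"
        "    Port 22\n"
        "    IdentityFile ~/configfiles/ssh/pkey.pem\n"
    ),
    "ssh/pkey.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "DUMMYKEYMATERIALDUMMYKEYMATERIALDUMMYKEYMATERIAL\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "ssh/id_ed25519.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMY user@host\n",
    "README.md": "# configfiles\nMy dotfiles.\n",
}

# PEM private-key header; covers the usual OpenSSL/OpenSSH labels. Public keys never match.
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# The ssh_config directives we care about (directive names are case-insensitive).
HOST_RE = re.compile(r"^\s*Host\s+(\S+)", re.IGNORECASE | re.MULTILINE)
HOSTNAME_RE = re.compile(r"^\s*HostName\s+(\S+)", re.IGNORECASE | re.MULTILINE)
IDENTITY_FILE_RE = re.compile(r"^\s*IdentityFile\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def find_private_keys(repo: Dict[str, str]) -> List[str]:
    """Return the paths of all files that contain a PEM private-key header."""
    return [path for path, body in repo.items() if PRIVATE_KEY_RE.search(body)]


def parse_ssh_config(body: str) -> List[Dict[str, str]]:
    """Minimal ssh_config parser: one dict per Host stanza with host, hostname, identityfile."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in body.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1)}
            stanzas.append(current)
            continue
        for key, rx in (("hostname", HOSTNAME_RE), ("identityfile", IDENTITY_FILE_RE)):
            m = rx.match(line)
            if m and current:
                current[key] = m.group(1)
    return stanzas


def scan_repo(repo: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag committed private keys (high) and ssh_config stanzas that reference one of them (critical)."""
    findings: List[Dict[str, str]] = []
    key_files = find_private_keys(repo)
    for path in key_files:
        findings.append({"severity": "high", "path": path, "reason": "PEM private key committed"})
    # Map key basenames so an IdentityFile like ~/configfiles/ssh/pkey.pem resolves to ssh/pkey.pem.
    key_by_basename = {p.rsplit("/", 1)[-1]: p for p in key_files}
    for path, body in repo.items():
        if not IDENTITY_FILE_RE.search(body):
            continue
        for stanza in parse_ssh_config(body):
            ident = stanza.get("identityfile")
            if not ident:
                continue
            base = ident.rsplit("/", 1)[-1]
            if base in key_by_basename:
                findings.append({
                    "severity": "critical",
                    "path": path,
                    "reason": (
                        f"Host {stanza['host']} ({stanza.get('hostname', '?')}) references "
                        f"committed private key {key_by_basename[base]}"
                    ),
                })
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"[{f['severity'].upper()}] {f['path']}: {f['reason']}")
```

Wired into a pre-commit hook (feed it the staged files instead of SAMPLE_REPO) this refuses the commit on any finding; the critical case matters most because a config stanza hands an attacker the host, user, port and key in one place, so rotating the key on the instance is the only real fix once it has been pushed.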
Well, that’s it. Share your thoughts: what do you think about how they handled that security issue? If you have any doubts, comments or suggestions, just drop me a line here or on Twitter @omespino. Read you later.