Owning an apk by gitlab exposure
"My latest Penetration Testing Project: I just had a mobile application (apk file) in hand to start. Starting the Project:
- Reverse Engineering the apk file.
- Checking the files (all JavaScript files were encrypted with extension .jsc).
- Searching for ‘xxtea’ key inside the files, found it and decrypted the jsc files.
- Reviewing the JS files and source code.
- Found Interesting IP Address.
- Port Scanning and Checking Open Source Intelligences.
- Found Open Port running GitLab.
- Gitlab allows registering a user with low privileges.
- Registered and accessed Gitlab with normal user.
- Found a vulnerability that allowed an authenticated user to view all users’ usernames.
- Found the username of the Administrator.
- Bypassed Rate Limit and brute-forced the password of the Admin Username.
- Found the password and accessed the Gitlab with High Privileged User.
- Found all Company Private Projects and Source Code.
- Downloaded all data from Gitlab.
- Started reviewing the Source Code of all their projects.
- Found a password.
- Reviewed the technologies used inside the source code.
- Found Redis used with its port.
- Tried to connect to redis with the password I found before. Successful connection occurred.
- Searched inside Redis for any useful information.
- Found a lot of user details.
- Found a Super Admin user with an encrypted password.
- Searched for the encryption type on the internet and decrypted the password successfully.
- Found another open port pointing to the Backend Management Panel.
- Tried to login with the username and decrypted password.
- Obtained successful login to the Backend management system.
- All Application information and user data found in this panel.
- I used Redis to escalate it into RCE.
- Successfully obtained Remote Code Execution to the Company Server.
- I owned the Whole Company 😎 Project finished! Duration: 5 days (5 hours a day)."
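The chain above only works because the Redis instance was reachable from the network and accepted a password that had leaked into source code, with its administrative commands still callable. The following audit script is an added example written from the defender's side; it is not code from the original write-up or from the Redis project. It parses a `redis.conf` and flags the three conditions that matter here: missing or short `requirepass`, a `bind` that exposes the port beyond localhost or `protected-mode` switched off, and `CONFIG`/`DEBUG`/`MODULE`/`SLAVEOF`/`REPLICAOF` left under their default names. The password-length threshold, the command list and both sample configs are assumptions constructed for the example.

```python
"""Audit a redis.conf for the settings that let a leaked password escalate
into host access: weak/no auth, network-wide exposure, and admin commands
left enabled.  Added example with constructed sample configs."""

from dataclasses import dataclass

# Assumption: commands that turn data access into file writes / code loading
# and should be renamed away (or denied via ACLs on Redis 6+).
DANGEROUS_COMMANDS = ("CONFIG", "DEBUG", "MODULE", "SLAVEOF", "REPLICAOF")
MIN_PASSWORD_LEN = 32  # assumption: shorter secrets are treated as weak
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_redis_conf(text: str) -> dict:
    """Return directives as lowercase name -> list of argument lists.
    A directive such as rename-command may legitimately appear many times,
    so every occurrence is kept in order.  Redis treats only whole-line
    '#' comments as comments, and so does this parser."""
    directives: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> list:
    """Return a list of Finding objects; an empty list means nothing flagged."""
    d = parse_redis_conf(text)
    findings = []

    # 1. Authentication: the last requirepass wins, as in Redis itself.
    passwords = d.get("requirepass", [])
    if not passwords or not passwords[-1] or passwords[-1][0] == '""':
        findings.append(Finding("high", "no requirepass: anyone who reaches the port has full access"))
    elif len(passwords[-1][0]) < MIN_PASSWORD_LEN:
        findings.append(Finding("medium", "requirepass is short: a leaked or guessed password gives full access"))

    # 2. Exposure: no bind line at all means all interfaces.
    binds = d.get("bind", [])
    if not binds or any(a.lstrip("-") in WILDCARD_BINDS for args in binds for a in args):
        findings.append(Finding("high", "bind exposes Redis on all interfaces; restrict to 127.0.0.1 or an internal address"))
    pm = d.get("protected-mode", [])
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append(Finding("medium", "protected-mode no: safety net for unauthenticated exposure is disabled"))

    # 3. Admin commands still callable under their default names.
    renamed = {args[0].upper() for args in d.get("rename-command", []) if args}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(Finding("high", f"{cmd} not renamed/disabled: with the password it can write files or load code"))
    return findings


# Constructed sample: the shape of config that turns a leaked password into RCE.
WEAK_CONF = """
# constructed example, not a real deployment
bind 0.0.0.0
protected-mode no
port 6379
requirepass hunter2
"""

# Constructed sample: the same service with the three weaknesses removed.
HARDENED_CONF = """
# constructed example, not a real deployment
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass c0nstructed-long-random-secret-for-example-0123456789
rename-command CONFIG ""
rename-command DEBUG ""
rename-command MODULE ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit_redis_conf(conf) or [Finding("info", "no findings")]:
            print(f"[{f.severity}] {f.message}")
```

On Redis 6 and later, ACL rules that deny these commands per user are the preferred control and `rename-command` is kept mainly for older deployments; the audit above checks only the config file, so an instance whose settings were changed at runtime with `CONFIG SET` needs a live `CONFIG GET` check as well.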
Advanced Reconnaissance and Web Application Discovery.
Dropping here some of my mindset relating to Reconnaissance.