DevOps Fail
Location: Balcony
Problem
Coalbox again, and I've got one more ask.
Sparkle Q. Redberry has fumbled a task.
Git pull and merging, she did all the day;
With all this gitting, some creds got away.
Urging - I scolded, "Don't put creds in git!"
She said, "Don't worry - you're having a fit.
If I did drop them then surely I could,
Upload some new code done up as one should."
Though I would like to believe this here elf,
I'm worried we've put some creds on a shelf.
Any who's curious might find our "oops,"
Please find it fast before some other snoops!

Find Sparkle's password, then run the runtoanswer tool.
elf@9092171c76b6:~$
Hints
Sparkle Redberry introduces this terminal:
Hi, I'm Sparkle Redberry!
Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.
I mean, I may have uploaded something sensitive earlier, but it's no big deal. I overwrote it!
Care to check my Cranberry Pi terminal and prove me right?
Sparkle also provides a link to a webpage on Git commands: https://gist.github.com/hofmannsven/6814451
Sparkle also provides a link to a webpage on finding passwords in git: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
Solution
Sparkle says she uploaded some sensitive data to the git repository, but removed it by overwriting it with other data. Unfortunately for Sparkle, we can view the change history of files that have been checked in. The first thing I do is check which files are present, then see whether the word "password" appears in any of them.
elf@b85bd43fa6ea:~/kcconfmgmt$ ls -la
total 72
drwxr-xr-x 1 elf elf  4096 Nov 14 09:48 .
drwxr-xr-x 1 elf elf  4096 Dec 14 16:30 ..
drwxr-xr-x 1 elf elf  4096 Nov 14 09:48 .git
-rw-r--r-- 1 elf elf    66 Nov  1 15:30 README.md
-rw-r--r-- 1 elf elf  1074 Nov  3 20:28 app.js
-rw-r--r-- 1 elf elf 31003 Nov 14 09:46 package-lock.json
-rw-r--r-- 1 elf elf   537 Nov 14 09:48 package.json
drwxr-xr-x 1 elf elf  4096 Nov  2 15:05 public
drwxr-xr-x 1 elf elf  4096 Nov  2 15:05 routes
drwxr-xr-x 1 elf elf  4096 Nov 14 09:47 server
drwxr-xr-x 1 elf elf  4096 Nov  2 15:05 views
elf@b85bd43fa6ea:~/kcconfmgmt$ grep -i -R password *
public/bower_components/purecss/src/forms/css/forms.css:.pure-form-stacked input[type="password"],
server/config/config.js.def: 'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
server/config/passport.js: // change default username and password, to email andpassword
server/config/passport.js: passwordField : 'password',
Looks like there are passwords stored in config.js.def and passport.js. Let's take a look at the commit logs and filter those specific lines with grep.
elf@71bcde2d228b:~/kcconfmgmt$ git log -p | egrep "(mongodb\:|passwordField)"
+ passwordField : 'password',
+ passwordField : 'password',
- 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+ 'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
- 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'
+ 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+ 'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'
Note
egrep is equivalent to grep -E. Grep's -E option allows you to use extended regular expressions, which gives you additional capabilities like specifying multiple search strings.
There's nothing interesting in passwordField, but the mongodb connection string has Sparkle's username and password as sredberry:twinkletwinkletwinkle.
elf@b85bd43fa6ea:~/kcconfmgmt$ runtoanswer
Loading, please wait......

Enter Sparkle Redberry's password: twinkletwinkletwinkle

This ain't "I told you so" time, but it's true:
I shake my head at the goofs we go through.
Everyone knows that the gits aren't the place;
Store your credentials in some safer space.

Congratulations!
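The history search above as a reusable audit for your own repositories, given as an added example that is not part of the original write-up: it parses `git log -p` output and reports each commit that added or removed a URI with embedded credentials, without echoing the secret. The sample log (abbreviated), its hashes, paths and credentials, and the placeholder list are constructed assumptions.

```python
import re
import sys

# Matches scheme://user:secret@ (credentials embedded in a connection URI).
CRED_URI = re.compile(r"([a-z][a-z0-9+.-]*)://([^:/@\s'\"]+):([^@/\s'\"]+)@", re.I)
PLACEHOLDERS = {"password", "changeme", "secret"}  # assumed template values to ignore
# Constructed, abbreviated `git log -p` output (hashes, paths, credentials are made up).
SAMPLE = """\
commit aaaaaaaa11111111

    Remove credentials from config

--- a/config/db.js
+++ b/config/db.js
@@ -1,3 +1,3 @@
 module.exports = {
-    'url' : 'mongodb://appuser:constructed-secret@127.0.0.1:27017/app'
+    'url' : 'mongodb://username:password@127.0.0.1:27017/app'
 };
commit bbbbbbbb22222222

    Add database config

--- /dev/null
+++ b/config/db.js
@@ -0,0 +1,3 @@
+module.exports = {
+    'url' : 'mongodb://appuser:constructed-secret@127.0.0.1:27017/app'
+};
"""

def scan_patch_log(lines):
    """Return (commit, file, '+' or '-', user) per credentialed URI; the secret is never echoed."""
    findings, commit, path = [], "?", "?"
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("commit "):
            commit = line.split()[1][:8]
        elif line.startswith(("--- ", "+++ ")) and line[4:] != "/dev/null":
            path = line[6:]              # drop the "a/" or "b/" prefix
        elif line[:1] in ("+", "-"):     # added or removed content line
            m = CRED_URI.search(line)
            if m and m.group(3).lower() not in PLACEHOLDERS:
                findings.append((commit, path, line[0], m.group(2)))
    return findings

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for commit, path, sign, user in scan_patch_log(source):
        print(f"{commit} {path} {sign} credentials for user '{user}'")
```

Piping `git log -p --all` into the script scans every branch; a "-" finding means the credential was overwritten in the working tree but is still recoverable from history, so it has to be rotated.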