
DevOps Fail

Location: Balcony

Problem

Coalbox again, and I've got one more ask.
Sparkle Q. Redberry has fumbled a task.
Git pull and merging, she did all the day;
With all this gitting, some creds got away.

Urging - I scolded, "Don't put creds in git!"
She said, "Don't worry - you're having a fit.
If I did drop them then surely I could,
Upload some new code done up as one should."

Though I would like to believe this here elf,
I'm worried we've put some creds on a shelf.
Any who's curious might find our "oops,"
Please find it fast before some other snoops!

Find Sparkle's password, then run the runtoanswer tool.
elf@9092171c76b6:~$ 

Hints

Sparkle Redberry introduces this terminal:

Hi, I'm Sparkle Redberry!

Ugh, can you believe that Elf Resources is poking around? Something about sensitive info in my git repo.

I mean, I may have uploaded something sensitive earlier, but it's no big deal. I overwrote it!

Care to check my Cranberry Pi terminal and prove me right?

Sparkle also provides a link to a webpage on Git commands: https://gist.github.com/hofmannsven/6814451

Sparkle also provides a link to a webpage on finding passwords in git: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/

Solution

Sparkle says she uploaded some sensitive data to the git repository, but removed it by overwriting it with other data. Unfortunately for Sparkle, we can view the change history of files that have been checked in. The first thing I do is check which files are present, then see whether the word "password" appears in any of them.

elf@b85bd43fa6ea:~/kcconfmgmt$ ls -la 
total 72
drwxr-xr-x 1 elf elf  4096 Nov 14 09:48 .
drwxr-xr-x 1 elf elf  4096 Dec 14 16:30 ..
drwxr-xr-x 1 elf elf  4096 Nov 14 09:48 .git
-rw-r--r-- 1 elf elf    66 Nov  1 15:30 README.md
-rw-r--r-- 1 elf elf  1074 Nov  3 20:28 app.js
-rw-r--r-- 1 elf elf 31003 Nov 14 09:46 package-lock.json
-rw-r--r-- 1 elf elf   537 Nov 14 09:48 package.json
drwxr-xr-x 1 elf elf  4096 Nov  2 15:05 public
drwxr-xr-x 1 elf elf  4096 Nov  2 15:05 routes
drwxr-xr-x 1 elf elf  4096 Nov 14 09:47 server
drwxr-xr-x 1 elf elf  4096 Nov  2 15:05 views

elf@b85bd43fa6ea:~/kcconfmgmt$ grep -i -R password *
public/bower_components/purecss/src/forms/css/forms.css:.pure-form-stacked input[type="password"],
server/config/config.js.def:    'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
server/config/passport.js:    // change default username and password, to email andpassword
server/config/passport.js:    passwordField : 'password',

Looks like there are password references in config.js.def and passport.js. Let's take a look at the commit logs and filter for those specific lines with grep.

elf@71bcde2d228b:~/kcconfmgmt$ git log -p | egrep "(mongodb\:|passwordField)"
+    passwordField : 'password',
+    passwordField : 'password',
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+    'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'
+    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'

Note

egrep is equivalent to grep -E. Grep's -E option allows you to use extended regular expressions, which give you additional capabilities like specifying multiple search strings with alternation, as in (a|b).

There's nothing interesting in passwordField, but the mongodb connection string has Sparkle's username and password as sredberry:twinkletwinkletwinkle.
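For auditing your own repositories, here is the same check as an added example (not part of the original write-up): it reads `git log -p` text, attributes every credential-bearing URI to its commit and file, and flags secrets that were overwritten but remain in history. The function names, the placeholder list, and the sample log (commit ids, file layout) are constructed for illustration.

```python
import re

# Constructed `git log -p` excerpt (newest commit first), shaped like the output
# above. Commit ids and file layout are made up; diff headers are abbreviated.
SAMPLE_LOG = """\
commit c3c3c3c
+++ b/server/config/config.js.def
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
+    'url' : 'mongodb://username:password@127.0.0.1:27017/node-api'
commit b2b2b2b
+++ b/server/config/config.js.def
-    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'
+    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:27017/node-api'
commit a1a1a1a
+++ b/server/config/config.js.def
+    'url' : 'mongodb://sredberry:twinkletwinkletwinkle@127.0.0.1:10073/node-api'
"""

CRED_URI = re.compile(r"[a-z][a-z0-9+.-]*://([^\s:/@'\"]+):([^\s/@'\"]+)@", re.I)
PLACEHOLDERS = {"password", "changeme", "secret"}  # assumed template values to skip

def scan_history(log_text):
    """Return (commit, path, op, user, password) for each changed line with a credential URI."""
    hits, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith(("--- a/", "+++ b/")):   # file headers, not content
            path = line[6:]
        elif line.startswith(("+", "-")):             # added or removed content
            for user, pw in CRED_URI.findall(line):
                if pw.lower() not in PLACEHOLDERS:
                    hits.append((commit, path, line[0], user, pw))
    return hits

def summarize(log_text):
    """Per secret: commits mentioning it (newest first) and whether the newest only removes it."""
    report = {}
    for commit, _path, op, user, pw in scan_history(log_text):
        entry = report.setdefault((user, pw), {"commits": [], "newest_ops": set()})
        if commit not in entry["commits"]:
            entry["commits"].append(commit)
        if commit == entry["commits"][0]:
            entry["newest_ops"].add(op)
    return {k: {"commits": v["commits"], "overwritten": v["newest_ops"] == {"-"}}
            for k, v in report.items()}

if __name__ == "__main__":
    for (user, _pw), info in summarize(SAMPLE_LOG).items():
        print(user, "overwritten, still in history" if info["overwritten"] else "in tree", info["commits"])
```

A secret reported as overwritten is still readable by anyone with the repository, so it needs to be rotated, not just replaced in the latest commit.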

elf@b85bd43fa6ea:~/kcconfmgmt$ runtoanswer 
Loading, please wait......
Enter Sparkle Redberry's password: twinkletwinkletwinkle

This ain't "I told you so" time, but it's true:
I shake my head at the goofs we go through.
Everyone knows that the gits aren't the place;
Store your credentials in some safer space.

Congratulations!