Root access through TeamCity

GitHub had just been hit by the largest DDoS attack on record, and it got a little discussion in the general chat room in the evening. It turned out that very few people know about the remarkable search engines shodan.io and censys.io.
 
 
Well, out of curiosity, purely for the wow effect, I searched for TeamCity (hereafter TC), because I remembered a nice registration bug in older versions.
 
 
As it turned out, it didn't even need to be used, because in many cases the administrators had not closed registration, and on some servers access was available as guest.
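The two exposures described above (guest login left on, self-registration left open) are easy to check on your own TeamCity servers before someone finds them on Shodan. The script below is an added example and not code from the original post; it relies on two TeamCity URL paths, the guest-auth prefix in front of the REST API (/guestAuth/...) and the self-registration page (/registerUser.html). The body markers used to confirm each response are heuristics, i.e. my assumptions, and the fetch function is injectable so the decision logic can be tested offline with constructed responses.

```python
"""Self-check: does a TeamCity server expose guest login or self-registration?

Added example, not code from the original post. It relies on two TeamCity
URL paths: the guest-auth prefix (/guestAuth/...) in front of the REST API and
the self-registration page (/registerUser.html). The body markers used to
confirm each response are heuristics, i.e. assumptions; a redesigned login
page could require adjusting them.
"""
import sys
import urllib.error
import urllib.request

GUEST_PATH = "/guestAuth/app/rest/server"  # answers only when "guest login" is enabled
REGISTER_PATH = "/registerUser.html"       # self-registration form, enabled by default
GUEST_MARKER = "<server"                   # REST /server answers with an XML <server ...> element
REGISTER_MARKER = "registerUser"           # heuristic (assumption): the form posts back to itself


def http_get(url, timeout=10):
    """GET a URL and return (status, body); HTTP and network errors become (code, text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "teamcity-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


def probe_teamcity(base_url, fetch=http_get):
    """Return {"guest_login", "self_registration", "exposed"} for one server.

    `fetch` is injectable so the decision logic can be exercised offline with
    constructed responses instead of a live server."""
    base = base_url.rstrip("/")
    guest_status, guest_body = fetch(base + GUEST_PATH)
    reg_status, reg_body = fetch(base + REGISTER_PATH)

    # A locked-down server answers the guest path with 401/403 or a redirect
    # to the login page, never with the REST <server> element.
    guest_login = guest_status == 200 and GUEST_MARKER in guest_body
    # With registration disabled TeamCity does not serve the registration form.
    self_registration = reg_status == 200 and REGISTER_MARKER in reg_body
    return {
        "guest_login": guest_login,
        "self_registration": self_registration,
        "exposed": guest_login or self_registration,
    }


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} https://teamcity.example.test [more urls...]")
        return 2
    worst = 0
    for url in argv[1:]:
        result = probe_teamcity(url)
        flags = [k for k in ("guest_login", "self_registration") if result[k]]
        verdict = "EXPOSED " + ",".join(flags) if result["exposed"] else "ok"
        print(f"{url}: {verdict}")
        worst = max(worst, int(result["exposed"]))
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against your own instances only; the exit code is non-zero when anything is flagged, so it drops into a nightly job without extra glue.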
 
robomongo.org
 
 
 
I didn't dig deep into the database, because the word "analytics" brings on boredom.
 
I couldn't get into TFS: the login clearly isn't web-based, and digging through the API is boring too. Not the most interesting project, but it's enough for a demonstration)
 
I pulled the developers' e-mail from there and wrote to them; no answer.
 
If the artifacts were not available, you can always look at the change log.
 

 

 
 
I was surprised by projects where the passwords are simple words; here at least there is a prefix
 
I remember once coming across a password: take a look around, it's just funny
 
Also, a certain category of people prefer to store all the settings right in the code.

 
 
Now to the most interesting part: there is a project, triplay.com
 
Their products: emusic.com, estories.com, mydigipack.com, mymusiccloud.com and more. The Android app has 1,000,000+ installs; for the Apple one I couldn't figure out where the download count is shown.
 
 
And of course their TeamCity was open from the outside, and registration was open too.

 
 
120 builds, but the artifacts weren't everywhere, probably to save space. There is, however, a common project where all the artifacts come together, and the server ones were quite self-explanatory, which was enough:
 

 
 
OK, I download the file, and I'm not exactly surprised
 

 

 
 
I had to install it and check the connection to the Oracle database (just a quick connection from the IDE; ugh, damn, why not Postgres)
 

 
 
Of course, even though the prefix prod was specified everywhere in the configs, without explicitly checking it was impossible to say for sure)
 

 
And of course, the mailbox I used to write about the problem got blocked (I only showed screenshots, not the script, because I didn't want people from support getting access to a database with 691k accounts, downloading it all at home, and who knows what they could do with it. The scenario is a bit far-fetched, but it's better to ask for an admin/developer contact).
 
In theory, with full access to the database you could simply replace someone else's password hash/salt and log in as them.
 
 
But I just read the data and left it at that, writing to the official support, who told me that everything would be reviewed and passed on to a specialist who would respond in the order of the queue. And then silence.
 
 
A few days later they closed access to the database, but not to TC. I checked the mail: no questions, no thanks.
 
 
Well, OK, I went on checking, and in the artifacts I found a project containing scripts which, it seems, get into TC from somewhere outside and then start the build themselves.
 

 

 
 
So it was, plus another login/password for TC
 
It was hard to believe, but OK: telnet shows port 22 is open, I try ssh, but wait, which login?
 

 
 
Voilà
 
ssh -p 22 -i triplay-deployer-priv [email protected]
 
 
A bit surprised by how available the access was, OK. I looked around in the console, looked at the hosts (35 machines registered) and some keys (I'm not great with *nix, but with root access it's already clear you can do whatever you want, given the desire).
 
I found a test domain plus a specific machine (and, it seems, an SSL certificate).
 

 
In the screenshot above, by the way, I'm hopping from one server to another, because that one wasn't reachable over SSH from outside. And there were, of course, tons of such machines; imagine the size of the infrastructure.
 
And I left a file with a special greeting (with typos, sorry, I already wanted to sleep).
 

 
 
After the next e-mail they shut it down.
 
 
But that wasn't the end of it: the guys had a test account
 
I logged in with it.
 
It turned out you can get tracks for free. Well, I hit F12 on everything, and here is what I see:
 
{
  "trackId": 155922934,
  "quality": "SD",
  "dailyDownloadPurchase": false,
  "freeTrackPurchase": true
}

 
No, this isn't an April Fool's joke: whether a track is free or has to be bought is decided on the frontend by the freeTrackPurchase flag
 
The purchase demo:

 

 

 

 
And now the nuance: apparently it works not for all accounts but for a particular test one)), but with access to it you can "buy" every track. And anyway, they're all available without authorization (there is a special URL; info from the database, checked)
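The two defects above, the free-or-paid decision taken in the browser from a freeTrackPurchase flag and a static download URL that works without authorization, have the same fix: the server decides, and the URL it hands out is bound to the user, the track and an expiry. The following is an added example of that fix and not the vendor's code or the post's. The data model (a free catalogue, a purchases table, a daily pass) and the HMAC-signed URL scheme are my assumptions; user and track identifiers are made up, except the trackId from the JSON above.

```python
"""Deciding "free or paid" on the server, not in the frontend.

Added example, not code from the original post or the vendor. The data model
(free catalogue, purchases, daily pass) and the signed-URL scheme are
assumptions made to illustrate the fix; identifiers are constructed.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def client_side_decision(track_json):
    """The pattern from the post: trust a flag the server handed to the browser.
    Anyone can flip it in devtools, so it must not gate anything of value."""
    return bool(track_json.get("freeTrackPurchase"))


class Store:
    """Constructed in-memory stand-in for the server's own records."""

    def __init__(self, free_tracks, purchases, daily_pass_until):
        self.free_tracks = set(free_tracks)              # track_ids that really are free
        self.purchases = set(purchases)                  # (user_id, track_id) already paid for
        self.daily_pass_until = dict(daily_pass_until)   # user_id -> unix time the pass expires


def server_authorize(user_id, track_id, store, now):
    """Entitlement comes from server state only; client JSON is never consulted."""
    if track_id in store.free_tracks:
        return True
    if (user_id, track_id) in store.purchases:
        return True
    return store.daily_pass_until.get(user_id, 0) > now


def _signature(user_id, track_id, expires, secret):
    # canonical, sorted query string so the signer and verifier hash identical bytes
    msg = urlencode(sorted({"u": user_id, "t": track_id, "e": expires}.items())).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_download_url(base, user_id, track_id, secret, now, ttl=300):
    """Issue a short-lived URL tied to one user and one track, so the "special URL"
    cannot be shared around or used without having passed authorization."""
    expires = int(now) + ttl
    params = {"u": user_id, "t": track_id, "e": expires}
    return f"{base}?{urlencode(params)}&sig={_signature(user_id, track_id, expires, secret)}"


def verify_download_url(url, secret, now):
    """Return (user_id, track_id) the URL grants, or None if tampered with or expired."""
    q = parse_qs(urlsplit(url).query)
    try:
        user_id, track_id, expires, sig = q["u"][0], int(q["t"][0]), int(q["e"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None
    expected = _signature(user_id, track_id, expires, secret)
    if not hmac.compare_digest(expected, sig) or expires < now:
        return None
    return user_id, track_id


def download_track(user_id, track_id, store, secret, now, base="https://cdn.example.test/dl"):
    """What the download endpoint should do: authorize first, then mint a signed URL."""
    if not server_authorize(user_id, track_id, store, now):
        return None
    return sign_download_url(base, user_id, track_id, secret, now)


if __name__ == "__main__":
    demo_store = Store(free_tracks={1}, purchases={("alice", 155922934)}, daily_pass_until={})
    print(download_track("alice", 155922934, demo_store, b"demo-secret", 1_700_000_000))
    print(download_track("mallory", 155922934, demo_store, b"demo-secret", 1_700_000_000))
```

The CDN or file server only needs the shared secret and the clock to enforce the URL; it never talks to the purchases table, which is what keeps the download path both unauthenticated in the HTTP sense and still authorized.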
 
 
What mistakes the guys made:
 
  1. Purely internal resources were exposed to the whole world (DB, TeamCity, SSH)  
  2. Even where there was a need for that, no whitelist for connections was set up  
  3. Connecting as root from the outside is a so-so idea as well  
  4. Moreover, the certificate for that root access was added to the project!  
  5. All credentials and keys are stored in files and duplicated across projects (AWS, PayPal, etc.; the template is put here ), rather than keeping a single connection to a configuration service  
  6. And most importantly, registration was allowed in TeamCity, which is in fact where it all started  
  7. And on top of that, there were also apps for the Google/Apple stores, and the corresponding certificates and source code were lying right there  

 
So, if you have any products that are reachable from outside, think about how outsiders could misuse them, and prevent it.
 
And the main application should be designed and built so that "the application's code base can be made public at any time without compromising any private data".
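The cheapest way to approach that standard is to treat every build artifact as if it were already public and scan it before publishing. The scanner below is an added example, not the post's or any vendor's tooling. Its patterns and the constructed sample artifact tree are my assumptions, chosen to mirror what the post found: a private SSH key, an Oracle JDBC string with the password embedded and a prod host, a plain-text password in a config file, and a cloud access key. The AWS key in the sample is the documented placeholder value, not a real credential.

```python
"""Scan a build-artifact tree for credentials before it is published.

Added example, not the post's or any vendor's code. Patterns and the
constructed sample files are assumptions chosen to mirror what the post
describes (private SSH keys, Oracle JDBC strings with embedded passwords,
plain-text passwords and cloud keys sitting in config files).
"""
import os
import re
import sys
import tempfile

# (finding name, regex), ordered from most to least specific
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # jdbc:oracle:thin:user/password@host:port:sid  (credentials embedded in the URL)
    ("jdbc_embedded_creds", re.compile(r"jdbc:\w+:\w+:[^\s/@:]+/[^\s@]+@", re.I)),
    # key=value or "key": value lines whose key ends in pass/password
    ("password_assignment", re.compile(r"(?i)^\s*[\"']?[\w.]*pass(word)?[\"']?\s*[=:]\s*\S+")),
]
PROD_MARKER = re.compile(r"\bprod(uction)?\b", re.I)
SCANNED_SUFFIXES = (".properties", ".yml", ".yaml", ".json", ".xml", ".conf",
                    ".cfg", ".env", ".sh", ".pem", ".key", ".txt", "")


def scan_text(path, text):
    """Return a list of (path, finding, line_no, line) for one file's content."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS:
            if rx.search(line):
                # a prod marker on the same line raises the stakes; record it in the tag
                tag = name + ("+prod" if PROD_MARKER.search(line) else "")
                findings.append((path, tag, no, line.strip()))
                break  # one finding per line is enough for triage
    return findings


def scan_tree(root):
    """Walk an artifact directory and scan every text-like file in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if os.path.splitext(fn)[1].lower() not in SCANNED_SUFFIXES:
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return findings


# Constructed sample artifact modelled on the post; the AWS key is the documented
# placeholder value, the private key body is a stub, nothing here is real.
SAMPLE_FILES = {
    "server/app.properties": (
        "spring.datasource.url=jdbc:oracle:thin:app/Secret123@db-prod.internal:1521:ORCL\n"
        "server.port=8080\n"
    ),
    "deploy/deployer-priv": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...constructed...\n-----END RSA PRIVATE KEY-----\n"
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=eu-west-1\n",
    "web/config.json": '{\n  "paypal": {\n    "password": "pp-s3cret"\n  }\n}\n',
    "README.txt": "Build artifacts for demo purposes.\n",
}


def build_sample_tree():
    """Write the constructed sample into a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="artifact-scan-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    hits = scan_tree(target)
    for path, tag, no, line in hits:
        print(f"{path}:{no}: {tag}: {line[:80]}")
    sys.exit(1 if hits else 0)
```

Wire it into the build as a step that fails the job on any hit; a secret that trips it belongs in the CI server's secure parameters or a configuration service, not in the artifact.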
 
 
And know the products you work with, for example:
 
  • rabbit: default login/password guest/guest  
  • redis: no authorization at all by default, and lets you do things like this  
  • teamcity: registration is allowed by default.  
  • and the list goes on, including that same memcached, reachable from outside, that took down GitHub)  

 
What is happiness for you?
 
It varies:
 
0. Silence, a book, juice
 
1. Wife, table, cat
 
2. Cafe, cider, a friend
 
3. Code, work, root access

Comments (10)

master seo, 11 November 2018 11:09
This is truly a great read for me. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work!. Portland OR

morning world, 12 November 2018 08:26
It was a very good post indeed. I thoroughly enjoyed reading it in my lunch time. Will surely come and visit this blog more often. Thanks for sharing. טיולים מאורגנים

fuzailfaisal, 9 December 2018 18:29
This is such a great resource that you are providing and you give it away for free. I love seeing blog that understand the value of providing a quality resource for free. Oscar awards 2019 venue

life time, 12 December 2018 15:42
This is my first time i visit here. I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here keep up the good work Reliability Improvement

Positive site, where did u come up with the information on this posting? I'm pleased I discovered it though, ill be checking back soon to find out what additional posts you include. חופשת פסח

fuzail faisal, 13 December 2018 16:57
This is a great article thanks for sharing this informative information. I will visit your blog regularly for some latest post. palomino RV trailer in mo

morning world, 20 December 2018 14:42
Thanks for providing recent updates regarding the concern, I look forward to read more. Mywalmart

fuzail faisal, 22 December 2018 14:32
This is a great inspiring article. I am pretty much pleased with your good work. You put really very helpful information. Keep it up. Keep blogging. Looking to reading your next post. classic rock

fuzail faisal, 24 December 2018 10:54
Only aspire to mention ones content can be as incredible. This clarity with your post is superb and that i may think you're a guru for this issue. High-quality along with your concur permit me to to seize your current give to keep modified by using approaching blog post. Thanks a lot hundreds of along with you should go on the pleasurable get the job done. onlinemusicpromotion

voyance 15, 12 January 2019 13:44
Interesting and amazing how your post is! It Is Useful and helpful for me That I like it very much, and I am looking forward to Hearing from your next.. voyance 15

fuzailfaisal, 12 January 2019 15:59
Great post, and great website. Thanks for the information! דילים לחול