Root access through TeamCity

GitHub was under the largest DDoS attack, and it was discussed a little in the general chat room in the evening. It turned out that very few people know about the remarkable search engines shodan.io and censys.io.

Well, out of pure curiosity, purely for the wow effect, I searched for TeamCity (hereafter TC), since I remembered a nice bug with registration in older versions.

As it turned out, it did not even need to be used, because in many cases administrators had not closed registration, and on some instances access was available as guest.

robomongo.org
I did not dig far into the database, because the word "analytics" brings on boredom.

I could not get into TFS; the login is definitely not the web one, and reading through the API is also boring for a project that is not the most interesting, but for a demonstration it is enough.

The developers' e-mail addresses were found there; I wrote to them, no answer.

If the artifacts were not available, you can always look at the change log.
I was surprised by projects where passwords are simple words; here at least there is a prefix

I remember once catching a password, take a look around, it is just funny.

Also, a certain category of people prefer to store all the settings right in the code.
Now to the most interesting part: there is a project, triplay.com.

Their products: emusic.com, estories.com, mydigipack.com, mymusiccloud.com and more. The Android application has 1,000,000+ installs; for the Apple one I could not figure out where the number of downloads is shown.

And of course, their TeamCity was open from the outside, and registration was open too.
120 builds, but artifacts were not kept everywhere, probably to save space. There is, however, a common project where all the artifacts come together, and the server ones were quite self-explanatory, which was enough:

OK, I download the file and am not at all surprised:
I had to install it and check the connection to Oracle (just to have a simple look from the IDE; ugh, why not Postgres).

Of course, even though the prod prefix was specified everywhere in the configs, without explicitly verifying it one could not say for sure.
And of course, they blocked the mail address from which I wrote about the problem (I showed only the screenshots, not the script, because I did not want the support people to get access to the database, with its 691k accounts, dump it all at home, and who knows what they could do with it. The scenario is a bit far-fetched, but it is better to ask for an admin/developer contact).

In theory, with full access to the database, one could simply replace someone else's password hash/salt and log in as them.

But I only read the data and stopped there, writing to the official support, which told me that everything would be reviewed and passed to a specialist who would respond in order of the queue, and then silence.

A few days later they closed access to the database, but not to TC. I checked the mail: no questions, no thanks.

Well, OK, I went on checking, and in the artifacts I found a project containing scripts that apparently get into TC from somewhere outside and then start the build themselves.
So it was, plus another login/password for TC.

It was hard to believe, but OK: telnet to port 22 works, I try ssh, but wait, what login?
Voilà:

ssh -p 22 -i triplay-deployer-priv [email protected]
A bit surprised that access worked, I looked around in the console, looked at the hosts (35 machines registered) and some keys (I am not very good with *nix, but with root access it is already clear that you can do whatever you want, given the desire).

I found a test domain plus a specific machine (and, it seems, an SSL certificate).
The screenshot above, by the way, shows me going from one server to another, because that one was not reachable over ssh from outside. And there were, of course, tons of such machines there; imagine the size of the infrastructure.

And I left a file with a special greeting (with typos, sorry, I already wanted to sleep).
After the next letter they shut it down.

But that was not all: the guys had a test account.

I logged in with it.

It turned out you can get a track for free. Well, I press F12 as always, and what do I see in the response:
 
{
"trackId": 155922934,
"quality": "SD",
"dailyDownloadPurchase": false,
"freeTrackPurchase": true
}
 
No, this is not an April Fool's joke: whether a track is free or has to be bought is decided on the frontend by the freeTrackPurchase flag.

Demo of the purchase:
And now the nuance: apparently this works not for all accounts but for a particular test one, but with access to it you can "buy" all the tracks. And, what the heck, they are all available without authorization anyway (there is a special URL; info from the database, checked).
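The fix for the freeTrackPurchase problem is that the server decides entitlement from its own records and hands out a link that cannot be reused or guessed. The following is an added example, not triplay's code: it assumes a hypothetical Account/Track model, an HMAC-signed short-lived download URL instead of a static "special URL", and a rule that test accounts only work outside production. The client's JSON (freeTrackPurchase and friends) is accepted as a parameter purely to show that it is never consulted; the trackId is the one from the post, everything else is constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed demo key; in a real service it comes from a secret store and is rotated.
SIGNING_KEY = b"constructed-demo-signing-key"
URL_TTL_SECONDS = 600  # a download link stays valid for ten minutes


@dataclass
class Account:
    account_id: str
    role: str                                   # "customer" or "test" (hypothetical roles)
    purchased_tracks: set = field(default_factory=set)
    daily_pass_until: float = 0.0               # epoch seconds; 0 means no day pass


@dataclass
class Track:
    track_id: int
    price_cents: int                            # 0 means the track is free for everyone


def is_entitled(account: Account, track: Track, now: float, environment: str) -> bool:
    """Server-side decision from server-side records. Client flags are not an input."""
    if account.role == "test":
        # Test accounts may download anything, but never in production.
        return environment != "production"
    if track.price_cents == 0:
        return True
    if track.track_id in account.purchased_tracks:
        return True
    return account.daily_pass_until > now


def _sign(account_id: str, track_id, expires: int) -> str:
    # The signature binds account, track and expiry together, so none can be swapped.
    message = f"{account_id}:{track_id}:{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def authorize_download(account: Account, track: Track, client_claims: dict,
                       now: float, environment: str = "production"):
    """Return a short-lived signed URL, or None if the account is not entitled.

    client_claims is the JSON the browser would send back ({"freeTrackPurchase": true}).
    It is deliberately ignored: the frontend never gets to decide what is free.
    """
    if not is_entitled(account, track, now, environment):
        return None
    expires = int(now) + URL_TTL_SECONDS
    sig = _sign(account.account_id, track.track_id, expires)
    return f"/download/{track.track_id}?acct={account.account_id}&exp={expires}&sig={sig}"


def verify_download_url(url: str, now: float) -> bool:
    """What the download endpoint checks: expiry, then the signature over (account, track, expiry)."""
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "download":
        return False
    query = parse_qs(parsed.query)
    try:
        account_id = query["acct"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    return hmac.compare_digest(sig, _sign(account_id, parts[1], expires))


if __name__ == "__main__":
    now = time.time()
    customer = Account("u1", "customer")
    paid = Track(155922934, 99)
    print(authorize_download(customer, paid, {"freeTrackPurchase": True}, now))  # None
    customer.purchased_tracks.add(paid.track_id)
    link = authorize_download(customer, paid, {}, now)
    print(link, verify_download_url(link, now))
```

Because the endpoint verifies the HMAC rather than looking up a "special URL", a link copied from one session expires on its own and cannot be edited to point at another track or another account.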
 
 
What mistakes the guys made:

  1. Purely internal resources were exposed to the whole world (DB, TeamCity, SSH)  
  2. Even if there is such a need, no whitelist for connections was set up  
  3. Connecting as root from the outside is a rather poor idea  
  4. Moreover, adding a certificate for this from root into the project!  
  5. All credentials and keys are stored in files and copied across projects (AWS, PayPal, etc.; the template is shown here), rather than keeping a single connection to a configuration service  
  6. And most importantly, registration was allowed in TeamCity, which is in fact where it all started  
  7. And on top of that, there were also applications for the Google/Apple stores, and the corresponding certificates and source code were right there  
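Point 5 is the one that turns an open build server into database and SSH access: every artifact carried its credentials along. A cheap control is to scan what the build produces before it is published and refuse anything that looks like a secret, while the application reads its secrets from the environment or a configuration service at start-up. The code below is an added example, not the project's own tooling; the artifact contents, file names and regex heuristics are constructed for illustration, and `load_secret` stands in for whatever lookup the real configuration service provides.

```python
import re

# Constructed sample artifact contents; none of these are real credentials.
SAMPLE_ARTIFACTS = {
    "WebApp/appsettings.prod.json":
        '{"ConnectionString": "Data Source=db.prod.internal;User Id=app;Password=Prod_Summer2018"}',
    "Deploy/aws.properties":
        "aws.accessKeyId=AKIAEXAMPLEEXAMPLE01\n"
        "aws.secretAccessKey=abcdEXAMPLEsecretEXAMPLEsecretEXAMPLE123\n",
    "Deploy/id_rsa_deploy":
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "WebApp/README.md":
        "Build with `dotnet build`. Secrets come from the environment, not from this repo.\n",
}

# Heuristic patterns (constructed for this example); tune them to your own stack.
PATTERNS = [
    ("password in connection string", re.compile(r"(?i)\bpassword\s*=\s*[^;\"'\s]+")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("secret/token assignment", re.compile(r"(?i)\b\w*(secret|api[_-]?key|token)\w*\s*[=:]\s*\S{8,}")),
]


def redact(value: str) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return value[:8] + "..." if len(value) > 8 else value


def scan_text(path: str, text: str) -> list:
    """Return one finding per (line, pattern) hit in a single artifact file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"path": path, "line": line_no, "kind": kind,
                                 "snippet": redact(match.group(0))})
    return findings


def scan_artifacts(files: dict) -> list:
    """Scan a mapping of path -> file contents (what a CI step would read from the artifact dir)."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def load_secret(name: str, env: dict) -> str:
    """The alternative to baking credentials into the artifact: resolve them at start-up.

    env is the process environment (or a dict fetched from a configuration service).
    Refusing to start beats silently falling back to a value shipped in a file.
    """
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name} not provided by the environment/config service")
    return value


if __name__ == "__main__":
    for f in scan_artifacts(SAMPLE_ARTIFACTS):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['snippet']})")
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "from-the-vault"}))
```

Wired into the build as a step that fails on any finding, this catches the appsettings, AWS and private-key cases from the sample before they reach the artifact store, and leaves the README alone.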

 
Therefore, if you have any products available from outside, think about how outsiders could misuse them and prevent it.

And the main application should be designed and built so that "the application's code base could be opened to the public at any time without compromising any private data".
 
 
And know the products you work with, for example:

  • RabbitMQ: default login/password guest/guest  
  • Redis: no authorization at all by default, and it lets you do things like this  
  • TeamCity: registration is allowed by default  
  • and the list goes on, including the same memcached that, being accessible from outside, was used to flood GitHub  
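The defaults in that list are visible in plain config files, so they can be checked mechanically before a host goes live. The audit below is an added example, not from the post or any of those projects: it lints constructed redis.conf, rabbitmq.conf and Debian-style /etc/memcached.conf snippets for the weak settings named above (missing `requirepass`, `bind` on all interfaces, `protected-mode no`; `loopback_users = none`, which lifts the localhost-only restriction on RabbitMQ's guest account; memcached without `-l 127.0.0.1` or `-U 0`). TeamCity's registration switch lives in its admin UI rather than a text file, so it is not covered here; the memcached check treats UDP as enabled unless `-U 0` is present, the conservative reading for older builds.

```python
# Constructed sample configs showing the weak defaults beside hardened versions.
WEAK_REDIS_CONF = """\
# redis.conf as many people run it: no password, every interface
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_PASSWORD
"""
WEAK_RABBITMQ_CONF = """\
# rabbitmq.conf: lifting the loopback restriction lets guest/guest log in remotely
loopback_users = none
listeners.tcp.default = 5672
"""
HARDENED_RABBITMQ_CONF = """\
listeners.tcp.default = 5672
"""
WEAK_MEMCACHED_CONF = """\
-p 11211
-m 64
"""
HARDENED_MEMCACHED_CONF = """\
-p 11211
-m 64
-l 127.0.0.1
-U 0
"""


def _directives(text: str):
    """Yield (key, value) for non-comment lines; accepts 'key value' and 'key = value'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        yield key, value


def audit_redis(text: str) -> list:
    conf = dict(_directives(text))
    findings = []
    if "requirepass" not in conf:
        findings.append("redis: no requirepass, anyone who can connect has full access")
    bind = conf.get("bind", "")  # absent bind means all interfaces
    if not bind or any(addr in ("0.0.0.0", "*", "::") for addr in bind.split()):
        findings.append("redis: bound to all interfaces")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    return findings


def audit_rabbitmq(text: str) -> list:
    conf = dict(_directives(text))
    findings = []
    if conf.get("loopback_users", "").lower() == "none":
        findings.append("rabbitmq: guest/guest usable from remote hosts (loopback_users = none)")
    return findings


def audit_memcached(text: str) -> list:
    opts = dict(_directives(text))  # each line is one command-line option
    findings = []
    if opts.get("-l", "") in ("", "0.0.0.0", "::"):
        findings.append("memcached: listening on all interfaces (no -l 127.0.0.1)")
    if opts.get("-U") != "0":
        findings.append("memcached: UDP not explicitly disabled (no -U 0), amplification risk")
    return findings


def audit_all(redis_conf: str, rabbitmq_conf: str, memcached_conf: str) -> list:
    return audit_redis(redis_conf) + audit_rabbitmq(rabbitmq_conf) + audit_memcached(memcached_conf)


if __name__ == "__main__":
    for finding in audit_all(WEAK_REDIS_CONF, WEAK_RABBITMQ_CONF, WEAK_MEMCACHED_CONF):
        print("WEAK:", finding)
    print("hardened:", audit_all(HARDENED_REDIS_CONF, HARDENED_RABBITMQ_CONF, HARDENED_MEMCACHED_CONF))
```

Binding to loopback and requiring a password is the per-service half; the other half is the connection whitelist from the mistake list, which a host firewall or security group enforces regardless of what the service itself allows.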

 
What is happiness for you?

It depends:
 
0. Silence, the book, the juice
 
1. Wife, table, cat,
 
2. Cafe, cider, friend
 
3. Code, work, root access
 