Internal Domain Admin Credentials Leaked in GitHub

In March, I was learning a bit more about GitHub dorking. I went through write-ups, blogs and videos on the subject. After spending some time on them, I had an itch to try it against a real-world target, so I searched for responsible disclosure programs with the following Google dork:

site:com intext:responsible disclosure

I picked a target at random and started GitHub dorking within the given scope. After trying a bunch of dorks, including the following:

"target.com" password

"target" password

"target.com" path:env

I landed on a var.tf file on GitHub. Looking inside the file, I found a domain admin username and password together with the vsphere_server IP address, all associated with the organization's TLD.
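The defensive counterpart to this finding is a check that refuses to commit a Terraform variables file with a plaintext default on a credential or endpoint variable. The example below is added here and is not from the post or the affected organization; the sample var.tf it scans is constructed, and the variable-name patterns are an assumption about what commonly carries secrets.

```python
import re

# Constructed sample in the shape of the var.tf described in the post; the
# variable names and values are made up for this example, not from the report.
SAMPLE_VAR_TF = '''
variable "vsphere_server" {
  description = "vCenter endpoint"
  default     = "10.0.0.5"
}
variable "vsphere_user" {
  default = "corp-admin"
}
variable "vsphere_password" {
  default = "S3cr3t-Pl4c3h0ld3r"
}
variable "domain_admin_password" {
  type      = string
  sensitive = true
}
variable "vm_count" {
  default = 3
}
'''

# Variable names that usually carry a credential or a reachable internal endpoint (assumed list).
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api_?key|admin|user(name)?|server|host", re.I)
# One variable block: the quoted name in the header, then the body up to the closing brace.
VARIABLE_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
# A string-literal default inside the body (numeric or absent defaults are not flagged).
STRING_DEFAULT = re.compile(r'^\s*default\s*=\s*"([^"]*)"', re.M)


def find_hardcoded_secrets(tf_text):
    """Return (variable_name, default_value) for every sensitively named variable
    whose default is a non-empty string literal committed in the file."""
    findings = []
    for name, body in VARIABLE_BLOCK.findall(tf_text):
        if not SENSITIVE_NAME.search(name):
            continue
        match = STRING_DEFAULT.search(body)
        if match and match.group(1):
            findings.append((name, match.group(1)))
    return findings


if __name__ == "__main__":
    # Pre-commit style use: report each finding with the value redacted.
    for name, value in find_hardcoded_secrets(SAMPLE_VAR_TF):
        print(f"hardcoded default in {name}: {value[:2]}*** (redacted)")
```

A variable declared with `sensitive = true` and no default, like `domain_admin_password` above, passes the check because its value is expected to arrive from a tfvars file or environment that is kept out of the repository.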

I realized that the credentials were used inside the organization's infrastructure, but without strong evidence that the GitHub repository belonged to an employee of the organization, such a report is a weak one in bug bounty terms. Reading their responsible disclosure policy, it also clearly stated that actively auditing their infrastructure with credentials found on the internet is strictly prohibited.

I decided to report it anyway. After some days, they replied with this.

I accepted the invitation and proceeded further. Some days later, a HackerOne triager replied that the repo did not belong to the organization and that if I could provide proof, they would proceed further.

The report was triaged with medium severity. Long story short, on March 21st they fixed the issue by removing the GitHub repo and closed the report as Resolved.

Although it was a VDP, the experience was quite good. Finally, I want to put some resources below for learning GitHub dorking.

Thank you everyone.