In the month of March, I was learning a bit more about GitHub dorking. I was going through writeups, blogs, and videos to learn about it. After spending some time, there was an itch inside me forcing me to try it on a real-world target. Then I searched for responsible disclosure programs with the following Google dork:
site:com intext:responsible disclosure
I just randomly chose a target and started GitHub dorking based on the given scope. After trying a bunch of dorks like the following:
"target.com" password
"target" password
"target.com" path:env
I just landed on a var.tf file on GitHub. Navigating inside the file, I found the domain admin username, the password, and the vsphere_server IP address disclosed, all associated with the organization's TLD.
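As an added example (not code from the original post), here is a small Python check a defender could run as a pre-commit or CI step over Terraform variable files to catch the kind of exposure described above: variables whose names look credential- or endpoint-related (password, user, server) that ship with a hardcoded default. The var.tf content, variable names and values are constructed for the example and have nothing to do with the program in the story; the name patterns are a heuristic to tune per code base.

```python
import re

# Constructed sample var.tf (hypothetical names and values, not from any real
# repository) mixing hardcoded infrastructure values with one correctly
# declared secret that carries no default.
SAMPLE_VAR_TF = '''
variable "vsphere_server" {
  description = "vCenter endpoint"
  default     = "203.0.113.10"
}

variable "vsphere_user" {
  default = "administrator@corp.example"
}

variable "vsphere_password" {
  default = "ExamplePassw0rd!"
}

variable "datacenter" {
  default = "dc-01"
}

variable "db_password" {
  description = "Supplied via TF_VAR_db_password, never committed"
  sensitive   = true
}
'''

# Variable names worth flagging when they ship with a default. Heuristic, so
# tune it for the code base; the point is that credentials and endpoint
# addresses should never be committed as defaults.
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|secret|token|api_?key|user(name)?|server|host)", re.I
)
# One variable block: variable "name" { ... } up to the first closing brace
# at the start of a line. Heredoc (<<EOF) defaults are not handled here.
VAR_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
DEFAULT_STR = re.compile(r'^\s*default\s*=\s*"([^"]*)"', re.M)
SENSITIVE_TRUE = re.compile(r'^\s*sensitive\s*=\s*true\b', re.M)


def redact(value):
    """Show only the first two characters so a report never re-leaks the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_hardcoded_defaults(tf_text):
    """Return a list of findings for sensitive-looking variables that carry a
    hardcoded string default in the given Terraform text."""
    findings = []
    for block in VAR_BLOCK.finditer(tf_text):
        name, body = block.group(1), block.group(2)
        default = DEFAULT_STR.search(body)
        if default is None or not SENSITIVE_NAME.search(name):
            continue
        findings.append({
            "variable": name,
            "redacted_default": redact(default.group(1)),
            # 'sensitive = true' only hides the value in plan output; a
            # committed default is still leaked, so it is reported anyway.
            "marked_sensitive": bool(SENSITIVE_TRUE.search(body)),
        })
    return findings


def is_clean(tf_text):
    """Pre-commit style verdict: True when nothing was flagged."""
    return not find_hardcoded_defaults(tf_text)


if __name__ == "__main__":
    for f in find_hardcoded_defaults(SAMPLE_VAR_TF):
        print(f"{f['variable']}: default {f['redacted_default']} "
              f"(sensitive flag: {f['marked_sensitive']})")
    print("clean" if is_clean(SAMPLE_VAR_TF) else "hardcoded defaults found")
```

On the sample above the check flags vsphere_server, vsphere_user and vsphere_password and leaves db_password alone, because it has no default and is marked sensitive. The remediation the check pushes toward is exactly that shape: drop the default, set sensitive = true so the value stays out of plan output, and supply the real value at run time through a TF_VAR_ environment variable or a secrets manager instead of committing it.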
Since I realized the credentials are used inside the organization's infrastructure, and also without strong evidence that the GitHub repository belongs to an organization employee, it's a baby-cry thing in bug bounty. Also, reading their responsible disclosure policy, it was clearly mentioned that actively auditing their infrastructure based on credentials found on the internet is strictly prohibited.
Anyway, I decided to report it. After some days, they just replied with this.
I just accepted the invitation and proceeded further. Some days later, a HackerOne triager replied that the repo doesn't belong to the organization and, if I managed to provide proof, they would proceed further.
I just left it right there after reading the reply. The day after this reply, I received another message. The report was triaged with medium severity. Now, long story short, on March 21st they fixed the issue by removing the GitHub repo and closed the report as Resolved.
Although it was a VDP, the experience was quite good. At last, I just want to put some resources below to learn GitHub dorking.
https://orwaatyat.medium.com/your-full-map-to-github-recon-and-leaks-exposure-860c37ca2c82
https://gist.github.com/jhaddix/2a08178b94e2fb37ca2bb47b25bcaed1
Thank you everyone.