Adam Jon Foster (evildaemond): Hunting in the Safari Zone

BSides Perth · 2025 · 23:46 · 39 views · Published 2025-10 · Watch on YouTube

Transcript [en]

And most people with fresh user credentials can somehow reach HR's information in two clicks. Um, those default Snaffler rules kind of suck, so I kept making my own rules and patching Snaffler. Mike, please add compressed file support. I swear. Um, but one of my favorite ones are these ones. These are beautiful compressed files and virtual disk files. They're everywhere on the internet, everywhere. And I like to find weird ways of getting impact. So, virtual disk files are really common because you pull credentials out of them all the time. Most of them are actually just the image of a Windows machine. Um, sometimes you literally just have people put NTDS in a zip file. I'm not going to announce what point that was, but boy, it happens. Um, sometimes you just have offline media as well, ISO files for SCCM. That's always fun. But there's a lot of different ways that you can find weird data in stuff you just don't expect. And uh, I get bored a lot. It's a chronic problem. Terminal for some places. Uh, we'll get to why in a sec, but um, I like to just find weird stuff and dig into it. And you know, I like to dig into random stuff. And recently I've been looking around at public file shares, which is always fun. And open storage blobs are basically just file shares on the internet half the time. If you just consider it the same thing, it'll make your life 100 times easier.

If you haven't dealt with this sort of stuff before, stuff like open S3 buckets, services like Grayhat Warfare automatically index all of it. And I love to use it as a jumping-off point. You just search up a couple of interesting phrases, you dig in, you go, "Wait, they put one on the internet." Um, yeah, easy to use. It's basically just Google. I'm not here to promote a particular tool. But look, what if we used it like Snaffler, right? We just search for extensions, keywords, download it, parse it locally, um, see if we can find some fun stuff with it. Cool part that makes my life easy: they offer an API. The API sucks sometimes though. Like seriously, do not try and build your own version of parsing this API. It is a nightmare. Um, add some post-processing just because Azure file locks have a whole story behind it where if you have a mounted file system running or try and open a file that's already open in another Azure instance, it's a whole weird stupidness. Um, anyway, I drew the rest of the owl and just added tools that did all this and it came out with some really interesting stuff. Uh, you can't see the extensions very well, but that's all VHD files. So, virtual disks of random people online.

Um, now we're going to get into some actual stories of how this stuff happens. And I'm being very careful about what I say with some of this because some of these are still in disclosure. Uh, I'm being very general, vague, and I am actively putting disinformation in this talk purely so you can't figure it out. Um, but we're gonna start with my first personal favorite one. I was over at Y and I was able to have really fast internet. I have really bad internet at home and I decided to download massive files of VHDX files and one of them spoke to me and it was just a fast food restaurant name. And my favorite hacker tool, 7zip. You just open it up. It's great. Opened up. Oh, look. That's a full Windows directory. Uh, this was just one file for a single branch of one fast food location uh, in the US. And you know, it had some interesting stuff inside: build scripts, hardcoded credentials for loading users in there, HR information, payroll with social security numbers, some fun things. Um, and some weird software. What's that weird software? Well, this is where we get to the fun stuff. I like hunting weird software because every vendor has their own weird software that's made in house and it's always the best.

Uh, so we're going to call this one Instance Service and it's basically like a middleware service. The idea is that restaurants don't want to deal with all of the back of house stuff. They just want to get things done. Uh, it's all written in .NET: exe.config files, dumped FTP creds, Azure file storage, and web endpoints in there. The web endpoints made me really interested though. Waiting for people to realize. So, turns out that the credentials in there were for every instance that they've ever had on the internet and it was hardcoded. So, anyone can just take this file, this username password, look up an instance that's currently running for this and connect to it. I'm sure there's nothing bad that could happen from this. Anyway, there's a bunch of stuff earlier there. S3 credentials as well, database backups. I mean, this file name says it all. Um, some CloudFormation scripts and logs. The fact that I'm just passing over all of that should really say how bad this kept going. Um, and stuff like SSH credentials, and I'm not crazy enough to go and test if those work. Not in the slightest. Anyway, partway through this, I started seeing the [ __ ] keys getting rotated. So, immediately I started reporting it as fast as I physically could. I hadn't even completed the full research into it. I was about maybe four or five days in and went, "Yeah, I probably need to go get this dealt with." Um, part of why I'm calling it out is that there was no response to these. This happens a lot if you deal with vulnerability research: you will find that a lot of people don't want to talk to you. They just want to get the thing shoved under the rug for now.

Um, but now we're coming back to Australia. Uh, this one's a little bit more interesting. Uh, I love to search up keywords for very specific things. And I was looking at Intune cuz I thought maybe if I look at it and treat it like SCCM. Um, but one that popped up was this, it just said deploy. Um, deploys are always fun. And this one's a major company. I'm intentionally not listing who they are. This just happens. Anyway, you download it and unzip it and it's the entire Jira instance. My personal favorite was, for people who haven't tried to export Jira and go through it, it gives you multi-gigabyte XML files that you have to go through. If you try and read through that with a standard text editor, it's going to crash 90% of the time. So you have to paginate it every time and it is not fun to go through. Some of the fun stuff though was stuff about supply chain security and chats about the IR playbooks for this exact situation. Um, so, found the issue Wednesday afternoon. I emailed their head of risk. Uh, got a response. Uh, sent an email back and the issue was all sorted out. I actually wrote the email while I was taking off on a plane, which was uh, a very fun time because I was typing it and hoping that it sent, and then I landed in Amsterdam and went, "Oh, good. It actually sent like hours ago." Um, but you know, you get bored and you go to check things again. And I checked back a month later. And there were still files there, a couple of other extra ones. Some interesting ones that I didn't bother to validate. Um, mainly because I find that if you start using credentials for Entra from a random location, you trigger off a couple of incidents, just a couple. Um, but yeah, Jira, ServiceNow, GitHub, all just in a JSON blob, a couple of gigs. Uh, you can actually probably still find the location for this, but it's been removed now. Um, I emailed them and made sure to include the recommendation to please remove all of these files off the internet. I got a response making sure that I didn't keep a copy of all of the GitHub repos. That was the only response I got, that and a brief thank you. But yeah, there's a whole lot more to that story. It's a lot of fun. Um, but yeah, it really does just show that this is not isolated. It's not one company doing this. A lot of people have it and it's really hard to notice.

Now, this one I'm going to preface with: this next one is still in disclosure. So, uh, it's going to be fun. Uh, so the other fun one I like to look for is deployment, because people love to just put deployment buckets out there. A lot of random S3 files. Uh, one of them was a K8s deployment script. Uh, for preface, this is an AI-based company. Basically take all of your uh, data from different locations, shove it into the LLM because this is a good idea. Um, and you know, it's the classic company: goes [ __ ] fast, breaks stuff. Um, anyway, they just hardcoded the ECR credentials in there. Um, it was quite literally just in a readme, but technically had full scope as admin on AWS as well. Um, don't know why they chose to do that. That was a choice. Um, but you know what? I prefer finding better vulnerabilities than this. I'm better than this. So, I dug in more. And you know, I like to look at what's there, what's available, what's in the software, how does it work, and you know, between all the hard-coded credentials that they put in for K8s, and the fact that they use Erlang, who uses Erlang in the world, seriously. Um, yeah, there was a bunch of weird stuff in there, but luckily it's a K8s stack where they just had a middleware service in the front and that covers most of the stuff. So, I had limited access.

Even though they hardcoded the JWT token for authentication, it wasn't really abusable because the way they did it was something a little bit interesting. They referenced a GUID in there and every time you log in, it will send you a GUID and check, hey, is that UUID logged in or not in the database? And then say no. So, at least they did that, right? For some of you, if you can't tell, I love to lead people into this stuff. Um, so this one little bot login request that you can send is one of the few middleware-exposed services. I don't know why this was exposed. It's never meant to be exposed, but it is. And all you do is you supply a hard-coded auth header and a GUID of the user that you're trying to sign into. And this bypasses the full login auth. You just get straight through to it. But how do you get a GUID? Because you know, I might be pretty smart but I can't predict GUIDs. Um, for some reason they exposed a path for the Airflow DAG manager. Um, so this was hardcoded as well for the username password again. And inside of there, there were IDP secrets for syncing across users, uh, login and sync accounts and the data sources being synced, but it always had the GUID inside. That made life a lot easier.

So now that we were able to log in, you can do some interesting authenticated requests. First, list the users and return all their GUIDs once you've authenticated once. Then you've returned all of the IDP secrets and the APIs' API keys from a simple web request. I've never seen a piece of software in my life where you can return the IDP secret from a web request. Um, return SMTP credentials. And something that was weird was when you requested the data sources, they returned in an encrypted format, just for no reason. And that made me question, how does it actually do that? How is it encrypting something on the server side and then it's outbounding with unencrypted credentials? What was the JAR file on the same S3 bucket? And if you just pulled it out, it had the hard-coded AES key and null IV. And yeah, then you get to write a fun end-to-end exploit where you just log into Airflow, view all the logs, return the GUID of that user, return the request for all of the other GUIDs, and then log into each user, decrypt their uh, secrets for data connections locally, and extract the IDP secrets and SMTP configuration. And I'm sure there's no threat actors who are abusing, you know, IDP configurations or trying to log into locations from IDP secrets. Absolutely not. I did try to find a way to redact this enough where I could show a PoC video, but I can't. I've tried. I spent like 8 hours in After Effects trying to censor everything and I couldn't. Um, all I'm going to say is the next track's going to be fun.

Anyway, at this time, disclosure is still in progress. Uh, CISA's basically just like, "No, unless you email this to the vendor, we're not going to deal with it anymore." It used to be that you could just throw stuff at CISA and they would just disclose it for you, which was annoying. Uh, 30 days with no vendor response. And I've started going directly to the affected companies and saying, "Hey, your software is on the internet. Here's your IDP secret." It's a fun way to do it. But a big thing out of this that I'm going to try and highlight is disclosure is hard. Anyone who's done vulnerability disclosure knows this. And none of us are lawyers. If you are a lawyer in here, oh boy. And if you ever find a lawyer who says they know exactly that you are doing everything legally, don't hire them. There's a fun anecdote in the US which is uh, that there are references in law that state other laws in other countries that reference other laws in other countries. So there's no way to know that every jurisdiction that you're following the law for is correct. And that exists everywhere. Um, and there's a lot of different ways that you can disclose things. Uh, at the moment, this is what I've been saying for most of it. CISA is basically not taking vulnerabilities if you do vulnerability disclosure unless you've already disclosed it to other ones. ASD won't return an email unless you pop a big four. DIVD seems to be trying to do good stuff. They have some interesting laws around basically just being able to hack things to verify as long as it's for the greater good. Uh, full disclosure, personally, I'm not a fan of just yeeting stuff on the internet and saying, "Here's a vulnerability. Good luck." And I don't want to go on LinkedIn and say, "Hey, I hacked this company. Please point a target at my back." But creating burner emails and yeeting it over the fence is always priceless.

Now, part of this was I spent a lot of time digging into VHDX files. And as much as I love the hacker tool known as 7zip, I can't use it for everything because manually parsing through every single VHDX file is a nightmare. So, as a fun note, this is still an area of research you can go right now and test yourself. This is 100% working. You can go onto anywhere and just download a bunch of VHDX files for fun. Um, so why not just take a system similar to Snaffler? So going through a virtual disk file, parsing through all the contents with a basic rules-based system, because I like looking at both file system and registry files. Do both of them at the same time. Uh, there's a really interesting tool called a discreer written in Python that does most of this, but it's a CLI tool. Therefore I hate it. It doesn't have a file close handler. It literally has a pass function for it. Um, Impacket for reading the registry, Rich because I like nice output. Uh, read the file system without mounting the disk. So, just make your life easier. Uh, go through all of the individual partitions of the disk. Parse through all of it. Extract the information. I'm literally painting over the alpha of this at this stage. Uh, full JSON schema is still a work in progress but you can extract, load, walk and dump the registry keys and values out of anything. So you get a nice little JSON rule like this where you've got a set of registry files for the SAM, SYSTEM, SECURITY and SOFTWARE and this will just extract it directly into your local file system to make life easy. Now, when you're doing this at scale, let's say 2,000 virtual disk files in 4 hours, this makes your life a lot easier. And you can do things like this where you say, I want to pull the tenant information out of the local machine file and pull out where that machine is enrolled in for Azure. Anyway, it's already been released. It's on GitHub. And as the open source adage goes, it's open source. If you want a feature, feel free to add it. Uh, I've kind of written enough spec in there that you can kind of figure out how this stuff is working. I've made it very open. Feel free to contribute. I don't mind. And because I'm of course a thought leader, I need to offer the classic "what did we learn?" Please go check your file stuff. Like, make sure you're not just leaving everything for public read. If you're a defender, I'm sorry. Good luck. If you're an attacker, enjoy the next six months of this being the rest of your job. Um, and seriously, stop putting VHD files on the internet. The fact that I didn't even include the fact that I just found a full domain controller in here in this talk really says a lot. So yeah, that's it.
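Added example (editor's illustration, not the speaker's tool, Snaffler, or any code from the talk): a minimal Python model of the rule-driven triage the talk describes, where a JSON rule set names the registry hives to pull out of an extracted disk image and the file patterns and keywords to grep for hard-coded credentials. The "image" is a constructed directory tree built in a temp dir, and every path, rule and sample value is a made-up assumption, so it runs offline; pointing `triage()` at a real extracted partition is left to the reader.

```python
"""Rule-driven triage of an extracted virtual-disk image (added example).

Models the JSON-rule idea from the talk: hives to extract, config files to
keyword-scan. Not the speaker's tool. All paths, rules and values below are
constructed for illustration.
"""
import json
import os
import re
import shutil
import tempfile
from pathlib import Path

# Constructed rule set. Paths are relative to the root of the extracted
# Windows partition; keywords are matched case-insensitively.
RULES_JSON = r'''
{
  "registry": {
    "name": "hives",
    "paths": ["Windows/System32/config/SAM",
              "Windows/System32/config/SYSTEM",
              "Windows/System32/config/SECURITY",
              "Windows/System32/config/SOFTWARE"]
  },
  "files": [
    {"name": "dotnet-config", "glob": "**/*.config",
     "keywords": ["password=", "connectionstring", "accountkey="]},
    {"name": "backups", "glob": "**/*.bak", "keywords": []}
  ]
}
'''


def build_sample_image(root: Path) -> None:
    """Lay out a constructed, fake extracted VHDX so the example runs offline."""
    cfg = root / "Windows/System32/config"
    cfg.mkdir(parents=True)
    for hive in ("SAM", "SYSTEM", "SECURITY", "SOFTWARE", "DEFAULT"):
        (cfg / hive).write_bytes(b"regf" + b"\0" * 60)  # fake hive header only
    app = root / "Program Files/InstanceService"          # hypothetical app dir
    app.mkdir(parents=True)
    (app / "InstanceService.exe.config").write_text(
        '<connectionStrings><add name="db" connectionString="Server=db;'
        'User Id=svc;Password=placeholder-not-real"/></connectionStrings>')
    (root / "Backups").mkdir()
    (root / "Backups/prod.bak").write_bytes(b"\0" * 16)
    (root / "readme.txt").write_text("nothing interesting here")


def triage(root: Path, out: Path, rules: dict) -> dict:
    """Apply the rules: copy listed hives into `out`, flag keyword hits in files."""
    out.mkdir(parents=True, exist_ok=True)
    findings = {"extracted": [], "hits": []}
    # Registry rule: straight copy of each hive that exists in the image.
    for rel in rules["registry"]["paths"]:
        src = root / rel
        if src.is_file():
            shutil.copy2(src, out / src.name)
            findings["extracted"].append(rel)
    # File rules: glob, then keyword-scan (a rule with no keywords flags by name).
    for rule in rules["files"]:
        pattern = None
        if rule["keywords"]:
            pattern = re.compile("|".join(map(re.escape, rule["keywords"])), re.I)
        for path in root.glob(rule["glob"]):
            if not path.is_file():
                continue
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            if pattern is None:
                findings["hits"].append({"rule": rule["name"], "path": rel, "keyword": None})
                continue
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            match = pattern.search(text)
            if match:
                findings["hits"].append(
                    {"rule": rule["name"], "path": rel, "keyword": match.group(0).lower()})
    return findings


def run_demo() -> dict:
    """Build the fake image in a temp dir, triage it, clean up, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root, out = Path(tmp) / "image", Path(tmp) / "loot"
        build_sample_image(root)
        return triage(root, out, json.loads(RULES_JSON))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same rule file drives both halves, which is the point when the input is thousands of images: the hive list says what to lift out for offline parsing, and the file rules say what to flag without ever mounting the disk. A defender can run the same rules over their own exported images before a bucket is made public to see what a stranger would find.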

[Applause] I think I did pretty good on time. Uh, any questions?

>> No.
>> Any other questions?
>> The legality is quite blurry. So you have just, like, doing this.
>> No, the more that you try to anonymize yourself, the more likely you are to be perceived as an attacker. It's better to try and... Most of my work here is all public interest. I'm trying to encourage people to go fix these problems. If you go out of your way to hide yourself and make it harder to find who you are and what you're doing, it makes it very hard to defend that you're doing something in the public interest.

>> So, are these decent sort of starter steps to actually take when you're wanting to have a hobby in this, in safari zoning?
>> Generally, uh, I would not follow this as a guide for anything if you want to stay out of prison.

>> I thought this was a Pokemon talk in the future.
>> Yep.
>> Oh, I was going to make a joke.
>> Now that you cracked military grade AES, what's the next step?
>> People stopped putting their PKI certificates and all of their PKI servers on the internet.
>> How did you get a QR code to the link to the slide deck in the slide deck?
>> I exported as a PDF and had a static link.

>> Yes.
>> Where can we find the slide deck? Yes.
>> What is the funniest or weirdest thing that you found with all these images? Maybe weird configurations, really bad or outdated software.
>> I found a Nessa server. I wish that was a joke. Cool.
>> Yep.
>> Would you consider integrating your tool with Snaffler as, like, an optional module to sort of, like, auto run?
>> Uh, Snaffler doesn't support compressed file uh, stuff. In fact, I'm pretty sure if I last remembered the comment, it literally says TODO from 2023. Harass Mike Loss.
>> Have you ever thought about public shaming through journalism instead?
>> That's a very fast way to find out how quickly lawyers can get on to you. I prefer to just have an anonymous email that I try to do the best opsec I can to yeet it over the fence. Uh, and if that doesn't work, well, full disclosure is also an option, but I just don't like doing that first.
>> Journalists always pay good money for good stories.
>> I'm not in this for the money. I'm here for being able to laugh at things and go, "Why the hell is this on the internet?"

>> Oh, what size were the customers of that software?
>> GDP of a country. You already know the answer to that one, huh?