An OSINT Story: It’s late Friday evening…
Nov 25, 2021
Taking a little break from our regular OSINT-themed posts, we wanted to mix it up a little this time and talk about the power of OSINT through a little story, inspired by the amazing Stealing the Network volume of books.
It’s late Friday evening, the week before the gaming conference “G3: Games, Games, Games”. Hacktivision will be presenting their long-awaited sequel to Metal Duty (MD), the overwhelmingly popular first-person shooter from the 90’s, now in its 32nd release.
“Stop talking to me about security! I paid for that EV certificate; we don’t need anything more. I’ve spent 30 years in IT, I’m an expert at this point. I know what I’m doing!” Greg screeches across the board room, his voice breaking just a bit.
Kate rolls her eyes. “You’re certifiably insane. I heard we’re currently storing user PII in a public S3 Bucket. Just give me some AWS creds and I will fix it for you.”
Kate is the lead developer on the project. Recently, she found out through office gossip that the ‘security team’ consisted entirely of Greg.
Greg takes a deep breath. “Kate, there are literally millions of S3 buckets, you cannot magically guess the right one and you have no idea what you’re doing. I’m tired of you wasting everybody’s time. Go Home. HR will be in contact to discuss your contract with us.”
Everybody falls silent and looks at Kate, waiting for a reaction. Kate stares back at Greg, a little stunned. Contemplating how to respond to her not so subtle public firing.
“Good luck with that.” She says as she grabs her backpack and walks out of the board room, trying to hide the tears she’s holding back.
Kate is lying in bed, staring at the ceiling. Her alarm clock reads 2:31 AM. It was kind of a relief for Kate to get fired. She hated working at that company. Every day she’d be berated for sharing new ideas or belittled for caring. She certainly wasn’t paid enough to even attempt to put up with the toxic culture. None of the developers were paid anywhere close to market rate. Not to mention, the game is barely worth playing, it’s riddled with bugs and is horrendously unoriginal.
“They really don’t deserve any of the talented dev’s working there.” Kate thought to herself. “They’ll just keep churning out bad game after bad game and burning out dev after dev if they keep going like this. Just once I’d like to see some real consequences for companies that operate like that.”
Kate rolls over on her side and sees the soft red glow from her computer’s power button on the other side of the room and a thought starts to dawn on her. “I could leak the game. That’s a very serious consequence… I could definitely do that… Screw it, something needs to happen.”
She peels off the blankets and hops out of bed. Kate reaches for the power button and as her computer boots up, she grabs a hoodie for warmth and gets comfortable sitting cross legged in her chair.
She opens the AWS Console and tries to login using her corporate account, but her access is already gone. “Damn it. That was fast. Probably a good idea not to use my own credentials anyway.”
Kate starts to realize that she’d have to get crafty if she has to do this without her own credentials. Kate enters the text “find leaked credentials” into google and clicks the first link that comes up. It’s a website called haveibeenpwned.com. There is a search bar in the middle of the page. Kate enters Greg’s work email and receives back a dark red banner.
She scrolls to the bottom of the page and selects one of the “pastes” that Greg’s email was found in. A new tab opens to a site called “pastebin.com”, she hits CTRL+F to find Greg’s email. About halfway down the page she sees his email next to a password “BigMan9”.
She opens up the Hacktivision AWS Console and enters the credentials. No Luck. Kate remembers a joke Greg once made about just iterating the number at the end of his password every time he has to change it. She enters “BigMan10” and is immediately signed into the console.
Every other account in the business has MFA enabled but Greg found it annoying so asked a buddy in IT to disable it.
Now in the AWS Console, Kate navigates to the S3 bucket used by Jenkins, containing the game’s build artefacts. She makes the latest build file public, which includes the game executable. Additionally, Kate makes the user PII bucket private while she’s here.
She logs out and navigates to the S3 bucket to download the game executable for safe keeping on her own machine.
“Now I just need to get the word out about accessing the game for free I guess” Kate checks the time, its 3:11AM now. She yawns loudly and decides to retire for the night.
Kate dreams about watching Greg stumble onto the stage at G3, coffee stains on his shirt, half asleep, struggling to get his presentation to run.
The alarm on Kate’s nightstand beeps loudly. She fumbles to turn off the alarm, accidently knocking it to the ground. It stops beeping so Kate just leaves it as she rolls out of bed, making her way to the small kitchenette in her studio apartment to turn on the kettle for a coffee. As she leans against the kitchen counter, she starts to contemplate what her next moves should be.
“I need a platform to announce the game leak and expose Hacktivision. I can’t do it from my social media, my 20 followers would hardly notice. The best scenario would be hijacking Greg’s presentation. I wonder how hard that would be. God, that would be satisfying to watch.”
Kate remembers the dream she had last night. “Screw Greg, he deserves to be embarrassed and all the developers want to see it.”
Kate pours her coffee and sits back down at her desk. She grabs her notebook and pen to write down her two goals:
- Modify Greg’s presentation.
- Ensure Greg doesn’t have time to check the presentation before he goes on stage.
“Greg was working on his presentation on his company laptop, so getting access to it and modifying it will be easy. I already have his credentials. I’m just not sure how I could ensure he’s late for the presentation. Maybe if I send an email from a spoofed domain saying his presentation has been moved to a later time? Even better, if I get access to G3’s email servers I could send an extremely convincing email… I guess I have all day, might as well try.”
Kate opens her browser and goes to g3conf.com, she selects the padlock next to the URL, and continues to “More information”. She’s interested to see if the subject Alternative Names in the certificate might hint at the email server’s name.
“m.g3conf.com? Maybe M stands for mail, seems a bit of a stretch but worth taking a look.” Kate opens her shell and pings the domain to identify the IP address. She uses that IP to search shodan.io for exposed services.
“Looks like there’s some sort of webapp here. There might be some interesting endpoints that are leaking data.” Kate sets up dirbuster, a tool for discovering directories and file names.
Her results show a .env file is publicly exposed, the server may be running in debug mode or maybe nginx is misconfigured. Kate downloads the file. It’s full of secrets and configuration options for the webapp.
“There’s AWS creds here, surely they’re using SES”.
SES is Amazon’s “Simple Email Service”. Kate opens her shell and attempts to authenticate to the endpoint: “https://email.ap-southeast-2.a...”. Kate is successful and starts to draft her email to Greg:
Kate opens her shell and loads the credentials into the AWS CLI. The credentials are still valid. From here she lists the email domains in the account and notices the [email protected] address is set up to email anyone. She writes an email to send to Greg and posts it to the API.
“Done. Email sent! Greg should end up being an hour late to his big presentation with no time for a test run.”
The anxiety of what Kate has just done slowly sets upon her. What if he misses the email? What if he wakes up early and does a test run at home? What if he replies to the email and ask why it’s been moved? Kate starts to bite her nails. This really isn’t enough. She knows she needs to do something more.
“Greg is always bragging about how his massive bonus this year went to setting up his smart home. Maybe he has an IoT alarm clock I can mess with or doors that I can remotely lock… but I don’t even know how I would get his IP address or anything like that!” Kate slumps her head into her hands and lets out a deep sigh.
“His GitHub Maybe? He may have leaked something there.” Kate opens LinkedIn and navigates to Greg’s profile. Surely, it’s on his LinkedIn account. Somebody who has been in IT for 30 years would certainly have a wealth of code to show off.
Kate decides to google his name just to see if she gets lucky with anything and stumbles across a Reddit thread labelled ‘AMA: I’m the project manager for Metal of Duty’. The AMA subreddit is a place where people can post threads where other users can ‘ask them anything’. Kate scrolls through the comments.
“What a liar… this new game is nothing like what he’s describing. He really doesn’t know this game at all.”
Kate realizes Greg has used an alias as his reddit account, “0xGregDev”. Kate plugs his alias into google and a stack overflow article comes up – “IoT devices DNS problem help”. The post contains a section of logs he’s copied from his router, containing an IP address. She browses to the IP address and is immediately redirected to a login page. She tries Greg’s alias “0xGregDev” with his password “BigMan10”.
“Incorrect Password – please try again or reset password.”
Greg probably hasn’t had to iterate the number on the end of his password outside of work. She tries “BigMan1” and is immediately redirected to a dashboard of Greg’s IoT Home devices.
“What the… an IoT toothbrush?? AN IOT WATERBOTTLE? Who needs that! What does it even do?”
Kate clicks on the settings. Next to the water bottles “Infrared color” setting is the “Alarm Time”. Greg’s IoT water bottle is also an alarm clock. Kate turns off the alarm.
“Serves him right for having a water bottle connected to the internet.”
After checking for any other alarms on Greg’s IoT toothbrush, coffee machine and toaster. Kate was satisfied that after pre-con drinks and no alarms, Greg was not waking up on time tomorrow.
The night before the con, Kate sets her alarm for 5:00AM. She wants to wake up early to modify that presentation in time. She tests Greg’s credentials one more time just to double check. The creds work and she can see his presentation sitting there on his cluttered desktop ready to be messed with. She logs out and goes to bed.
It’s 10:30AM the next day, Kate is sitting at the back of the audience at G3. Everything has gone perfectly. The audience is extremely restless. Kate modified the presentation this morning to provide details on the public S3 bucket with the game’s executable, along with information on Hacktivision’s abuse of employees. Greg, slightly disheveled, suddenly runs on stage and the audience cheers. Kate sits at the front of her seat waiting to watch all of her hard work unfold when suddenly, somebody taps her shoulder. She turns around to three police officers behind her.
“Ma’am – can you come with me please?”
Authored by Jess Williams.