Hacking the Dutch Government
The Dutch Government has a Responsible Disclosure program that rewards you with a T-shirt when you find a vulnerability in one of their websites. I’ve always wanted such a T-shirt, and I finally managed to get one!
Exploration
When working on projects like this I like to first gather a list of websites that are in scope. In this case it was pretty easy since the government already provides such a list at https://www.communicatierijk.nl/vakkennis/r/rijkswebsites/verplichte-richtlijnen/websiteregister-rijksoverheid which includes 1786 websites.
After reading an article about misconfigured webservers that expose the .git folder, I decided to scan the list of government websites using a tool called httpx:
cat gov_urls.txt | httpx -path "/.git/config" -title -fr -sc -cl -mc 200,201,202 -ms "[core]" -t 100
This actually found an exposed git-folder on https://themasites.pbl.nl/winnaars-verliezers-regionale-concurrentie/.git
Vulnerability
Using the exposed .git folder it is possible to download the entire git folder with tools like dvcs-ripper or GitDumper. After the .git folder has been downloaded it is possible to run git restore . or a tool called GitExtractor to retrieve all the source code.
The source code often contains sensitive data like API keys or passwords. Using a tool called trufflehog I was able to quickly find a GitHub token in one of the source code files, which allowed me to gather more information about the GitHub user:
curl -u ":ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" https://api.github.com/user/repos
curl -u ":ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" https://api.github.com/user/teams
Impact
The discovered GitHub token grants full access to all private repositories of both the user and the pbl-nl organization. This access allows:
- Downloading all source code, potentially exposing sensitive credentials
- Push access to most repositories, enabling injection of malicious code
Mitigation
- Block access to the .git folder in the webserver configuration
- Change permissions of the .git folder so the webserver user can’t access it.
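As an added example (not part of the original post, and not the configuration the affected site actually used), this is how the first mitigation looks in an nginx server block. The post does not say which webserver was involved, so nginx is an assumption, as are the hostname, document root and log path; the weak setting is shown as a comment beside the hardened one.

```nginx
# Added example: block HTTP access to version-control metadata in nginx.
# Hostname, document root and log path below are assumed placeholders.
server {
    listen 80;
    server_name example.internal;        # assumed hostname
    root /var/www/site;                  # assumed document root

    # Weak setting (for contrast): only a plain catch-all location, so if the
    # repository was deployed with its metadata, /.git/config is served like
    # any other static file.
    #
    # location / {
    #     try_files $uri $uri/ =404;
    # }

    # Hardened: refuse every dot-directory and dot-file (.git, .svn, .hg, .env, ...)
    # except /.well-known/, which ACME and similar standards need. nginx evaluates
    # regex locations before falling back to the longest matching prefix location,
    # so this block wins over "location /" regardless of its position in the file.
    # A 404 is returned instead of 403 so the response does not confirm that the
    # path exists on disk. "return" runs in the rewrite phase, before any file
    # lookup, so the contents of .git are never read.
    location ~ /\.(?!well-known/) {
        # Keep a separate trail of these probes; a burst of requests for
        # /.git/config across many hosts is exactly the scan described above.
        access_log /var/log/nginx/dotfile_probe.log;   # assumed log path
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, verify with `curl -s -o /dev/null -w '%{http_code}\n' http://example.internal/.git/config`, which should print 404 (an Apache equivalent is `RedirectMatch 404 /\.git`). Blocking the path only stops further disclosure: a repository that was reachable this way should also have its metadata removed from the document root, and any credentials found in its history should be treated as compromised and rotated.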
Timeline
| Date | Description |
|---|---|
| 24-05-2022 23:45 | Reported vulnerability to NCSC |
| 25-05-2022 08:56 | NCSC confirmed the vulnerability and informed the organization |
| 25-05-2022 13:20 | Vulnerability resolved |
| 28-06-2022 | Received T-shirt |