Dorking around
So I recently saw Maia Crimew’s (in?)famous blog post, How to completely own an airline in 3 easy steps. In this, she describes how she managed to get ahold of confedential data from major airlines, using little technological knowlege, or actual hacking.
Sh used the zoomeye internet search engine, somewhat an analogue of google, except rather than searching all websites, it searches all internet connected devices — including insecure ones.
I was inspired by her, to do my own “dorking,” or search engine based hacking, trying to find vulnerable public services. She searched for public jenkins servers, which is a build and deployment system, that seems to be able to leak secrets if not configured correctly.
I decided to search for something even easier. I searched for xterm, a browser based terminal. It took some tinkering with the terms, but eventually I found some publicly exposed servers. People had left an xterm session running, sometimes even with root privileges enabled.
I decided to search further. I searched guacamole, a web based connector to remote desktop protocol sessions to see if anyone had left any exposed. There is a service called webtop, which creates a browser based desktop environment. By default, docker punches through the users firewall, and it also mounts the docker socket inside the container. Often, users would leave instances of these exposed, docker socket and all.