Full Report
NCC Group performed a pentest against a web application, in which they leveraged anonymous access to discover a sitemap folder that turned out to be an S3 bucket with directory listing enabled. NCC identified a bash script containing a hardcoded Git credential, which granted a...
Analysis Summary
# Tool/Technique: Hardcoded Credentials in Script
## Overview
This technique involves storing sensitive credentials (such as API keys, usernames/passwords, or access tokens) directly within source code or configuration scripts (for example, Bash scripts), making them easily discoverable if the storage location is compromised or exposed.
## Technical Details
- Type: Technique
- Platform: Linux/Unix (Bash scripts), CI/CD systems (Jenkins)
- Capabilities: Exfiltration of sensitive information upon discovery and access to linked services (e.g., Git, Jenkins, AWS).
- First Seen: N/A (This is a fundamental security flaw, but its application in this context was observed in early 2022 research findings).
## MITRE ATT&CK Mapping
- [TA0001 - Initial Access]
- [T1187 - Global Discoverability] (Related, as the initial access relied on finding an exposed bucket)
- [TA0006 - Credential Access]
- [T1003 - OS Credential Dumping] (In the subsequent step after initial foothold)
- [T1552 - Unsecured Credentials]
- [T1552.001 - Credentials in Files]
## Functionality
### Core Capabilities
- Storing sensitive static values (Git credentials) within executable scripts.
- Allowing unauthenticated or low-privileged entities to discover and read these secrets by accessing exposed configuration files.
### Advanced Features
- **Privilege Escalation Vector:** The hardcoded credential provided initial, limited access to a Jenkins server, which was subsequently leveraged to escalate privileges to administrative level.
- **Credential Chaining:** The compromised Git credential led to access to the CI/CD pipeline (Jenkins), where further high-value credentials (AWS tokens, SSH certificates) were held.
## Indicators of Compromise
- File Hashes: N/A (Specific to the pentest environment)
- File Names: `sitemap` folder, Bash script containing Git credentials.
- Registry Keys: N/A
- Network Indicators: Git service access, Jenkins login attempt.
- Behavioral Indicators: Accessing or downloading configuration scripts from publicly accessible or anonymously accessible cloud storage.
## Associated Threat Actors
- No specific actor is attributed; this is a common misconfiguration rather than a technique tied to one group. Documented actors (e.g., various ransomware and financially motivated groups) often leverage such exposed files during initial reconnaissance or automated scanning.
## Detection Methods
- Signature-based detection: Searching for patterns indicative of hardcoded credentials in repositories or exposed file systems (e.g., patterns matching Git credentials, or base64-encoded secrets that decode to readable credentials).
- Behavioral detection: Monitoring unusual enumeration or download activity from S3 buckets with directory listing enabled.
- YARA rules: Rules targeting specific patterns associated with hardcoded Git tokens or API keys within text files.
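As an added illustration of the signature-based checks listed above, the following Python scanner (example code written for this summary, not NCC Group's tooling or anything from the report) runs over a constructed Bash script resembling the kind of deploy helper described: it flags Git URLs carrying embedded credentials, Git token environment variables, and base64 blobs that pass an entropy threshold and decode to a `user:secret` pair, while skipping low-entropy filler. All patterns, hostnames, and the sample script are assumptions made for the example, and matches are redacted before reporting.

```python
"""Scan shell scripts for hardcoded credentials (detection-side helper, example only)."""
import base64
import binascii
import math
import re
from dataclasses import dataclass
from typing import List

# Constructed patterns for this example; real scanners carry far larger rule sets.
PATTERNS = {
    # https://user:secret@host/...  (credential embedded in a Git remote URL)
    "git_url_with_credentials": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@[^\s/]+"),
    # GIT_TOKEN="..." style assignments with a value of at least 8 characters
    "git_token_env_var": re.compile(
        r"\b(?:GIT_PASSWORD|GIT_TOKEN|GITHUB_TOKEN|GITLAB_TOKEN)\s*=\s*['\"]?[^\s'\"]{8,}"
    ),
    # AWS access key id format (commonly found beside Git creds in CI scripts)
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Candidate base64 blobs: 24+ alphabet characters plus optional padding, standing alone.
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{24,}={0,2}(?![A-Za-z0-9+/=])")
ENTROPY_THRESHOLD = 3.0  # bits per character; repeated filler such as AAAA... scores 0


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_to_credential(token: str) -> bool:
    """True if token is valid base64 whose plaintext is printable ASCII shaped like user:secret."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    return text.isprintable() and ":" in text


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so an analyst can correlate the hit, mask the rest."""
    return secret[:keep] + "*" * min(max(len(secret) - keep, 0), 8)


def scan_text(text: str) -> List[Finding]:
    """Apply the signature patterns and the base64/entropy heuristic line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(m.group(0))))
        for m in BASE64_RE.finditer(line):
            token = m.group(0)
            # Entropy first (cheap) to discard filler, then decode to confirm a credential shape.
            if shannon_entropy(token) >= ENTROPY_THRESHOLD and decodes_to_credential(token):
                findings.append(Finding(line_no, "base64_encoded_credential", redact(token)))
    return findings


# Constructed sample in the spirit of the exposed deploy script; not the real script from the report.
_ENCODED = base64.b64encode(b"deploybot:password1234567890").decode()
SAMPLE_SCRIPT = f"""#!/bin/bash
set -e
git clone https://deploybot:s3cretT0ken123@git.example.com/internal/app.git /tmp/app
export GIT_TOKEN="hunter2hunter2hunter2"
PADDING="AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
AUTH_HEADER="Authorization: Basic {_ENCODED}"
"""


def scan_sample() -> List[Finding]:
    """Scan the constructed sample script; returns three findings (lines 3, 4 and 6)."""
    return scan_text(SAMPLE_SCRIPT)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

The entropy gate is what keeps the base64 heuristic usable on real scripts: padding constants and encoded binaries are common, and only blobs that are both high-entropy and decode to a `user:secret` shape are reported. In a CI pre-commit or bucket-audit job the same `scan_text` function would be run over every script and text file, with hits routed to the secret-rotation process rather than printed.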
## Mitigation Strategies
- **Prevention Measures:** Never hardcode secrets in source code, configuration files, or publicly accessible storage. Use secret management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
- **Hardening Recommendations:** Disable directory listing on S3 buckets unless explicitly required. Apply the principle of least privilege to all cloud storage buckets (deny anonymous access by default). Implement repository scanning tools (like GitGuardian or TruffleHog) to prevent secret leakage into Git history.
## Related Tools/Techniques
- Exposed S3 Buckets (Cloud Native Misconfiguration)
- Credential Harvesting from CI/CD systems (e.g., Jenkins, GitLab Runners)
- Use of secret management tools (as an alternative)