Dropping root shell in a Crypto Exchange for Fun (and Profit?)
I have been using this crypto exchange, changenow.io, for at least a year now. I didn't realize they also had a bug bounty program, which was mentioned in their footer section. I was quite busy with my day job, so I kept the details of the program in my todo.txt so I could check it out later.
One night when I had that itch to do some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io. I started by enumerating subdomains and probing for the standard web ports (80/443). After obtaining a handful of URLs, I visited them one by one and noticed that a few of them were trying to redirect to another internal domain, eth-btc.com.
A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - firstname.lastname@example.org), so I enumerated the subdomains of this domain too. One of the subdomains, zbx.sup.eth-btc.com, was running a Zabbix instance. I didn't have login credentials, and common credentials didn't work either, but there was a "Sign in as guest" option available.
From my prior CTF experience, I knew that this would still be helpful. So I signed in as guest, and I could see a lot of interesting data about changenow.io.
There were some error logs in the monitoring dashboard which led me to the discovery of another internal domain, eth-btc.net. Again, the same process as above: enumerate subdomains and scan for web ports 80/443.
While checking the obtained URLs one by one, most of them returned 403 errors, but one of them, argo-ws.stage.aws.eks.eu.1.eth-btc.net, returned some kind of dashboard without any authentication. It was an Argo Workflows dashboard.
I've seen similar DevOps-related dashboards many times before while doing recon, and they weren't always useful to me. However, I lazily typed the exact keywords "argo workflow hackerone" to find any publicly disclosed reports on HackerOne related to Argo Workflows. It didn't yield any report from HackerOne, but a Medium blog post popped up with RCE and container escape as root. Niceeee.
Again, I didn't have much hope that it would actually work and I'd get a shell, but I created a workflow anyway by adjusting the poc.yaml so that I would receive a reverse shell on my external server if the exploit worked. After setting up a netcat listener on my server and running the newly created malicious workflow, I immediately obtained a root shell.
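The write-up does not include the contents of the poc.yaml, but the two weaknesses that made this chain work are clear: the Argo server accepted workflow submissions without authentication, and the cluster let a submitted workflow request pod settings (privileged container, host paths, root user) that amount to a container escape. The following is an added defender-side example, not code from the author or from the Argo project: a small linter over a Workflow manifest that flags those settings before the manifest is admitted. The manifests are constructed for illustration; the field paths (`spec.templates[].container`, `spec.templates[].script`, `securityContext`, `volumes`, `hostNetwork`, `podSpecPatch`) follow the Argo Workflows `v1alpha1` schema, and the merge of the template-level and container-level security contexts is a simplification.

```python
"""Linter that flags Argo Workflow templates whose pod settings would let a
workflow step run as root on the node or escape its container.

Added example for this write-up, not the author's PoC and not Argo code.
Manifests are plain dicts (as produced by a YAML/JSON loader) so the script
runs offline without extra dependencies.
"""
from typing import Any, Iterable

# Constructed sample: the shape of a workflow that asks for every escape
# primitive at once (privileged, SYS_ADMIN, host root filesystem, uid 0,
# host network, and a podSpecPatch that can set hostPID).
DANGEROUS_WORKFLOW: dict[str, Any] = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Workflow",
    "metadata": {"generateName": "example-"},
    "spec": {
        "entrypoint": "main",
        "hostNetwork": True,
        "templates": [{
            "name": "main",
            "podSpecPatch": '{"hostPID": true}',
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
            "container": {
                "image": "alpine:3.19",
                "command": ["sh", "-c", "sleep 1"],
                "securityContext": {
                    "privileged": True,
                    "runAsUser": 0,
                    "capabilities": {"add": ["SYS_ADMIN"]},
                },
                "volumeMounts": [{"name": "host", "mountPath": "/host"}],
            },
        }],
    },
}

# Constructed sample: the same step with a hardened pod spec.
SAFE_WORKFLOW: dict[str, Any] = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Workflow",
    "metadata": {"generateName": "example-"},
    "spec": {
        "entrypoint": "main",
        "templates": [{
            "name": "main",
            "volumes": [{"name": "scratch", "emptyDir": {}}],
            "container": {
                "image": "alpine:3.19",
                "command": ["sh", "-c", "sleep 1"],
                "securityContext": {
                    "privileged": False,
                    "runAsNonRoot": True,
                    "runAsUser": 1000,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [{"name": "scratch", "mountPath": "/tmp/work"}],
            },
        }],
    },
}


def _containers(template: dict[str, Any]) -> Iterable[dict[str, Any]]:
    """Yield every container-like spec in a template (main, script, sidecars, init)."""
    for key in ("container", "script"):
        if key in template:
            yield template[key]
    yield from template.get("sidecars") or []
    yield from template.get("initContainers") or []


def lint_workflow(workflow: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    spec = workflow.get("spec") or {}
    if spec.get("hostNetwork"):
        findings.append("workflow: hostNetwork enabled (pod shares the node network namespace)")
    wf_volumes = spec.get("volumes") or []
    for tpl in spec.get("templates") or []:
        name = tpl.get("name", "<unnamed>")
        # hostPath exposes the node filesystem; mounting "/" is a full escape.
        for vol in wf_volumes + (tpl.get("volumes") or []):
            if "hostPath" in vol:
                findings.append(f"{name}: hostPath volume {vol['hostPath'].get('path')!r}")
        # podSpecPatch is free-form JSON merged into the pod; it can set hostPID etc.
        if tpl.get("podSpecPatch"):
            findings.append(f"{name}: podSpecPatch present, review for hostPID/hostIPC")
        tpl_sc = tpl.get("securityContext") or {}
        for c in _containers(tpl):
            sc = {**tpl_sc, **(c.get("securityContext") or {})}  # simplification
            if sc.get("privileged"):
                findings.append(f"{name}: privileged container")
            added = (sc.get("capabilities") or {}).get("add") or []
            if "SYS_ADMIN" in added or "ALL" in added:
                findings.append(f"{name}: adds capability {'/'.join(added)}")
            uid = sc.get("runAsUser")
            if uid == 0:
                findings.append(f"{name}: runs as root (runAsUser: 0)")
            elif uid is None and not sc.get("runAsNonRoot"):
                findings.append(f"{name}: may run as root (set runAsNonRoot: true)")
    return findings


if __name__ == "__main__":
    for wf in (DANGEROUS_WORKFLOW, SAFE_WORKFLOW):
        print(wf["metadata"]["generateName"], lint_workflow(wf) or "clean")
```

Running this on the two samples flags six issues for the first manifest and none for the second. Such a check belongs in front of the Argo server (an admission policy or a pre-submit hook), and it only helps once the server itself demands credentials: the dashboard in this story was reachable with no authentication at all, which is the first thing to close (the Argo server's `--auth-mode` setting controls whether API calls must carry a client token or SSO identity rather than running under the server's own service account).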