3. TL;DR: They route HTTP requests to different services.

Typically using the Host header and/or a path.

So, I started brute-forcing the host headers:

I got a hit:

> configurator-prod.apps.███.com

5. The /env endpoint didn't contain much.

I also couldn't POST to it to achieve RCE.

It did contain:

• A "config server" URL (config-server-UUID.apps.███)
• And an oauth2 endpoint + credentials (to authenticate to the referenced server)

But, the password was redacted.

6. Remember the "/heapdump" endpoint?

Heap dumps are a snapshot of objects in memory for an application.

That includes the credentials...

So, I grabbed the credentials by:
• Downloading the heap dump using wget.
• Running strings & grepping for the client secret

Got 'em.

7. Now, I wanted to:

• Use these oauth2 credentials
• Hit the newly found config server for "configurator-prod"
• Fuzz it for endpoints

So, I used the oauth2 endpoint (leaked in the accessTokenURI)

+ the leaked credentials and got an access token:

8. Then, I used it to access the config-server and fuzzed for endpoints.

Turns out, it was Spring Boot Actuator…

and misconfigured…again.

The /env & /heapdump endpoints were exposed.

9. In the /env response was Github credentials...

And the private key for the user.

I grabbed the password using the /heapdump endpoint:

10. I checked if the credentials were valid:

$ curl -u gops:abc123...

They were.

I could now access 30+ Github Orgs.

And I had read/write access to hundreds of repositories. github.example.com/api/v3/user

11. I reported it to their bug bounty program.

Unfortunately didn't get a cool new car 😢

But I guess $5,000 wasn't too bad.