Bug on ParrotCTF

ParrotCTF

Hello fellas, how are you guys doing!! Well, I am here with another bug write-up.

A little background details about me. I am a new bug bounty hunter still learning about the bugs and trying up new things. For which I am solving THM rooms, HTB rooms, and newly came across a website named, parrotctf which is a great room for intermediate hackers.

Now coming back to how I got the bug on their website.

DotGit

This is a Firefox extension used by hackers/hunters to get the hidden .git directory of the website if it is present.

Link to download: https://addons.mozilla.org/en-US/firefox/addon/dotgit/

Once downloaded just pin it to your extension bar, and the next time you will visit any site it will directly show if any is .git directory is present.

Bug Details

Exposed .git directory is considered as a security misconfiguration. It is significant because it can reveal sensitive information and lead to potential security vulnerabilities such as:-

  • Source Code Access.
  • Commit History and Sensitive Information.
  • Usernames and internal information.
  • Information on dependencies and deployment details.

How I found it

So, when I was reading on Active Directory (AD), I got a notification on dotgit extension mentioning about 2.git directories.

I decided to look it up over web, and got the following response.

and

Once I found it, I submitted it on discord server and the founder looked an confirmed that it was exposed. within 2–3 hours he updated me that it is mitigated and the site has patched.

So yup that is it. This is how I found a security information exposure on parrotctf.

Bug Found: 13–10–2024

Bug Reported: 13–10–2024

Bug Patched: 13–10–2024

I would like to end this write-up here I hope this write-up may come into some help of yours.

Keep learning, keep hacking.

0xkalki signing out.

Radhe Radhe


Bug on ParrotCTF was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

原始链接: https://infosecwriteups.com/bug-on-parrotctf-e64424b0d043?source=rss----7b722bfd1b8d---4
侵权请联系站方: [email protected]

相关推荐

换一批