Exploring Wireshark network requests resulted in gaining access to the source code of both a game server and client. But how? This is a writeup of the full approach to getting this access, which was way too easy.

Wireshark

The game client did not allow me to sign in to my account and gave no logical error message, and, as the curious soul I am, I had to figure out why. In this situation Wireshark is the go-to tool for analyzing the network traffic. I found the HTTP payload that sent my login credentials to an endpoint. What surprised me here is that there was no encryption in transit, meaning anyone on your network could find the username and password.

Nmap

To follow up on the login endpoint I had found, I ran a basic nmap scan, and the outcome was fatal: the .git repository was available. Here are the next steps:

  • Used wget -m to mirror the .git directory to my localhost
  • Ran git checkout master && git restore . to reconstruct all files in the git repo

The code base

The application reconstructed from the .git folder was a home-brewed PHP application. After a quick glance, it turned out to have secrets for basically everything: Instagram, Twitter, Discord, MySQL and the GitHub API.

GitHub API

Testing the token for the GitHub API showed no restrictions; it was possible to:

  • List repositories
  • Download repositories

The key repositories

  • Game launcher
  • Game server
  • Game client
  • Discord bot
  • Login service

Takeaways

As you can tell, this is critical. Access to everything. If I were a malicious actor, I could have silently looked for RCEs, SQL injections, tried to add code to the repositories, and whatnot.

Four takeaways

  • Use SSL/TLS
  • Do not commit secrets to git
  • Do not just git clone the application without removing access to the .git folder
  • Do use least privilege for the access tokens you create
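
A post-deploy smoke test for the third takeaway, added here as an example and not taken from the application or the original writeup: it asks your own site for /.git/HEAD and decides from the response whether the repository metadata is being served. The function names, verdict labels and sample responses are constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# A genuine .git/HEAD is one short line: a symbolic ref or a detached commit id
# (40 hex chars for SHA-1 repositories, 64 for SHA-256 ones).
HEAD_RE = re.compile(rb"ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64}")


def classify_git_head(status, body):
    """Classify the response to GET <site>/.git/HEAD."""
    if status == 200:
        # Many sites answer 200 with an HTML page for every unknown path, so the
        # status alone proves nothing; the body must actually look like HEAD.
        return "exposed" if HEAD_RE.fullmatch(body.strip()) else "not-git"
    if status in (401, 403, 404, 410):
        return "blocked"
    return "inconclusive"  # 5xx, no response, unexpected codes: re-check by hand


def http_get(url, timeout=5.0):
    """Return (status, first 256 bytes of body); status 0 means no response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(256)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def check_site(base_url, fetch=http_get):
    # Request a file, not the directory: a 403 on /.git/ only says that
    # directory listing is off, not that the files inside are denied.
    return classify_git_head(*fetch(base_url.rstrip("/") + "/.git/HEAD"))


# Constructed sample responses, used when no URL is given on the command line.
SAMPLES = {
    "fresh clone in docroot": (200, b"ref: refs/heads/master\n"),
    "detached HEAD": (200, b"a" * 40 + b"\n"),
    "catch-all error page": (200, b"<!doctype html><title>Not found</title>"),
    "server denies dotfiles": (403, b""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict = check_site(sys.argv[1])
        print(sys.argv[1], verdict)
        sys.exit(1 if verdict == "exposed" else 0)
    for name, (status, body) in SAMPLES.items():
        print(f"{name:24} -> {classify_git_head(status, body)}")
```

Run with your site's base URL as the only argument in a deployment pipeline; the exit code is 1 only when the verdict is "exposed".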

Note: I did not do all of this without permission. Always get permission.

...and I figured out the reason I could not sign in was that I was rate limited 🙂