A security engineer discusses how logs and passive reconnaissance can reveal sensitive information like AWS credentials. The engineer searched for open Jenkins and SonarQube instances which led to discovering Slack channels containing AWS access keys. Key lessons are to know your boundaries, automate mundane tasks, don't presume systems mask secrets, and persistence is important in security work.

1. Owning a company through
their logs
Aseem Shrey
Security Engineer ( Grofers )
@AseemShrey

2. Can logs be that useful ?

3. How did I get here ?
● Passive Reconnaissance - Shodan
● Searching for Jenkins and Sonarqube open instances

6. Automate Them All

7. Leaking Secrets

8. Slack Channels --> AWS creds
● slack channel list
● aws s3api list-buckets — query “Buckets[].Name”

9. Key Takeaways
● Know your boundaries : If you think that the data you’ve got access wasn’t meant to be
accessible to you and was meant to be private, STOP. Take written permission from the company
before testing any further.
● Automate them all : Let machines take over ( The mundane tasks only ). While I had
automated the screenshot part, I was also checking for RCE on Jenkins on these instances ( i.e.
Jenkins instances with open Script Console and I did get quite a few )
● Don’t presume anything : Now, usually Jenkins replaces secrets with asterisks but it can’t
mask the tool output and as in this case the zookeeper was leaking the credentials.
● No secret sauce : Bugs are simple, persistence is the key.

10. The Blogpost