
L01 — Search Engine Operator

BRIEFING
MISSION: Search Engine Operator
===============================

Client SOC at atlas-fintech.local has reason to believe scrapers
have indexed assets that should not be public. Surface what is
exposed, with proof. Pre-engagement passive only — NO active
scanning of corp infrastructure.

Collect 5 distinct deliverables AND declare which independent
sources you used to corroborate each one. Write them to
/tmp/intel.yaml in the format below, then run
/opt/verify-search-operator.sh.

YAML fields required:
exposed_admin_panel: <URL of accidentally-indexed admin/management UI>
exposed_iot_device: <hostname:port of an exposed IoT/RTSP device with corp banner>
leaked_api_key: <API key recovered from a historical snapshot>
shadow_subdomain: <internal-staging hostname surfaced via CT log + reachability>
dev_creds_in_indexed_doc:
user: <user from a publicly-indexed document>
password: <plaintext from same document>
sources: # ≥2 distinct families per field
exposed_admin_panel: [<family-1>, <family-2>]
exposed_iot_device: [<family-1>, <family-2>]
leaked_api_key: [<family-1>, <family-2>]
shadow_subdomain: [<family-1>, <family-2>]
dev_creds_in_indexed_doc: [<family-1>, <family-2>]

Notes:
- Single-engine answers will be rejected. Each deliverable must be
backed by ≥2 distinct source families. Two queries against the
same engine count as ONE family.
- Allowed families: google, shodan, censys, wayback,
github-mirror, ct-logs, web-recon, dns-direct.
- 30-50% of plausible hits are decoys: honeypots, expired entries,
sister-domain false positives, tarpit canaries.
- Submitting a canary triggers a SOC alert. Soft-rejected, retry
permitted.

REFERENCE READING (if you get stuck):
- bellingcat.com — open-source investigation methodology
- berkeleyprotocol.org / OHCHR Berkeley Protocol PDF — chain of custody
- osintcurious.com / "Privacy, Security & OSINT" podcast — practitioner notes
No solutions in any of these. Methodology only.

Ephemeral session — no persistent state.

As usual, start by looking at the internal network.

10.13.67.10 -> google.local.
10.13.67.11 -> shodan.local.
10.13.67.12 -> censys.local.
10.13.67.13 -> wayback.local.
10.13.67.14 -> github.local.
10.13.67.15 -> ct-logs.local.
10.13.67.20 -> atlas-fintech.local.

Then check the request format of each service.

# google
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.10
{
"service": "google",
"version": "1.0",
"usage": "GET /search?q=<operators+terms> \u2014 supports site:, -site:, inurl:, intitle:, intext:, filetype:"
}
# shodan
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.11
{
"service": "shodan",
"version": "1.0",
"usage": "GET /search?q=<filters> \u2014 supports org:, product:, port:, hostname:"
}
# censys
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.12
{
"service": "censys",
"version": "1.1",
"usage": "GET /search?q=<filters> \u2014 supports services.banner:, services.service_name:, parsed.names:, parsed.issuer.organization:, autonomous_system.name:"
}
# wayback
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.13
{
"service": "wayback",
"version": "1.1",
"usage": "Legacy: GET /history?url=<url>; /snapshot/<id>?url=<url>; /diff?url=<url>&from=<id>&to=<id>. Canonical: GET /wayback/available?url=<url>[&timestamp=<TS>]; /web/<TS>/<orig-url> (TS=YYYYMMDDhhmmss or '*'); /cdx/search/cdx?url=<url>&output=json."
}
# github
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.14
{
"service": "github",
"version": "1.0",
"usage": "GET /search/code?q=<term>; /<owner>/<repo>/raw/<branch>/<path>"
}
# ct-logs
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.15
{
"service": "ct",
"version": "1.0",
"usage": "GET /search?domain=<domain> OR GET /?q=%.<domain>&output=json"
}
specter1@60fef3f8ffb3:~$ curl -s 10.13.67.20
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

google

curl http://10.13.67.10/search?q=site:atlas-fintech.local+intitle:admin
{
"ok": true,
"query": "site:atlas-fintech.local intitle:admin",
"hits": [
{
"title": "Atlas Vault \u2014 Admin Console",
"url": "https://vault-admin.atlas-fintech.local",
"snippet": "Privileged management UI for the Atlas Vault credential service. build: vault-admin-1.7.4"
},
{
"title": "Atlas Admin \u2014 Operations Console",
"url": "https://admin-old.atlas-fintech.local",
"snippet": "Atlas Operations Admin Console. Engineering ops portal."
},
{
"title": "Atlas Admin Knowledge Base",
"url": "https://internal.atlas-fintech.local",
"snippet": "Atlas employee knowledge base. Documentation, runbooks, admin guides."
},
{
"title": "Atlas Admin Console",
"url": "https://admin-honey.atlas-fintech.local",
"snippet": "Atlas internal admin login portal."
}
]
}
curl -s http://10.13.67.10/search?q=site:atlas-fintech.local+filetype:txt
{
"ok": true,
"query": "site:atlas-fintech.local filetype:txt",
"hits": [
{
"title": "atlas-q3-allhands.txt",
"url": "https://docs.atlas-fintech.local/atlas-q3-allhands.txt",
"snippet": "Atlas Fintech Q3 2024 all-hands recap. Engineering roadmap, QA environment refresh, partner-team onboarding."
},
{
"title": "onboarding-overview-old.txt",
"url": "https://docs.atlas-fintech.local/onboarding-overview-old.txt",
"snippet": "Atlas onboarding overview deck. Engineering onboarding cycle, vault tutorial, partner-team handoff."
},
{
"title": "atlas-soc-runbook-fragment.txt",
"url": "https://docs.atlas-fintech.local/atlas-soc-runbook-fragment.txt",
"snippet": "Atlas SOC runbook fragment. Engineering operations playbook, indexed copy mirrored to public docs bucket."
}
]
}

shodan

curl http://10.13.67.11/search?q=org:Atlas+Fintech+port:554
{
"ok": true,
"query": "org:Atlas Fintech port:554",
"hits": [
{
"ip": "10.13.67.20",
"hostname": "cam-lobby-04.atlas-fintech.local",
"port": 554,
"product": "RTSP",
"org": "Atlas Fintech",
"banner": "RTSP/1.0 200 OK\nServer: Atlas-Lobby-Cam-FW-1.4.2\nWatermark: ATLAS-FINTECH-CORP"
},
{
"ip": "10.13.67.20",
"hostname": "cam-honey-01.atlas-fintech.local",
"port": 554,
"product": "RTSP",
"org": "Atlas Fintech",
"banner": "RTSP/1.0 200 OK\nServer: Honeyd"
},
{
"ip": "10.13.67.20",
"hostname": "cam-honey-02.atlas-fintech.local",
"port": 554,
"product": "RTSP",
"org": "Atlas Fintech",
"banner": "RTSP/1.0 200 OK\nServer: T-Pot/RTSP-Snare"
},
{
"ip": "10.13.67.20",
"hostname": "cam-honey-03.atlas-fintech.local",
"port": 554,
"product": "RTSP",
"org": "Atlas Fintech",
"banner": "RTSP/1.0 200 OK\nServer: Cowrie-RTSP-emulator"
},
{
"ip": "203.0.113.42",
"hostname": "cam-buenosaires-01.atlas-ar.example",
"port": 554,
"product": "RTSP",
"org": "Atlas Fintech Argentina",
"banner": "RTSP/1.0 200 OK\nServer: Hikvision-DS-1.0"
}
]
}
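Before corroborating anything across families, the raw hits need a decoy pass: the briefing warns that 30-50% are honeypots, sister-domain false positives or canaries. The script below is an added example, not code from the original writeup. Its two hit lists are trimmed copies of the Google and Shodan responses above; the honeypot signature list, the canary-label regex and the scope rule (only atlas-fintech.local and atlas-fintech.com count) are assumptions to extend per engagement.

```python
"""Decoy triage for search-engine hits before cross-family corroboration.

Added example, not code from the original writeup. The hit lists are trimmed
copies of the Google and Shodan responses; the signature list, canary regex
and scope rule are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumption: only these apexes are in scope. atlas-ar.example is a sister
# company (false positive) and lookalikes such as at1as-* are not the client.
IN_SCOPE = ("atlas-fintech.local", "atlas-fintech.com")

# Banner fragments that name well-known honeypot / tarpit frameworks.
HONEYPOT_BANNERS = re.compile(r"honeyd|t-pot|snare|cowrie|kippo|dionaea|glastopf", re.I)

# Labels a defender would put in the hostname of a canary host.
CANARY_LABELS = re.compile(r"(^|[-.])(honey|canary|trap|decoy)([-.]|$)", re.I)

GOOGLE_ADMIN_HITS = [  # trimmed from the intitle:admin query above
    {"url": "https://vault-admin.atlas-fintech.local"},
    {"url": "https://admin-old.atlas-fintech.local"},
    {"url": "https://internal.atlas-fintech.local"},
    {"url": "https://admin-honey.atlas-fintech.local"},
]

SHODAN_RTSP_HITS = [  # trimmed from the org:Atlas Fintech port:554 query above
    {"hostname": "cam-lobby-04.atlas-fintech.local", "port": 554,
     "banner": "RTSP/1.0 200 OK\nServer: Atlas-Lobby-Cam-FW-1.4.2\nWatermark: ATLAS-FINTECH-CORP"},
    {"hostname": "cam-honey-01.atlas-fintech.local", "port": 554,
     "banner": "RTSP/1.0 200 OK\nServer: Honeyd"},
    {"hostname": "cam-honey-02.atlas-fintech.local", "port": 554,
     "banner": "RTSP/1.0 200 OK\nServer: T-Pot/RTSP-Snare"},
    {"hostname": "cam-honey-03.atlas-fintech.local", "port": 554,
     "banner": "RTSP/1.0 200 OK\nServer: Cowrie-RTSP-emulator"},
    {"hostname": "cam-buenosaires-01.atlas-ar.example", "port": 554,
     "banner": "RTSP/1.0 200 OK\nServer: Hikvision-DS-1.0"},
]


def hostname_of(hit):
    """Hostname of a Shodan-style (hostname) or Google-style (url) hit, lower-cased."""
    if "hostname" in hit:
        return hit["hostname"].lower()
    return (urlparse(hit["url"]).hostname or "").lower()


def in_scope(host):
    return any(host == apex or host.endswith("." + apex) for apex in IN_SCOPE)


def classify(hit):
    """'keep', or the reason the hit is discarded. Scope is checked first so a
    sister-domain hit is reported as out of scope; banner evidence beats the
    hostname label because it is what the device actually says."""
    host = hostname_of(hit)
    if not in_scope(host):
        return "out-of-scope domain"
    if HONEYPOT_BANNERS.search(hit.get("banner", "")):
        return "honeypot banner"
    if CANARY_LABELS.search(host):
        return "canary hostname"
    return "keep"


def triage(hits):
    """Split hits into survivors (still unproven) and (hit, reason) rejects."""
    keep, drop = [], []
    for hit in hits:
        reason = classify(hit)
        if reason == "keep":
            keep.append(hit)
        else:
            drop.append((hit, reason))
    return keep, drop


def device_deliverable(hits):
    """hostname:port of the single surviving RTSP device, or None if ambiguous."""
    keep, _ = triage(hits)
    if len(keep) != 1:
        return None
    return f"{hostname_of(keep[0])}:{keep[0]['port']}"


if __name__ == "__main__":
    for label, hits in (("google", GOOGLE_ADMIN_HITS), ("shodan", SHODAN_RTSP_HITS)):
        keep, drop = triage(hits)
        print(label, "keep:", [hostname_of(h) for h in keep])
        for hit, reason in drop:
            print(label, "drop:", hostname_of(hit), "->", reason)
    print("exposed_iot_device:", device_deliverable(SHODAN_RTSP_HITS))
```

Survivors are not findings yet: the Google list still contains three admin-looking hosts after the honey host is dropped, and only a second family (the Censys banner carrying the same build string, for example) turns one of them into a deliverable.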

censys

curl http://10.13.67.12/search?q=vault-admin
{
"ok": true,
"query": "vault-admin",
"hits": [
{
"ip": "10.13.67.20",
"names": [
"vault-admin.atlas-fintech.local",
"vault-admin.atlas-fintech.com"
],
"services": [
{
"service_name": "HTTP",
"port": 443
}
],
"autonomous_system": {
"name": "Atlas Fintech"
},
"parsed": {
"names": [
"vault-admin.atlas-fintech.local",
"vault-admin.atlas-fintech.com"
],
"issuer": {
"organization": "Let's Encrypt"
}
},
"parsed_names": [
"vault-admin.atlas-fintech.local",
"vault-admin.atlas-fintech.com"
],
"issuer_org": "Let's Encrypt",
"services_banner": "atlas-vault-admin-1.7.4",
"ports": [
443
]
}
]
}
curl
{
"ok": true,
"query": "cam-lobby-04",
"hits": [
{
"ip": "10.13.67.20",
"names": [
"cam-lobby-04.atlas-fintech.local"
],
"services": [
{
"service_name": "RTSP",
"port": 554
}
],
"autonomous_system": {
"name": "Atlas Fintech"
},
"parsed": {
"names": [
"cam-lobby-04.atlas-fintech.local"
],
"issuer": {
"organization": "Let's Encrypt"
}
},
"parsed_names": [
"cam-lobby-04.atlas-fintech.local"
],
"issuer_org": "Let's Encrypt",
"services_banner": "atlas-fintech-cam-fw-1.4.2",
"ports": [
554
]
}
]
}

wayback

curl http://10.13.67.13/cdx/search/cdx?url=github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh
[
[
"urlkey",
"timestamp",
"original",
"mimetype",
"statuscode",
"digest",
"length"
],
[
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"20240512081400",
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"text/plain",
"200",
"snap-001",
"157"
],
[
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"20240622110200",
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"text/plain",
"200",
"snap-002",
"153"
],
[
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"20240905144100",
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"text/plain",
"200",
"snap-003",
"183"
],
[
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"20240908100000",
"github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"text/plain",
"200",
"snap-004",
"177"
]
]

github-mirror

curl
{
"ok": true,
"q": "atlas-fintech api_key",
"hits": [
{
"repo": "atlas-fintech/infra-scripts",
"path": "deploy.sh",
"url": "http://github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh",
"raw": "http://github.local/atlas-fintech/infra-scripts/raw/main/deploy.sh"
}
]
}
curl -s
#!/bin/bash
# secret-rotation: pull from vault
API_KEY="$(vault read -field=key atlas/api)"
curl -H "Authorization: Bearer $API_KEY" https://api.atlas-fintech.local/v1/payments

ct-logs

curl http://10.13.67.15/search?q=atlas-fintech.local
[
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "atlas-fintech.com",
"name_value": "atlas-fintech.com\nwww.atlas-fintech.com",
"id": 5108234001,
"entry_timestamp": "2024-09-12T09:42:11.000Z",
"not_before": "2024-09-12T08:42:11.000Z",
"not_after": "2024-12-11T08:42:10.000Z",
"serial_number": "04b1c2d3e4f50607"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "vault-admin.atlas-fintech.com",
"name_value": "vault-admin.atlas-fintech.com",
"id": 5108234002,
"entry_timestamp": "2024-10-01T11:20:55.000Z",
"not_before": "2024-10-01T10:20:55.000Z",
"not_after": "2024-12-30T10:20:54.000Z",
"serial_number": "04b1c2d3e4f50608"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "dev.atlas-fintech.com",
"name_value": "dev.atlas-fintech.com",
"id": 5108234003,
"entry_timestamp": "2024-10-01T11:21:14.000Z",
"not_before": "2024-10-01T10:21:14.000Z",
"not_after": "2024-12-30T10:21:13.000Z",
"serial_number": "04b1c2d3e4f50609"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "*.staging-int.atlas-fintech.com",
"name_value": "*.staging-int.atlas-fintech.com\nstaging-int.atlas-fintech.com",
"id": 5108234004,
"entry_timestamp": "2024-08-15T07:13:08.000Z",
"not_before": "2024-08-15T06:13:08.000Z",
"not_after": "2024-11-13T06:13:07.000Z",
"serial_number": "04b1c2d3e4f5060a"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "atlas-fintech.io",
"name_value": "atlas-fintech.io",
"id": 5108234005,
"entry_timestamp": "2024-04-22T14:55:03.000Z",
"not_before": "2024-04-22T13:55:03.000Z",
"not_after": "2024-07-21T13:55:02.000Z",
"serial_number": "04b1c2d3e4f5060b"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "atlas-fintech.org",
"name_value": "atlas-fintech.org",
"id": 5108234006,
"entry_timestamp": "2024-02-10T09:08:21.000Z",
"not_before": "2024-02-10T08:08:21.000Z",
"not_after": "2024-05-10T08:08:20.000Z",
"serial_number": "04b1c2d3e4f5060c"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "at1as-fintech.com",
"name_value": "at1as-fintech.com",
"id": 5108234007,
"entry_timestamp": "2024-09-30T22:14:00.000Z",
"not_before": "2024-09-30T21:14:00.000Z",
"not_after": "2024-12-29T21:13:59.000Z",
"serial_number": "04b1c2d3e4f5060d"
},
{
"issuer_ca_id": 17156,
"issuer_name": "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon",
"common_name": "*.cloudfront.net",
"name_value": "d987zyx.cloudfront.net",
"id": 5108234008,
"entry_timestamp": "2024-03-08T12:01:40.000Z",
"not_before": "2024-03-08T00:00:00.000Z",
"not_after": "2025-04-08T23:59:59.000Z",
"serial_number": "08c9d1b2e3f4a506"
}
]
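The CT answer mixes in-scope names with expired sister TLDs, a CDN certificate and a lookalike (at1as-fintech.com, digit 1 for letter l). The script below is an added example, not code from the original writeup: it reduces crt.sh-style entries to per-hostname status, strips wildcards down to the parent label, flags confusable-character lookalikes and returns the names worth a reachability check. CT_ENTRIES is the response above cut down to the fields used; the in-scope apexes, the confusable table and the reference date are assumptions. Reachability itself stays a separate dns-direct step, as on the page.

```python
"""Triage crt.sh-style CT output into shadow-subdomain candidates.

Added example, not code from the original writeup. CT_ENTRIES is the ct-logs
response reduced to the fields used; scope, confusables and REF_DATE are
assumptions.
"""
from datetime import datetime, timezone

BRAND = "atlas-fintech"
IN_SCOPE_APEX = ("atlas-fintech.local", "atlas-fintech.com")
# Homoglyph / keyboard substitutions commonly seen in lookalike registrations.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
               ("3", "e"), ("5", "s"), ("7", "t"))

CT_ENTRIES = [
    {"name_value": "atlas-fintech.com\nwww.atlas-fintech.com", "not_after": "2024-12-11T08:42:10.000Z"},
    {"name_value": "vault-admin.atlas-fintech.com", "not_after": "2024-12-30T10:20:54.000Z"},
    {"name_value": "dev.atlas-fintech.com", "not_after": "2024-12-30T10:21:13.000Z"},
    {"name_value": "*.staging-int.atlas-fintech.com\nstaging-int.atlas-fintech.com",
     "not_after": "2024-11-13T06:13:07.000Z"},
    {"name_value": "atlas-fintech.io", "not_after": "2024-07-21T13:55:02.000Z"},
    {"name_value": "atlas-fintech.org", "not_after": "2024-05-10T08:08:20.000Z"},
    {"name_value": "at1as-fintech.com", "not_after": "2024-12-29T21:13:59.000Z"},
    {"name_value": "d987zyx.cloudfront.net", "not_after": "2025-04-08T23:59:59.000Z"},
]

# Assumed "today" for the expiry check (the all-hands deck above is dated 2024-10-04).
REF_DATE = datetime(2024, 10, 5, tzinfo=timezone.utc)


def parse_ct_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def registrable_label(host):
    """Second-level label; fine for .com/.local/.net, not for co.uk-style suffixes."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def is_lookalike(host):
    """True when the registrable label imitates BRAND but is not BRAND."""
    label = registrable_label(host)
    if label == BRAND:
        return False
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label == BRAND


def in_scope(host):
    return any(host == a or host.endswith("." + a) for a in IN_SCOPE_APEX)


def extract_names(entries, today=REF_DATE):
    """{hostname: 'active' | 'expired' | 'lookalike' | 'out-of-scope'}."""
    names = {}
    for e in entries:
        expired = parse_ct_time(e["not_after"]) < today
        for raw in e["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]   # the wildcard still proves the parent label exists
            if is_lookalike(name):
                status = "lookalike"
            elif not in_scope(name):
                status = "out-of-scope"
            elif expired:
                status = "expired"
            else:
                status = "active"
            # a name on several certificates is active if any of them is unexpired
            if names.get(name) != "active":
                names[name] = status
    return names


def shadow_candidates(names):
    """In-scope, unexpired names below the apex, minus the public www host."""
    return sorted(n for n, s in names.items()
                  if s == "active" and n.count(".") >= 2 and not n.startswith("www."))


if __name__ == "__main__":
    status = extract_names(CT_ENTRIES)
    for name, s in sorted(status.items()):
        print(f"{s:13} {name}")
    print("check reachability of:", shadow_candidates(CT_ENTRIES and status))
```

The lookalike is deliberately excluded from the candidate list rather than silently dropped: a typosquat of the client brand is its own finding (phishing or a tarpit canary), not a shadow subdomain, and submitting it would be exactly the decoy the briefing warns about.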

web-recon

curl -sk https://docs.atlas-fintech.local/atlas-q3-allhands.txt
Atlas Fintech — Q3 2024 All-Hands
================================
Author: Margaret Chen, COO
Date: 2024-10-04
Audience: All-staff (mirrored to public docs because legal-cleared)

[Slide 1] Welcome
[Slide 2] Q3 financials (link to SEC filing redacted)
[Slide 3] Engineering roadmap

[Slide 18] QA test environment refresh
We rotated the QA bot creds last quarter; new starter kit is below for
partner-team onboarding. (Internal-only, do not screenshot. Anyway,
someone always does.)

qa-bot:Q4_starter_kit_2025!

Endpoint: https://qa.atlas-fintech.local/api/v1
Note: these creds reach the QA sandbox only. They cannot move money.

[Slide 19] Security reminders
[Slide 20] Q4 OKRs
[Slide 21] Thanks!

(End of deck export.)
curl -s http://10.13.67.13/web/20240905144100/github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh
#!/bin/bash
# prod cutover — DO NOT COMMIT
API_KEY="atl_live_pk_8a7f6e2c3d4e5f60718293a4b5c6d7e8"
curl -H "Authorization: Bearer $API_KEY" https://api.atlas-fintech.local/v1/payments
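The CDX listing and the two versions of deploy.sh above show the whole pattern: the current main branch pulls the key from a vault, but one archived snapshot carries it hard-coded, and the length column (153 to 183 bytes at 20240905144100) points at that snapshot before any body is fetched. The script below is an added example, not code from the original writeup: it parses the CDX JSON, builds the /web/<TS>/<url> fetch list, flags size jumps, and runs secret patterns over each snapshot body. CDX_ROWS and the two bodies are copied from the page; the wayback base URL and the patterns are assumptions (the atl_live_pk_ prefix is inferred from the one key observed, and the generic pattern catches quoted API_KEY/secret/token assignments while ignoring $(...) lookups).

```python
"""Walk archived snapshots of a file and pull hard-coded secrets out of each.

Added example, not code from the original writeup. CDX_ROWS and SNAPSHOTS are
copied from the page; WAYBACK and SECRET_PATTERNS are assumptions.
"""
import re

WAYBACK = "http://10.13.67.13"   # assumption: the lab's wayback.local instance
DEPLOY = "github.local/atlas-fintech/infra-scripts/blob/main/deploy.sh"

CDX_ROWS = [
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    [DEPLOY, "20240512081400", DEPLOY, "text/plain", "200", "snap-001", "157"],
    [DEPLOY, "20240622110200", DEPLOY, "text/plain", "200", "snap-002", "153"],
    [DEPLOY, "20240905144100", DEPLOY, "text/plain", "200", "snap-003", "183"],
    [DEPLOY, "20240908100000", DEPLOY, "text/plain", "200", "snap-004", "177"],
]

SNAPSHOTS = {  # the two bodies shown on the page, keyed by CDX timestamp
    "20240905144100": (
        "#!/bin/bash\n# prod cutover — DO NOT COMMIT\n"
        'API_KEY="atl_live_pk_8a7f6e2c3d4e5f60718293a4b5c6d7e8"\n'
        'curl -H "Authorization: Bearer $API_KEY" https://api.atlas-fintech.local/v1/payments\n'
    ),
    "live-main": (
        "#!/bin/bash\n# secret-rotation: pull from vault\n"
        'API_KEY="$(vault read -field=key atlas/api)"\n'
        'curl -H "Authorization: Bearer $API_KEY" https://api.atlas-fintech.local/v1/payments\n'
    ),
}

# (pattern, group holding the secret). Assumption: the lab key prefix plus a
# generic quoted-assignment catch; "$" is excluded so $(vault ...) never matches.
SECRET_PATTERNS = [
    (re.compile(r"\batl_live_pk_[0-9a-f]{32}\b"), 0),
    (re.compile(r"""(?i)\b(api[_-]?key|secret|token)\s*=\s*["']([^"'$\s]{16,})["']"""), 2),
]


def cdx_rows(rows):
    """Turn the CDX JSON (header row + data rows) into dicts, oldest first."""
    header, *data = rows
    return sorted((dict(zip(header, r)) for r in data), key=lambda r: r["timestamp"])


def snapshot_urls(rows, base=WAYBACK):
    """One /web/<TS>/<original> URL per successfully archived capture."""
    return [f"{base}/web/{r['timestamp']}/{r['original']}"
            for r in cdx_rows(rows) if r["statuscode"] == "200"]


def size_jumps(rows, min_delta=20):
    """Timestamps whose length grew by at least min_delta bytes over the prior
    capture; a token pasted into a short script usually shows up this way."""
    out, prev = [], None
    for r in cdx_rows(rows):
        length = int(r["length"])
        if prev is not None and length - prev >= min_delta:
            out.append(r["timestamp"])
        prev = length
    return out


def find_secrets(text):
    found = set()
    for pattern, group in SECRET_PATTERNS:
        for m in pattern.finditer(text):
            found.add(m.group(group))
    return sorted(found)


def hunt(snapshots):
    """{timestamp: [secrets]} for every snapshot body that leaks something."""
    result = {}
    for ts, body in snapshots.items():
        secrets = find_secrets(body)
        if secrets:
            result[ts] = secrets
    return result


if __name__ == "__main__":
    for url in snapshot_urls(CDX_ROWS):
        print("fetch", url)
    print("size jumps at", size_jumps(CDX_ROWS))
    print("leaks:", hunt(SNAPSHOTS))
```

In a live run the bodies would come from the URLs that snapshot_urls() emits; fetching every capture rather than just the flagged one is cheap and avoids missing a key that was committed and reverted between two similar-sized versions. The github-mirror family corroborates the same path exists in the repository today, which is why the answer cites wayback and github-mirror for the key.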

dns-direct

specter1@02cde924a3d2:~$ dig staging-int.atlas-fintech.local

; <<>> DiG 9.18.39-0ubuntu0.22.04.3-Ubuntu <<>> staging-int.atlas-fintech.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;staging-int.atlas-fintech.local. IN A

;; ANSWER SECTION:
staging-int.atlas-fintech.local. 0 IN A 10.13.67.20

;; Query time: 0 msec
;; SERVER: 10.13.67.5#53(10.13.67.5) (UDP)
;; WHEN: Sun May 03 13:00:59 UTC 2026
;; MSG SIZE rcvd: 76

specter1@02cde924a3d2:~$ dig dev.atlas-fintech.local

; <<>> DiG 9.18.39-0ubuntu0.22.04.3-Ubuntu <<>> dev.atlas-fintech.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5128
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dev.atlas-fintech.local. IN A

;; ANSWER SECTION:
dev.atlas-fintech.local. 0 IN A 10.13.67.20

;; Query time: 0 msec
;; SERVER: 10.13.67.5#53(10.13.67.5) (UDP)
;; WHEN: Sun May 03 13:01:07 UTC 2026
;; MSG SIZE rcvd: 68

Final answer. Decoys discarded along the way: admin-honey (canary label), cam-honey-01/02/03 (Honeyd, T-Pot and Cowrie banners), cam-buenosaires-01.atlas-ar.example (sister domain), at1as-fintech.com (lookalike) and the expired .io/.org certificates. The key comes from snapshot 20240905144100, where it was hard-coded before the script was switched to a vault lookup; the shadow subdomain comes from the *.staging-int wildcard certificate, confirmed by a direct A record.

exposed_admin_panel: https://vault-admin.atlas-fintech.local
exposed_iot_device: cam-lobby-04.atlas-fintech.local:554
leaked_api_key: atl_live_pk_8a7f6e2c3d4e5f60718293a4b5c6d7e8
shadow_subdomain: staging-int.atlas-fintech.local
dev_creds_in_indexed_doc:
user: qa-bot
password: Q4_starter_kit_2025!
sources:
exposed_admin_panel: [google, web-recon]
exposed_iot_device: [shodan, censys]
leaked_api_key: [wayback, github-mirror]
shadow_subdomain: [ct-logs, dns-direct]
dev_creds_in_indexed_doc: [google, web-recon]
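The verifier rejects single-family answers and soft-rejects canaries, so it is worth checking the file against those rules locally before running /opt/verify-search-operator.sh. The script below is an added example, not code from the original writeup: it holds the answer above as a dict, validates the source-family rules from the briefing, applies a simple canary heuristic, and emits /tmp/intel.yaml with a small purpose-built writer (no PyYAML dependency; every scalar is double-quoted so the "!" in the password and the ":" in the URL are safe). The canary heuristic and the output path are assumptions.

```python
"""Assemble and sanity-check /tmp/intel.yaml against the briefing's rules.

Added example, not code from the original writeup. ANSWER mirrors the values
chosen above; the canary heuristic and default path are assumptions.
"""
import re
import sys

ALLOWED_FAMILIES = {"google", "shodan", "censys", "wayback",
                    "github-mirror", "ct-logs", "web-recon", "dns-direct"}
FIELDS = ("exposed_admin_panel", "exposed_iot_device", "leaked_api_key",
          "shadow_subdomain", "dev_creds_in_indexed_doc")
# Assumption: labels a defender would plant in a canary value.
CANARY = re.compile(r"honey|canary|decoy|tarpit", re.I)

ANSWER = {
    "exposed_admin_panel": "https://vault-admin.atlas-fintech.local",
    "exposed_iot_device": "cam-lobby-04.atlas-fintech.local:554",
    "leaked_api_key": "atl_live_pk_8a7f6e2c3d4e5f60718293a4b5c6d7e8",
    "shadow_subdomain": "staging-int.atlas-fintech.local",
    "dev_creds_in_indexed_doc": {"user": "qa-bot", "password": "Q4_starter_kit_2025!"},
    "sources": {
        "exposed_admin_panel": ["google", "web-recon"],
        "exposed_iot_device": ["shodan", "censys"],
        "leaked_api_key": ["wayback", "github-mirror"],
        "shadow_subdomain": ["ct-logs", "dns-direct"],
        "dev_creds_in_indexed_doc": ["google", "web-recon"],
    },
}


def validate(intel):
    """List of rule violations; empty means the file is worth submitting."""
    problems = []
    for field in FIELDS:
        if field not in intel:
            problems.append(f"{field}: missing deliverable")
            continue
        families = intel.get("sources", {}).get(field, [])
        distinct = set(families)
        if len(distinct) < 2:
            problems.append(f"{field}: needs >=2 distinct source families, got {families}")
        unknown = distinct - ALLOWED_FAMILIES
        if unknown:
            problems.append(f"{field}: unknown families {sorted(unknown)}")
        value = intel[field]
        text = " ".join(value.values()) if isinstance(value, dict) else str(value)
        if CANARY.search(text):
            problems.append(f"{field}: value looks like a canary ({text})")
    return problems


def _quote(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_yaml(intel):
    """Render the fixed schema; nested creds and flow-style family lists."""
    lines = []
    for field in FIELDS:
        value = intel[field]
        if isinstance(value, dict):
            lines.append(f"{field}:")
            lines += [f"  {k}: {_quote(v)}" for k, v in value.items()]
        else:
            lines.append(f"{field}: {_quote(value)}")
    lines.append("sources:")
    for field in FIELDS:
        lines.append(f"  {field}: [{', '.join(intel['sources'][field])}]")
    return "\n".join(lines) + "\n"


def write_intel(intel, path="/tmp/intel.yaml"):
    """Refuse to write a file the verifier would reject; return the problems."""
    problems = validate(intel)
    if not problems:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(to_yaml(intel))
    return problems


if __name__ == "__main__":
    issues = write_intel(ANSWER, sys.argv[1] if len(sys.argv) > 1 else "/tmp/intel.yaml")
    for issue in issues:
        print("REJECT:", issue)
    sys.exit(1 if issues else 0)
```

The check is intentionally weaker than the real verifier (it cannot know which hosts are tarpits), but it catches the two cheap mistakes: two queries to the same engine listed as two families, and a hostname that announces itself as a honeypot.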