L02 — Code & Secret Hunting
MISSION: Code & Secret Hunting
=============================
Quantum Holdings (target) fired their internal security team last
quarter. Crown-jewel secrets — AWS access keys, the prod database
password, the JWT signing secret — are scattered across public
code-hosting and code-indexing surfaces.
Your job:
1. Harvest the live secrets.
2. For each secret, demonstrate you can recover it via at LEAST
TWO independent tooling stacks. Recording your work is part of
the deliverable — the operator who can only use one tool dies
when that tool is deprecated.
3. Identify the deactivated-key canary the SOC team planted.
Submitting it as a real secret triggers a soft-rejection.
Submitting it in the canary slot earns the level.
Deliverables — write to /tmp/intel.yaml then run
/opt/verify-code-hunter.sh:
aws_access_key: <live AWS access key ID>
prod_db_password: <live prod database password>
jwt_signing_secret: <live JWT HS256 secret>
deactivated_canary: <the SOC-planted decoy you identified>
tool_paths: # for each LIVE secret, list ≥2
  aws_access_key: [<tool-stack-1>, <tool-stack-2>]
  prod_db_password: [<tool-stack-1>, <tool-stack-2>]
  jwt_signing_secret: [<tool-stack-1>, <tool-stack-2>]
Notes:
- "Tool stack" means a distinct family. Two queries against the
same code-search engine do NOT count as two stacks. Verifier
rejects dependent-source clusters.
- The obvious tool will rate-limit you mid-session. Plan for it.
- 30-50% of plausible "leaked" secrets are wrong — rotated,
typo-squat repos, or sister-org confusion. Cross-check before
submitting.
REFERENCE READING (if you get stuck):
- bellingcat.com — open-source investigation methodology
- berkeleyprotocol.org / OHCHR Berkeley Protocol PDF — chain of custody
- osintcurious.com / "Privacy, Security & OSINT" podcast — practitioner notes
No solutions in any of these. Methodology only.
Ephemeral session — no persistent state.
As usual, start by enumerating the internal network:
10.13.68.40 -> quantum-holdings.local.
At the same time, enumerate by hostname to identify the internal services:
github.com -> 10.13.68.70
gitleaks.io -> 10.13.68.72
sourcegraph.com -> 10.13.68.73
Then probe each of these services:
specter2@fe18a5b91e05:~$ curl -s 10.13.68.70
{
"service": "github",
"version": "1.0",
"usage": "GET /search/code?q=<query>; /<o>/<r>/raw/<b>/<p>"
}
specter2@fe18a5b91e05:~$ curl -s 10.13.68.71
{
"service": "wayback",
"version": "1.0",
"usage": "GET /history?url=<url>; /snapshot/<id>?url=<url>; /diff?url=<url>&from=<id>&to=<id>"
}
specter2@fe18a5b91e05:~$ curl -s 10.13.68.72
{
"service": "gitleaks-saas",
"version": "1.0",
"usage": "GET /scan?org=<org>"
}
1. Environment reconnaissance
curl http://10.13.68.70 → GitHub mock: returns API usage GET /search/code?q=<query>; /<o>/<r>/raw/<b>/<p>
curl http://10.13.68.72 (gitleaks.io) → Gitleaks SaaS: GET /scan?org=<org>
curl http://10.13.68.71 → Wayback Machine: GET /history?url=<url>; /snapshot/<id>?url=<url>; /diff?url=<url>&from=<id>&to=<id>
2. GitHub Code Search queries
/search/code?q=AKIA → 4 hits: payments-api/prod-bootstrap.sh, legacy-deploy/aws-bootstrap-2024.sh, quantumholdings/payments-api, prod-bootstrap.OLD.sh
/search/code?q=quantum → same as above + test-fixtures/jwt-test.yaml
/search/code?q=secret → same as above
3. Fetch raw files (GitHub Raw)
/quantum-holdings/payments-api/raw/main/deploy/prod-bootstrap.sh → live AWS key found: AKIAQH4FIN8CR0WN7EYS
/quantum-holdings/legacy-deploy/raw/main/scripts/aws-bootstrap-2024.sh → canary found: AKIA_HONEYPOT_DEAD_K3Y_2024 (DEACTIVATED / SOC honeypot)
/quantumholdings/payments-api/raw/main/deploy/prod-bootstrap.sh → fake key from a different org: AKIAQH4FIN8WRONG0RG12 (excluded)
/quantum-holdings/payments-api/raw/main/deploy/prod-bootstrap.OLD.sh → old, already-rotated key: AKIAQHROTATEDKEY11AA22 (excluded)
/quantum-holdings/test-fixtures/raw/main/configs/jwt-test.yaml → JWT secret found: qh-jwt-hs256-9a2f4e1d8c7b6a5f
4. Gitleaks SaaS scan
/scan?org=quantum-holdings → 5 findings: live AWS key (validated), prod DB password (Qu4ntum_Pr0d_DB_2026!), canary (403, deactivated), old key (rotated), JWT secret (validated)
/scan?org=quantumholdings → 1 finding: fake key from a different org (excluded)
5. Wayback snapshots & diff
/history?url=.../prod-bootstrap.sh → 3 snapshots: snap-001 (2025-09), snap-002 (2026-01), snap-003 (2026-04)
/snapshot/snap-001 → initial key: AKIAQH4FIN8INITIAL01ABC
/snapshot/snap-002 → rotated key: AKIAQHROTATEDKEY11AA22
/snapshot/snap-003 → live key: AKIAQH4FIN8CR0WN7EYS
/diff?url=...&from=snap-002&to=snap-003 → confirms the key rotation sequence
/history?url=.../actions/runs/4812 → CI log snapshots
/snapshot/snap-ci-001 → CI log exposes the DB password: Qu4ntum_Pr0d_DB_2026!
6. Services discovered via DNS
github.com → 10.13.68.70 (GitHub mock)
gitleaks.io → 10.13.68.72 (Gitleaks SaaS)
trufflehog.io / gitguardian.com → 10.13.68.72 (same backend as gitleaks.io)
sourcegraph.com → 10.13.68.73 (unreachable)
web.archive.org → 10.13.68.71 (Wayback Machine)
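The brief's three traps (dependent-source clusters that only look like two stacks, rotated and typo-squat keys, and the SOC canary) all come down to triage logic that can be written once and run over every candidate. The script below is an added example, not the lab's verifier or any vendor tool; its findings list, its source-to-backend map (built from the step-6 DNS results, where trufflehog.io and gitguardian.com resolve to the gitleaks backend) and its verdict rules are constructed from the values in this writeup. Sources sharing a backend collapse to one stack, an org that matches the target only after stripping separators is flagged as a look-alike, a "deactivated" status routes the value to the canary slot, and a "rotated" status excludes it:

```python
"""Triage leaked-secret candidates collected from several tool stacks.

Added example for the mission notes and the six-step walkthrough above.
Findings, the source-to-backend map and the verdict rules are constructed
from values in the writeup; this is not the lab verifier, nor code from
gitleaks, GitHub or Wayback.
"""
import re
from collections import defaultdict

# Real AWS access key IDs are 20 characters: "AKIA" followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"^AKIA[0-9A-Z]{16}$")

# Source -> backend address, taken from the step-6 DNS results (constructed map).
# Sources sharing a backend form one dependent cluster and count as ONE stack.
SOURCE_BACKEND = {
    "github.com": "10.13.68.70",
    "web.archive.org": "10.13.68.71",
    "gitleaks.io": "10.13.68.72",
    "trufflehog.io": "10.13.68.72",
    "gitguardian.com": "10.13.68.72",
}

TARGET_ORG = "quantum-holdings"

# Constructed findings: (source, org, kind, value, status as reported by that source).
FINDINGS = [
    ("github.com", "quantum-holdings", "aws_access_key", "AKIAQH4FIN8CR0WN7EYS", "unknown"),
    ("web.archive.org", "quantum-holdings", "aws_access_key", "AKIAQH4FIN8CR0WN7EYS", "unknown"),
    ("gitleaks.io", "quantum-holdings", "aws_access_key", "AKIAQH4FIN8CR0WN7EYS", "validated"),
    ("github.com", "quantum-holdings", "aws_access_key", "AKIA_HONEYPOT_DEAD_K3Y_2024", "deactivated"),
    ("gitleaks.io", "quantum-holdings", "aws_access_key", "AKIA_HONEYPOT_DEAD_K3Y_2024", "deactivated"),
    ("web.archive.org", "quantum-holdings", "aws_access_key", "AKIAQHROTATEDKEY11AA22", "rotated"),
    ("github.com", "quantumholdings", "aws_access_key", "AKIAQH4FIN8WRONG0RG12", "unknown"),
    ("gitleaks.io", "quantumholdings", "aws_access_key", "AKIAQH4FIN8WRONG0RG12", "unknown"),
    ("gitleaks.io", "quantum-holdings", "prod_db_password", "Qu4ntum_Pr0d_DB_2026!", "unknown"),
    ("trufflehog.io", "quantum-holdings", "prod_db_password", "Qu4ntum_Pr0d_DB_2026!", "unknown"),
    ("web.archive.org", "quantum-holdings", "prod_db_password", "Qu4ntum_Pr0d_DB_2026!", "unknown"),
    ("github.com", "quantum-holdings", "jwt_signing_secret", "qh-jwt-hs256-9a2f4e1d8c7b6a5f", "unknown"),
    ("gitleaks.io", "quantum-holdings", "jwt_signing_secret", "qh-jwt-hs256-9a2f4e1d8c7b6a5f", "validated"),
]


def normalize_org(org):
    """Collapse case and separators so 'quantumholdings' and 'quantum-holdings' compare equal."""
    return re.sub(r"[^a-z0-9]", "", org.lower())


def independent_stacks(sources):
    """Count distinct backends behind a set of sources; a dependent cluster collapses to one."""
    return len({SOURCE_BACKEND.get(s, s) for s in sources})


def representative_sources(sources):
    """One source name per backend, so tool_paths never lists two members of the same cluster."""
    seen, reps = set(), []
    for source in sorted(sources):
        backend = SOURCE_BACKEND.get(source, source)
        if backend not in seen:
            seen.add(backend)
            reps.append(source)
    return reps


def triage(findings, target_org=TARGET_ORG):
    """Group findings per (kind, value) and assign a verdict; returns {(kind, value): info}."""
    grouped = defaultdict(lambda: {"sources": set(), "orgs": set(), "statuses": set()})
    for source, org, kind, value, status in findings:
        rec = grouped[(kind, value)]
        rec["sources"].add(source)
        rec["orgs"].add(org)
        rec["statuses"].add(status)

    report = {}
    for (kind, value), rec in grouped.items():
        stacks = independent_stacks(rec["sources"])
        if target_org not in rec["orgs"]:
            # Typo-squat or sister-org repos: same name modulo separators, different owner.
            lookalike = any(normalize_org(o) == normalize_org(target_org) for o in rec["orgs"])
            verdict = "exclude: lookalike-org" if lookalike else "exclude: other-org"
        elif "deactivated" in rec["statuses"]:
            verdict = "canary"  # planted decoy: goes in the canary slot, never as a live secret
        elif "rotated" in rec["statuses"]:
            verdict = "exclude: rotated"  # superseded by a later snapshot
        elif stacks >= 2:
            verdict = "live"
        else:
            verdict = "needs-corroboration"  # seen, but only via one independent stack so far
        report[(kind, value)] = {
            "verdict": verdict,
            "stacks": stacks,
            "tool_paths": representative_sources(rec["sources"]),
            # Shape check is a hint only: a well-formed ID can still be dead or a decoy.
            "format_ok": bool(AWS_KEY_ID.match(value)) if kind == "aws_access_key" else None,
        }
    return report


if __name__ == "__main__":
    for (kind, value), info in triage(FINDINGS).items():
        print(f"{kind:20} {value:32} {info['verdict']:24} stacks={info['stacks']} paths={info['tool_paths']}")
```

The `format_ok` flag deserves a caveat: in this lab only the live key has the real 20-character shape, so a shape check alone would reach the right answer for the wrong reason. Shape is a cheap filter for obvious junk; the verdict should rest on provenance (org, status, rotation history) and on corroboration across backends that are actually independent.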
In summary, the final answer is:
aws_access_key: AKIAQH4FIN8CR0WN7EYS
prod_db_password: Qu4ntum_Pr0d_DB_2026!
jwt_signing_secret: qh-jwt-hs256-9a2f4e1d8c7b6a5f
deactivated_canary: AKIA_HONEYPOT_DEAD_K3Y_2024
tool_paths:
  aws_access_key: [github-code-search, wayback-diff]
  prod_db_password: [gitleaks-saas, wayback-diff]
  jwt_signing_secret: [github-code-search, gitleaks-saas]