# Laravel Apps Leaking Secrets

**[thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/](https://thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/)**

February 28, 2021

An attacker logged in through RDP a few days ago to run a “smtp cracker” that scans a list of
IP addresses or URLs looking for misconfigured Laravel systems. These attackers are
looking for websites that have debug mode enabled, which allows the attacker to see their
.env (config) file. The .env file includes AWS, O365, SendGrid, Twilio credentials and more.

What is Laravel?

Laravel is a free, open-source[3] PHP web framework, created by Taylor Otwell and
intended for the development of web applications

_https://en.wikipedia.org/wiki/Laravel_


-----

Laravel provides drivers for SMTP, Mailgun, Mandrill, Amazon SES, PHP s mail
function, and sendmail, allowing you to quickly get started sending mail through a local
or cloud based service of your choice.

_https://laravel.com/docs/5.1/mail_

The debug option is turned off by default on Laravel systems, but it appears many users are
enabling debug and not understanding the consequences. Here’s an example of debug
being enabled (set to true) in the .env config file.

web response (not actual

config file)
You can check to see if debug is enabled by checking for .env in the web root (site.com/.env)
or by sending random data to the webserver and reviewing the response. In the response,
you will see the debug option as well as all the information from the .env file, which includes
the secrets.

Here’s an example of a web response with debug enabled:


-----

Here s an example of an .env file:


-----

The smtp cracker script, which by the way–is not a cracker, and grabs more than just smtp
credentials; it uses the above methods to crawl a list of IPs/URLs looking for specific strings
in the response such as PayPal, AWS_KEY, SES_KEY, Twilio, sendgrid, office365, zoho,
mailgun and others.

Here’s part of the script, where it looks for a string in mailhost and outputs the secret(s) to the
appropriate file.

The output of the script is saved in a folder named Results. The results are divided into
groups as seen above.


-----

Inside those files contain the secrets and method used to extract the information. This is a
partial example of the sendgrid file:


-----

This is a partial example of the office365 text file:


-----

We are in the process of contacting over 100 people/organizations who’s systems are
leaking secrets via Laravel debug in hopes that they will remediate the issue and change
[their passwords. If anyone needs help fixing this issue, please use the Contact Us form to](https://thedfirreport.com/contact/)
get in touch.

## MITRE ATT&CK

 Initial Access

RDP login as local admin from 64.86.198[.]22. No brute force attempts were seen from this
IP.

## Execution

The attacker installed and used Python 2.7 to execute the smtp cracker script.


-----

Pip was used to install 4 modules.
```
pip install requests
pip install colorama
pip install bs4
pip install tldextract

## Detections

```

-----

Web requests to root/.env or post data that includes 0x[]:androxgh0st (hard coded string in
smtp.py)

## IOCs

[If you would like access to our internal MISP and/or threat feeds please see here.](https://thedfirreport.com/services/)

## File

filename smtp.py

md5 39e1ec2c704bcdb57034da4ac288446e

sha1 352e9c78f08574adbaa0aaf49c19d5853bb4be36

sha256 478290f801dafc9086810f857c123d74690920a4c44fb573cd01463c1b6fb432

## Network

type value comment

ip-src 64.86.198.22 RDP Unauthorized Access
```
Valid Accounts - T1078  
Python - T1059.006  
Scripting - T1064  
User Execution - T1204  
Graphical User Interface - T1061  
Command and Scripting Interpreter - T1059  
Link to IOCs and artifacts

```

-----