Repl.it - Secrets, Mysteries, and a New Update!
I decided (finally) to look into repl.it's structure, and see if I could find anything neat. The results are... interesting, but thankfully I don't see any gaping holes, which is what I expected.
(Bonus message at the end - repl.it just did a very neat update)
I found these using the handy recon-ng tool and a google dork:
o1.sendgrid.repl.it
staging.repl.it
api.repl.it
eval.repl.it
nextval.repl.it
proxyval.repl.it
images.repl.it
status.repl.it
replbox.repl.it
www.repl.it
What, if anything, is on each of them?
o1.sendgrid.repl.it
I was unable to connect to this one, but that's just visiting it as a website. I'd like to do a portscan, but I'm concerned about the legality.
staging.repl.it
This one is pretty weird. It seems to be a mirror of the regular repl.it. Looking at the subdomain, staging, maybe it's a redundancy for the main site? For them to upgrade then switch? I'm not quite sure, as I haven't had much experience in the corporate world and I don't know how things are typically done. When you visit this site, you get prompted to log in. Doing this with Google doesn't work, and I haven't been bothered to try signing up yet. You can, however, create anonymous repls that work, so yeah.
Edit: Thanks to @PaoloAmoroso for explaining what a staging server is for -
"A staging server is a server for testing a system or some of its features using a setup and configuration similar to the production server's."
api.repl.it
Now, when I found this, I was reeeeeeaally hoping that they had a public API so I could automate some neat stuff; however, it appears to either be closed off or down, as I just get hit with a Cloudflare page.
Edit: Having just stumbled upon repl.sh, a project that appears to have been sadly abandoned, maybe this had something to do with it?
eval.repl.it
I cannot, for the life of me, imagine what this would be for. When visiting it, all it returns is ヾ(*ФωФ)βyё βyё☆彡. Now, what's neat is that you get the same result when doing something like this. Maybe it's the default return for whatever Google service repl.it use for running code.
Edit: after peeking into repl.it's abandoned CLI npm module, repl.sh, this appears to be the default option for the -G argument. It calls this the goval host, which I can't seem to find any information about. For now, I'll just assume this has been abandoned along with repl.sh.
nextval.repl.it
Google 404 page. As I suspected, repl.it use Google for something, whether it be data hosting or server management.
proxyval.repl.it
Wasn't able to connect to it through my browser. Judging from the name, it may have some interesting ports open, but I also doubt it.
images.repl.it
Strangely, I wasn't able to connect to this either. I was sure that they were hosting all their images on it, but maybe you need some form of authentication that I'm too dumb to figure out. I have no clue what I'm doing.
status.repl.it
This is pretty neat, it shows repl.it's uptime and other info.
replbox.repl.it
This one is really curious. If you head to this URL, it will just redirect you straight to repl.it; however, using the google dork site:replbox.repl.it (just search that up in Google) we can see what appear to be websites hosted on there. I'll look into that more later. They all appear to be under the /data/web_hosting_1/ URI, which I think means they're ready to expand, which is good.
Edit: Okay, I think it's for all the HTML, CSS and JS sites hosted on repl.it, but that can't be right, as there are way more than them. Actually, while I was typing this I now realise that it's for sites where people have connected a domain. Repl.it must save the actual files somewhere static in order to have them connected to that custom domain. That makes sense to me.
www.repl.it
Just the regular site, nothing interesting to see here.
Some sort of mirror for the doc pages of browserify? Not sure why it's hosted on repl.it.
Edit: After a quick look, it seems to be browserify hosted on repl.it. From what I can understand, they must use it for their Node.js projects, and what it does is grab whatever requirement, install it, and serve it as a standalone module. Pretty neat!
I can't believe it took me this long to check for this. Also, something interesting: I think repl.it rolled out an update as I was typing this, as they've started using a different tool to install packages in Python, and repls are loading faster than they have been for the past day or so. Nice. It appears that now, instead of rebuilding each Python package each time, they load them from a database of pre-built packages. I'm glad they did this because everything runs a lot quicker! Well done, repl.it!
Edit: This is actually probably only an update for those opted in to the beta lol which is good because they messed up one of my repls.
Okay, actually I changed my mind, I'm not done with the new beta update. It broke one of my repls. Repl.it updated one of their Docker packages, which they use to install requirements, two hours ago as of now. This update did something that changed how they install them for Python. For some reason, they decided to now use the Python poetry module to install things, which is neat, sure, but it doesn't seem to like having a git dependency in the requirements.txt. I don't even know how it works with a requirements.txt file, as from what I can tell from their GitHub page, it should only work with their special toml files, which look too complicated and bothersome.
Furthermore, I had no clue they even had a Docker profile, but it makes sense that they'd run stuff with Docker, as it's a good fit. I found an old post talking about how they use Docker, but I guess I just never saw that.
So, many people seem to think that repl.it use Docker for running repls, and while that is technically true, I think I might have just found out a bit more! While experimenting with getting the exact time a UUID was generated, I found the MAC address (a unique identifier) of the server where the repl was being run. After doing a Google search for that specific MAC address, I found it in a GitHub issue page for moby, and it appears that, unless I made a mistake, this is what repl.it use/have used.
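Added example (not code from the post above, and not anything published by repl.it): the trick in the last paragraph works because a version-1 UUID embeds its creation time, a clock sequence and a 48-bit "node" field that is normally the generating host's MAC address. The script below builds a v1 UUID from a fixed timestamp and an invented node address so it runs offline (it is a constructed sample, not a UUID observed on repl.it), then dissects it and reports the two bits of the first MAC octet that tell you whether the node is a random value (multicast bit set, per RFC 4122) or a locally-administered address of the kind virtual interfaces use.

```python
"""Dissect a version-1 UUID: what does it leak?

Added example, not the post author's code. The sample UUID is constructed
from a fixed timestamp, clock sequence and node; nothing here comes from repl.it.
"""
import uuid
from datetime import datetime, timedelta, timezone

# 100-nanosecond intervals between the UUID epoch (1582-10-15) and 1970-01-01.
UUID_EPOCH_OFFSET = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def make_v1_uuid(created: datetime, node: int, clock_seq: int) -> uuid.UUID:
    """Assemble a v1 UUID from explicit fields (RFC 4122 section 4.2.2).

    uuid.uuid1() would stamp the current time; building it by hand keeps the
    example deterministic and shows exactly which bits hold what.
    """
    ts = (created - UNIX_EPOCH) // timedelta(microseconds=1) * 10 + UUID_EPOCH_OFFSET
    time_low = ts & 0xFFFF_FFFF
    time_mid = (ts >> 32) & 0xFFFF
    time_hi_version = ((ts >> 48) & 0x0FFF) | (1 << 12)    # version nibble = 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80  # RFC 4122 variant "10"
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def format_mac(node: int) -> str:
    """Render the 48-bit node field as a colon-separated MAC address."""
    return ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def dissect_v1(value) -> dict:
    """Recover creation time, clock sequence and node from a v1 UUID.

    Raises ValueError for other versions: a v4 UUID carries no such fields.
    """
    u = value if isinstance(value, uuid.UUID) else uuid.UUID(str(value))
    if u.version != 1:
        raise ValueError(f"not a version-1 UUID (version {u.version}); nothing to recover")
    # u.time is the 60-bit count of 100-ns intervals since the UUID epoch.
    created = UNIX_EPOCH + timedelta(microseconds=(u.time - UUID_EPOCH_OFFSET) // 10)
    first_octet = u.node >> 40
    return {
        "created_utc": created.isoformat(),
        "clock_seq": u.clock_seq,
        "node": format_mac(u.node),
        # RFC 4122 section 4.5: a node that is not a real MAC must set the
        # multicast bit, so a clear bit suggests a genuine interface address.
        "multicast_bit": bool(first_octet & 0x01),
        # Locally-administered bit: set on software-assigned addresses such as
        # virtual/container interfaces, clear on manufacturer-burned NIC MACs.
        "locally_administered": bool(first_octet & 0x02),
    }


# Constructed sample (assumption, not real data): fixed time, clock sequence
# 0x1234 and an invented locally-administered node address.
SAMPLE_UUID = make_v1_uuid(datetime(2019, 5, 1, 12, 0, 0, tzinfo=timezone.utc),
                           node=0x0242AC110002, clock_seq=0x1234)


if __name__ == "__main__":
    print(SAMPLE_UUID)
    for key, val in dissect_v1(SAMPLE_UUID).items():
        print(f"  {key}: {val}")
    try:
        dissect_v1(uuid.uuid4())
    except ValueError as exc:
        print(f"  v4 check: {exc}")
```

Read the two bit flags together: multicast clear and locally-administered clear points at a physical NIC (and therefore a specific machine); multicast clear with locally-administered set is what a virtual interface typically presents; multicast set means the library chose a random node and the value identifies nothing. Either way a v1 UUID exposed to users leaks when it was minted and something about the host that minted it, which is why public identifiers are better generated as version 4.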
A staging server is a server for testing a system or some of its features using a setup and configuration similar to the production server's.
Repl.it is hosted at Google Cloud Platform, so it makes sense to get Google error or status pages.
I work at repl.it and I don't know what most of those subdomains are for.
Okay, I know like half.
@timmy_i_chen also, I hope you guys have a security team of sorts? Doing internal and external pentests, etc. With so much PII it's pretty important lol especially considering how much repl is growing and how big it's become.
@MarcusWeinberger Yeah sure.
staging.repl.it is where we test soon-to-be-released-code. It seems like a clone of repl.it because it uses production data.
eval.repl.it is the domain for our infrastructure. Any repl that runs on a container will connect to eval.repl.it. @turbio can probably go into more detail here.
https://eval.repl.it is a WebSocket; you can connect to it with double-base64-encoded data that looks something like this:
After connecting to it, I got 5 blobs with 5 weird Unicode characters each (the first one: \uFFFD\15\02\08\04).
Hey, thanks for writing this! It's neat to see someone is paying attention to even the work that we haven't released yet ^_^
You'll find out a lot more about package management updates soon when we launch and publish a blog post about all the changes.
Looking at your repls, I'm assuming the trouble you ran into is with pyCraft. This is a known problem and we're busy looking into it. I'll keep you posted once we have a solution.