Hello everyone,
I would like to disclose one of my recent findings, in which I was able to get into the admin panel on a private program. Since the program is private, I will call it private-site.com.
As many researchers believe in recon before hunting a target, the same rule applies to me. Around two months ago I was invited to a private program, and the first step I took was to learn everything I could about the target.
I strongly believe that recon is incomplete without using the Censys and Shodan search engines. I always use them first whenever I choose a target. That day I searched for private-site.com, and I was lucky using the certificate-based query below:
https://censys.io/ipv4/help?q=80.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names%3Aprivate-site.com
Using the above query I got many open ports. So I hit the target directly on each port, expecting something special to come back in the response, but on every port I got the response "ERR_CONNECTION_TIMED_OUT".
I ran nmap and found that all the ports Censys showed as open were actually filtered or closed, which meant the data was old or something had since been fixed. One more thing I do is check every site that matches the certificate. For example, the above query also returned some IPs that resolved to different sites but presented the same certificate.
There were around 30 IPs, and I opened every site. One IP, which resolved to http://ip_detail.us-west-1.compute.amazonaws.com, got my attention: the site opened with a login page. At that point I was unsure whether to test further or not, because only private-site.com was in scope.
To be honest I was not in the mood to test it, but I just put user:admin and password:admin, hit the login button, and got internal access. All the private user information belonging to private-site.com was there. So I reported the bug.
The bug was fixed within an hour of reporting it. Two hours later I got a reply from the security team.
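Seen from the defending side, the same certificate pivot is an inventory check: every host presenting your certificate should be one you know about. The following is an added example, not code from the original post; it takes results shaped like a certificate search (constructed sample data, made-up fingerprints), groups hosts by certificate fingerprint and flags any whose reverse DNS falls outside the suffixes the organization recognises as its own.

```python
import json
from collections import defaultdict

# Constructed sample shaped like certificate-search results (IP, reverse DNS,
# certificate SHA-256 fingerprint, SAN dns_names). All values are made up.
SAMPLE_RESULTS = json.loads("""[
 {"ip": "198.51.100.10", "rdns": "www.private-site.com",
  "cert_sha256": "fp-A", "dns_names": ["private-site.com", "www.private-site.com"]},
 {"ip": "198.51.100.11", "rdns": "api.private-site.com",
  "cert_sha256": "fp-A", "dns_names": ["private-site.com", "www.private-site.com"]},
 {"ip": "203.0.113.7", "rdns": "ip_detail.us-west-1.compute.amazonaws.com",
  "cert_sha256": "fp-A", "dns_names": ["private-site.com", "www.private-site.com"]},
 {"ip": "203.0.113.9", "rdns": "cdn.example.net",
  "cert_sha256": "fp-B", "dns_names": ["cdn.example.net"]}
]""")


def _under(name, suffix):
    """True if name equals suffix or is a subdomain of it."""
    return name == suffix or name.endswith("." + suffix)


def hosts_sharing_cert(results, target_domain):
    """Group hosts by certificate fingerprint, keeping only certificates
    whose SAN list names target_domain or one of its subdomains."""
    groups = defaultdict(list)
    for r in results:
        if any(_under(n, target_domain) for n in r.get("dns_names", [])):
            groups[r["cert_sha256"]].append(r)
    return dict(groups)


def unexpected_hosts(results, target_domain, known_suffixes):
    """Hosts presenting a certificate for target_domain whose reverse DNS
    is not under any suffix the organization recognises as its own.
    Returns (ip, rdns, fingerprint) tuples; a missing rdns is flagged too."""
    flagged = []
    for fp, hosts in hosts_sharing_cert(results, target_domain).items():
        for h in hosts:
            rdns = h.get("rdns", "")
            if not any(_under(rdns, s) for s in known_suffixes):
                flagged.append((h["ip"], rdns, fp))
    return flagged


if __name__ == "__main__":
    for ip, rdns, fp in unexpected_hosts(SAMPLE_RESULTS, "private-site.com",
                                          ["private-site.com"]):
        print(f"review {ip} ({rdns or 'no rdns'}) presenting cert {fp}")
```

Adding a cloud suffix to known_suffixes only makes sense once that host has actually been claimed by an owner; the point of the check is that the amazonaws host is nobody's until someone says it is.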
"We’ve just been discussing this some more. One of the IPs we have been looking at in more detail shows some manual looking interactions where they are creating |||||||||||. We are still working out what these |||||||||| might do but the attempts feel like it could be a bugbounty researcher."
I do not know the exact details, but I made my IP and the time window in which I had access clear to them.
Bug reported : 25 Feb
Bug resolved : 25 Feb
Bounty awarded : $1500 on 26 Feb
Reach me on Facebook or Twitter