I am Inderjeet Singh aka encodedguy. Today, I will share one of my recent findings where I pwned 10 admin panels and the team rewarded me with $8000+.
I was invited to a private HackerOne challenge this month. The total bounty pool for this challenge was $15K. I cannot name the program, so let's call it "REDACTEDx1337". I cannot name the domains in the provided scope either, so let's call the domain I was targeting *.redacted.com.
I started by doing a deep recon on the program. You can read about my recon strategies from this link: https://rashahacks.com/enumerate-root-domain-names/
Well, I started by picking the main target of the program. Let's call this target *.vulnerable.redacted.com. The host redirected to another hostname, which had a login panel for employees and no registration page. I tried fuzzing it with my custom wordlists and many other wordlists, but nothing turned up that could give me registration access or any unauthenticated access.
From then on I started reading the JS files; around 8 hours went by and I found nothing reportable. I found 60+ API endpoints in the JS files of vulnerable.redacted.com. None of the endpoints was accessible without authentication. I thought the API was pretty well secured.
Well, one of the API endpoints was /api/v1/config, and it returned 404 Not Found.
Catching up everything
The JS files (main.js, app.js, etc.) were huge, around 100k-150k lines. After spending a lot of time understanding the API endpoints, it was clear that these panels had something big behind them.
Well, I thought that if the /api/v1/config endpoint was not accessible now, maybe it had been archived in the Wayback Machine some months ago. It had actually been archived 2 years ago.
The configuration contained a username and password needed to get into the login panel. But I had no idea of the path to this admin login panel. After a few minutes I found that it was /signin, different from the default login page. I tried to log in at /signin and got no access.
I made a report for these leaked credentials; the company confirmed that they had already been reported through their VDP program and the credentials had been rotated. But they still rewarded me with $100 (some programs are just awesome).
One more day and I got nothing. Then, in the JS files of the subdomains of this target, I found this same API endpoint, but on the subdomain. So I looked it up again in the Web Archive.
The credentials were different here. I tried logging in with them at https://win.vulnerable.redacted.com/signin and got access to the whole admin panel. This panel was in the production environment. I got a $5K bounty for this.
This admin panel had an App button from which I could get into 9 more panels with the same authorization token. The triager confirmed that this app belongs to a group of apps, and gaining access to one gives access to all of them.
I was just jumping in from one panel to another. That night, I couldn't sleep properly, haha.
More digging required
Well, I knew one more thing about this target from the labeling of its subdomains: there were development and staging environments present.
So I tried accessing these hosts manually, and I want to emphasize that I didn't do any enumeration for these hosts. The dev and prod keywords were present in my subdomains.txt file at the third level, but I inserted them at the 2nd level.
I gained access to the development and staging environments. The credentials used in staging and development were the same as those of production.
https://win.dev-vulnerable.redacted.com/signin (Dev Environment)
https://win.stg-vulnerable.redacted.com/signin (Staging Environment)
Apart from this, I got $500 more for some unauthenticated endpoints that were accessible after crawling these admin panels for 4 hours with Autorize. I hold the Top 1 rank on the leaderboard for this challenge.
If you want to read my Autorize blog it's here: https://rashahacks.com/how-i-exploit-access-control-bugs/
What did I learn?
Look up endpoints that are inaccessible now (404 Not Found, 403 Forbidden, etc.) in the Wayback Machine. If you get into an admin panel or any login panel, try the same credentials on the staging, dev, and other environments. Here it was pure luck that I put dev at the 2nd level and got in; use gotator, regulator, and dnsgen to do permutation-based subdomain enumeration instead.
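As an added example (not code from the original post), here is a Python script a security team could run against its own hostnames to check whether a config endpoint like /api/v1/config was ever captured by the Wayback Machine, and to flag credential-like keys in a captured config so they get rotated. It uses the public CDX API parameters (url, output=json, fl, filter) as I know them; the hostname is the post's redacted placeholder and the sample response and config are constructed.

```python
"""Audit your own hostnames for Wayback Machine captures of a config endpoint and
flag credential-like keys in a captured config. Added example; sample data is constructed."""
import json
import re
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
# Key names that usually carry credentials (assumed list, extend as needed).
SECRET_KEY_RE = re.compile(r"user(name)?|pass(word)?|secret|token|api[_-]?key|credential", re.I)

def cdx_query_url(host: str, path: str) -> str:
    """Build the CDX API URL listing successful captures of host+path as JSON."""
    params = {"url": f"{host}{path}", "output": "json",
              "fl": "timestamp,original,statuscode", "filter": "statuscode:200"}
    return f"{CDX_ENDPOINT}?{urlencode(params)}"

def parse_cdx(body: str) -> list:
    """CDX JSON output is a header row followed by data rows; return one dict per capture."""
    header, *data = json.loads(body) or [[]]
    return [dict(zip(header, row)) for row in data]

def credential_keys(config: dict, prefix: str = "") -> list:
    """Recursively collect dotted paths of keys whose names suggest a credential."""
    found = []
    for key, value in config.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            found.extend(credential_keys(value, dotted + "."))
        elif SECRET_KEY_RE.search(key):
            found.append(dotted)
    return found

def audit(cdx_body: str, config_body: str) -> dict:
    """Summarise captures and leaked keys; anything non-empty means rotate the secrets."""
    captures = parse_cdx(cdx_body)
    return {"captures": len(captures),
            "first_seen": captures[0]["timestamp"] if captures else None,
            "leaked_keys": credential_keys(json.loads(config_body))}

# Constructed sample CDX response and archived config (not real data).
SAMPLE_CDX = json.dumps([["timestamp", "original", "statuscode"],
    ["20210302101500", "https://win.vulnerable.redacted.com/api/v1/config", "200"]])
SAMPLE_CONFIG = json.dumps({"loginPath": "/signin",
                            "auth": {"username": "admin", "password": "REDACTED"}})

if __name__ == "__main__":
    print(cdx_query_url("win.vulnerable.redacted.com", "/api/v1/config"))
    print(audit(SAMPLE_CDX, SAMPLE_CONFIG))
```

In real use, fetch `cdx_query_url(...)` for each hostname (prod, dev, stg) and pass the body to `parse_cdx`; if any capture exists, retrieve the snapshot and check it with `credential_keys`.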
I want to thank Nahamsec, GodfatherOrwa, InsiderPhd, StokFredrick, Bugcrowd University, Pentesterlab, Google, Stackoverflow, Web Archive Project, and many many mentors from whom I have learned so many new things.
Thank you for your time.