
How Proper Recon Helped Me Find a Critical Bug on a HackerOne Bug Bounty Program

Hi and welcome to my latest bug bounty writeup! I'm thrilled to share my thoughts and insights with you today on how I used recon to find a bug easily. Since the application is a private program, I had to follow non-disclosure rules and modify the PoC, target details, etc. For now, let's call the target redacted.com.



This was a wide-scope program, and all subdomains were in scope.


I started my recon script, which gathers the subdomains of the target using different tools such as assetfinder, subfinder, theHarvester, amass, etc. and sorts them properly into a file, subs.txt.


I then use httpx to sort the live subdomains by status code into separate files.

example command:


cat subs.txt | httpx -tech-detect -title -mc 200 | tee -a 200_urls.txt   # -mc keeps only responses with HTTP status 200

 

I then navigate through each URL and add interesting targets to my notes. After looking at the hosts, I filtered out which URLs to test first, and then started fuzzing them for different files and directories.

example command:


fuzz -w files.txt -u https://redacted[.]com/FUZZ -v -mc 200,500,401,403   # -mc keeps only responses with these status codes

One of the URLs disclosed server error logs for invalid URLs in the response body, and each time I got a different log in the response, which was weird. After a few minutes of searching through the responses, I observed database credentials being disclosed, and made a note of it.


(Screenshot: Error Log Disclosure)
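As an added example (not code from the original write-up), here is a small Python checker a defender can run over their own error-page or debug-endpoint bodies to catch the kind of database-credential leak described above before a fuzzer finds it. The URLs and response bodies are constructed samples; findings report a masked hint and a line number rather than the secret itself.

```python
import re
from typing import Dict, List

# Constructed sample response bodies (not from the target in the write-up): a PHP error
# page that dumps its config array, a debug endpoint that echoes env vars, and a clean one.
SAMPLE_RESPONSES = {
    "https://app.example.invalid/nonexistent": (
        "Warning: mysqli_connect(): (HY000/1045): Access denied for user "
        "'app_user'@'localhost' in /var/www/html/inc/db.php on line 12\n"
        "Dump of $config:\n"
        "  'host' => 'db.internal',\n"
        "  'user' => 'app_user',\n"
        "  'password' => 'S3cretPass!',\n"
    ),
    "https://app.example.invalid/debug": (
        "DATABASE_URL=mysql://app_user:hunter2@db.internal:3306/app\n"
        "DB_PASSWORD=hunter2\n"
    ),
    "https://app.example.invalid/healthz": "ok\n",
}

# Each pattern captures only the secret in group 1.
SECRET_PATTERNS = [
    ("db_uri", re.compile(r"\b(?:mysql|postgres(?:ql)?|mongodb)://[^:/\s]+:([^@\s]+)@", re.I)),
    ("env_password", re.compile(r"\b(?:DB_PASS(?:WORD)?|MYSQL_PASSWORD|DATABASE_PASSWORD)\s*[=:]\s*['\"]?([^'\"\s;,]+)", re.I)),
    ("php_array", re.compile(r"['\"](?:password|passwd|db_password)['\"]\s*=>\s*['\"]([^'\"]+)['\"]", re.I)),
    ("connect_call", re.compile(r"mysqli?_connect\((?:[^,)]*,){2}\s*['\"]([^'\"]+)['\"]", re.I)),
]

def mask(secret: str) -> str:
    """Keep a two-character prefix so the finding can be matched to a config without echoing it."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)

def find_credential_leaks(body: str) -> List[dict]:
    """Return one finding per credential-looking match, with its 1-based line number."""
    findings = []
    for label, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(body):
            line = body.count("\n", 0, m.start()) + 1
            findings.append({"type": label, "line": line, "hint": mask(m.group(1))})
    return findings

def scan_responses(responses: Dict[str, str]) -> Dict[str, List[dict]]:
    """Map each URL to its findings; URLs whose bodies are clean are dropped."""
    return {url: f for url, body in responses.items() if (f := find_credential_leaks(body))}

if __name__ == "__main__":
    for url, findings in scan_responses(SAMPLE_RESPONSES).items():
        for f in findings:
            print(f"{url}: {f['type']} at line {f['line']} (value {f['hint']})")
```

Feed it the bodies returned by your own fuzzing of a staging host, or wire it into a response hook in your error-page tests, so a config dump in an exception page is flagged before it reaches production.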

After trying many methods, I was unable to use these credentials anywhere, including login pages and the MySQL port on the target and other hosts.




Although I was disappointed, I initially decided to submit the issue to the program as it was. However, my fuzzing returned two endpoints that had phpMyAdmin login pages. I opened the URLs and found an HTTP Basic auth prompt. I tried some default credentials, and they did not work. Then I tried the DB credentials I had with me, and IT WORKED. I was able to log in as the admin user, got access to the phpMyAdmin dashboard, and could even run SQL queries. I immediately reported the issue to the HackerOne program, got a response in 2 days, and the issue was resolved the very next day.



Never give up on recon without trying and testing all the test cases. I hope you learned something new from this bug bounty writeup. Adios!


