From Recon to P1 (Critical) — An Easy Win

Harsh Bothra
3 min read · Apr 24, 2020

Reconnaissance is an important phase of any application assessment: it is where you build in-depth knowledge of the target application. It matters most when the scope is large. From discovering more attack surface to reaching critical data with no complications, reconnaissance is often an easy win.
Hey fellow pentesters, in this post I will walk through how a critical-severity (P1) issue fell out of recon alone. It was a private program on Bugcrowd, so to keep things confidential let's call the target "target.com".

Bigger Picture

— — — — — —

  1. The application had a huge scope — *.target.com
  2. No specific application URL was out of scope
  3. Subdomain Enumeration to increase the attack surface
  4. Finding juicy domains to work on
  5. Discovering directories with directory Bruteforce
  6. Discovering hidden endpoints with Bruteforce
  7. Manipulating application logic to bypass Email Validation
  8. Critically Sensitive Data ~ Easy Win!

During the initial phase of testing, whenever I see a scope like "*.target.com", I start subdomain discovery with several tools: Aquatone, Subfinder and Amass. (Each tool usually turns up two or three names the others miss, so always run at least two of them and merge the results.)
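As an added example (not code from the original post), here is a small script that merges the output of several subdomain tools, normalises the names, keeps only in-scope hosts, and reports which names a single tool found; those are the two or three names you lose by running only one tool. The tool outputs are constructed sample lists, not real results for any target, and the root domain is the post's placeholder target.com.

```python
"""Merge subdomain lists from several enumeration tools and report which
names only one tool found. Added example, not from the original post; the
tool outputs below are constructed, not real results for any target."""
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed sample output, one hostname per line, in the shape that
# subfinder/amass/aquatone write. Some entries are deliberately noisy (mixed
# case, trailing dot, wildcard label, out-of-scope look-alike) to show why
# normalisation is needed before comparing tools.
TOOL_OUTPUT = {
    "subfinder": """
        www.target.com
        portal-intra.target.com
        API.Target.com
        mail.target.com.
    """,
    "amass": """
        www.target.com
        api.target.com
        dev.target.com
        *.staging.target.com
        target.com.evil-tracker.net
    """,
    "aquatone": """
        www.target.com
        portal-intra.target.com
        vpn.target.com
    """,
}

HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)


def normalize(name: str) -> Optional[str]:
    """Lower-case, strip the trailing dot and a leading wildcard label,
    and drop anything that is not a plausible hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name if HOSTNAME_RE.match(name) else None


def in_scope(host: str, root: str) -> bool:
    """True for the root itself or any subdomain of it. The '.' prefix
    rejects look-alikes such as target.com.evil-tracker.net."""
    return host == root or host.endswith("." + root)


def merge(outputs: Dict[str, str], root: str) -> Dict[str, Set[str]]:
    """Map each in-scope hostname to the set of tools that reported it."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for tool, text in outputs.items():
        for line in text.splitlines():
            host = normalize(line)
            if host and in_scope(host, root):
                found[host].add(tool)
    return dict(found)


def unique_to_one_tool(found: Dict[str, Set[str]]) -> Dict[str, str]:
    """Hosts that only a single tool discovered: the reason to run several."""
    return {h: next(iter(t)) for h, t in found.items() if len(t) == 1}


if __name__ == "__main__":
    found = merge(TOOL_OUTPUT, "target.com")
    for host in sorted(found):
        print(f"{host:32} {','.join(sorted(found[host]))}")
    print("only one tool found:", sorted(unique_to_one_tool(found)))
```

Feed it the real tool outputs by replacing the constructed dictionary with the files each tool wrote; the per-tool column is also handy when a name later turns out to be a false positive and you want to know which source produced it.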

While going through the subdomains one by one, I found an interesting one: "portal-intra.target.com". On inspection it was clearly meant for the company's internal use. Okay, so time to gear up. :D

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I fired up dirsearch against it and found a directory named "administration". It hosted a login page at "portal-intra.target.com/administration/login.php". I tried a few default credentials, but none of them worked :/

The next thing that came to mind was to check whether the application also had a registration page. Further brute-forcing of the directory turned up "portal-intra.target.com/administration/reg.php",

and that’s where your blood starts pumping high.

I tried registering a new account but was blocked: the form only accepted email addresses ending in "@target.com". That check, however, was enforced on the client side only; the server accepted whatever address the request carried. I fired up Burp Suite, captured the registration request, changed the email from "harsh@target.com" to my Gmail address, forwarded it, and the account was created. I logged in.
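The bug comes down to where the "@target.com" rule lived: in the form, which the attacker controls, rather than in the registration handler. The following added example (not the portal's code, nor the author's) shows the server-side check that would have stopped the tampered request, alongside a toy handler in both the trusting form and the hardened form. The allowed domain, the form field name and the sample addresses are assumptions for illustration.

```python
"""Server-side registration-email check for an allowlisted corporate domain.
Added example, not code from the post or the affected portal; the domain,
field names and sample addresses are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

ALLOWED_DOMAINS = {"target.com"}          # assumed corporate domain from the post
LOCAL_PART_RE = re.compile(r"^[a-z0-9._+-]{1,64}$")


def email_domain(email: str) -> Optional[str]:
    """Return the normalised domain of a plain address, or None.

    Exactly one '@', no whitespace, so tricks such as 'x@target.com@evil.com'
    or 'x@evil.com (target.com)' that fool a loose check are rejected outright."""
    email = email.strip().lower()
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return None
    local, domain = email.split("@")
    if not LOCAL_PART_RE.match(local) or not domain:
        return None
    return domain.rstrip(".")


def is_allowed_registration_email(email: str) -> bool:
    """Exact domain match only, so 'a@target.com.evil.com' does not pass."""
    domain = email_domain(email)
    return domain is not None and domain in ALLOWED_DOMAINS


@dataclass
class Portal:
    """Toy registration handler. vulnerable=True mirrors the post: the server
    trusts that the form already filtered the domain and accepts whatever the
    (possibly proxy-edited) request carries."""
    vulnerable: bool = False
    users: Dict[str, dict] = field(default_factory=dict)

    def register(self, form: Dict[str, str]) -> str:
        email = form.get("email", "")
        if not self.vulnerable and not is_allowed_registration_email(email):
            return "rejected: registration is limited to company addresses"
        # A real handler would send a verification mail here so ownership of
        # the address is proven before the account is activated.
        self.users[email.strip().lower()] = {"active": False}
        return "registered (pending verification)"


# Constructed requests: the one the form would send, and the one edited in Burp.
NORMAL = {"email": "harsh@target.com"}
TAMPERED = {"email": "attacker@gmail.com"}   # assumed outside address

if __name__ == "__main__":
    for flag in (True, False):
        portal = Portal(vulnerable=flag)
        label = "vulnerable" if flag else "hardened"
        print(f"{label}: {portal.register(TAMPERED)}")
```

Two design points: the check rejects subdomains of the allowed domain as well, because whether "a@sub.target.com" counts as a company address is a policy decision that should be made explicitly, not fall out of a suffix match; and a domain allowlist only proves that the address looks corporate, not that the registrant owns it, so an internal portal should still confirm ownership by email before activating the account.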

I was logged in to their intranet portal, which exposed customer PII, inventories, marketing plans and other highly sensitive business information. A critical finding, and an easy win :D ;)

Created a good looking report and submitted it to the organization on Bugcrowd.

{P.S.: This is my first public write-up, so please share your views on how I can improve.}

Few Takeaways

— — — — — — -
1. Make your recon strong.

2. Think outside the box when trying to exploit your target.

3. Whenever the scope is large I start with subdomains, keep notes, and shortlist the subdomains that look juicy. On those I run recon in parallel: parameter discovery, directory brute-forcing, and CVE and exploit searches.

4. If you know how to do recon properly, you will be a step ahead, and it is often an easy win. :)

Bug Timeline

— — — — — — —

Reported — 19th April 2020

Triaged — 21st April 2020

Accepted — 21st April 2020


Harsh Bothra

Security Engineer | Bugcrowd Top 150 & MVP | Synack Red Teamer | Cobalt Core Pentester | Bug Hunter | Author | Speaker | Learner | Poet | Twitter: @harshbothra_