Authentication Bypass | Easy P1 in 10 minutes

3 years ago 170

Anirudh Makkar

Hello there, I am Anirudh Makkar from India. This is my first write-up and I hope you like it. In this write-up I will explain the power of recon and Google dorks. Don’t worry, I’ll keep it short and crisp.

It was a Bugcrowd private program, so I can’t disclose the name; let’s call it redacted.com. The scope was *.redacted.com, which meant I had a pretty wide scope to hunt on.

I started with subdomain enumeration and probing using assetfinder, subfinder, and httpx.

One subdomain caught my eye: https://git.infotech.redacted.com. I opened it in the browser and saw it was a GitLab instance that redirected me to its SAML login page, powered by Okta. So only internal users were allowed to log in to that GitLab instance, with their company email address (email@redacted.com). I tried some default credentials but had no luck!

Okta Login Page

I didn’t give up and jumped onto Google to find some juicy stuff. I tried many Google dorks, but at first there wasn’t anything sensitive. After a few tries, I used “site:git.infotech.redacted.com ext:env” and found some usernames and group names of that GitLab instance.

I immediately tried https://git.infotech.redacted.com/username and https://git.infotech.redacted.com/groupname, and I was able to bypass the authentication flow and directly access the source code hosted there. I found lots of sensitive data, like SQL credentials and LDAP credentials.
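The reason a path like /username or /groupname opens without going through Okta is that GitLab’s SSO gate only covers sign-in: any project or group whose visibility is set to Public stays readable by anonymous users. Below is an added audit helper (my own example, not code from the write-up or from GitLab) that checks an instance for that condition through the unauthenticated REST API and evaluates the instance-wide restricted_visibility_levels setting; the host name is a placeholder and the sample payloads are constructed so the script runs offline.

```python
# Added example: audit whether a GitLab instance behind SSO still serves
# repositories to anonymous users. Assumes GitLab REST API v4; the host is a
# placeholder (not the redacted target); sample payloads are constructed.
import json
import urllib.request

GITLAB_BASE = "https://git.example.invalid"  # placeholder host


def public_projects_url(base_url):
    """Unauthenticated listing of projects whose visibility is 'public'."""
    return f"{base_url}/api/v4/projects?visibility=public&simple=true&per_page=100"


def exposed_projects(payload):
    """Reduce a /projects response to (namespace/path, web URL) pairs.
    Anything returned here is readable without logging in, SSO or not."""
    return sorted((p["path_with_namespace"], p["web_url"]) for p in payload)


def public_visibility_blocked(settings):
    """True when 'restricted_visibility_levels' (admin setting, read or changed
    via /api/v4/application/settings) forbids marking projects/groups Public."""
    return "public" in settings.get("restricted_visibility_levels", [])


def fetch_json(url, opener=urllib.request.urlopen):
    """Fetch and decode a JSON endpoint; 'opener' is injectable for tests."""
    with opener(url) as resp:
        return json.load(resp)


# Constructed sample of what an anonymous GET may return on a weak instance.
SAMPLE_PROJECTS = json.loads("""[
  {"id": 7, "path_with_namespace": "infotech/deploy-scripts",
   "web_url": "https://git.example.invalid/infotech/deploy-scripts"},
  {"id": 9, "path_with_namespace": "jdoe/dotfiles",
   "web_url": "https://git.example.invalid/jdoe/dotfiles"}
]""")
SAMPLE_SETTINGS_WEAK = {"restricted_visibility_levels": []}
SAMPLE_SETTINGS_FIXED = {"restricted_visibility_levels": ["public"]}

if __name__ == "__main__":
    for path, url in exposed_projects(SAMPLE_PROJECTS):
        print(f"EXPOSED {path} -> {url}")
    print("public visibility blocked:", public_visibility_blocked(SAMPLE_SETTINGS_FIXED))
```

Restricting the Public level stops new exposures; projects that are already public should still be re-checked with the listing call and changed individually.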

Thank you to everyone who supported me, directly and indirectly, in achieving this.

Here’s what you get from this write-up:

- Recon always helps.
- If you’re stuck anywhere, just Google it.
- Keep learning.

You can follow me on: Twitter, LinkedIn, Instagram for more bug bounty tips.
