Bug Bounty Challenge (final): Day 3–22/04/2024

At this point, you probably know what the first thing I did is, I began chasing after the “RCE” from yesterday, and deep into my research I discovered that this “RCE” detection methodology involves inspecting requests sent by the server for 2 packages if those packages are found to be in use and the service’s version is a version known to be vulnerable, that gets marked as a vulnerable endpoint, but I’m sure you can tell why this is a problem, even if the server gets patched, the vulnerability detection methodology will still give you the “vulnerable” results, hence my situation but our adventure simply does not end here.

I came across another endpoint, it had a login page and looked generic, I then decided to Google the name in the page’s title followed by “default login credentials” and I got the results. I went on and plugged those credentials in, and it worked, I looked around, Googled what the service is used for, and came across a YouTube video with the following message below

Turns out, this endpoint is used to monitor real-life equipment, not only that but the admin can modify its variables, these modifications come with consequences though (as you can tell by the screenshot above) making this one of my most interesting discoveries… As of now, I’m in the process of getting in contact with the company to verify whether the IP belongs to them or they’re just hosting for a third party, in which case, the vulnerability is still a problem. The more I keep looking around, the more Ideas I get about exploiting this access to achieve even more vulnerabilities, therefore I’d qualify this as a critical discovery, without a doubt.

I hope that the company owns this IP because that means this vulnerability will be mitigated, otherwise… a lot is at risk, not only digitally but physically too. (I can even switch off electricity, yeah, the type of stuff that APTs are into)

I discovered that this target provides a hosting service and considering what I’ve found so far, that explains a lot. I decided to stop engaging with the program so that I don’t break things I’m not supposed to.

Other vulnerabilities I found are — an open AWS s3 bucket (not worth reporting), XSS (via POST so self-xss/not worth reporting), and an SMB guest login with write permissions.

And a lovely message I found

I then had another endpoint that was using SMB, and I was granted “read, write” access as a guest user. Why is this bad, you ask? Easy, anyone can upload and retrieve whatever file is in this folder I came across a ransomware message, looks like a hacker out there has touched this before me but with a malicious motive considering the message

I was curious whether this hacker had received any payment, this helps me in determining whether this was a targeted/automated internet scan + exploitation process, regardless, they never received a single Bitcoin payment :)