Curiosity part #2 with $5000 bounty.


nanwn

Hello, after a long hibernation, I am back with a write-up. This time I want to continue from the previous write-up. This one may not be long, because the vulnerability is very simple: a default configuration.

To start my search, as usual, I use Shodan. I have repeatedly emphasized in my write-ups how important it is to use Shodan to start bug bounty hunting. I do this consistently every day because, as I have explained in previous write-ups, there will always be changes in Shodan results, whether new IPs, new domains, or new ports. Make it a daily routine to start bug bounty hunting; spending the first 1–2 hours repeating this process every day or every week is very reasonable.

Let’s go to the bounty part.

org:"redacted inc" or ssl:redacted.com

Many IPs, ports, and domains appear in the results. I see telnet on port 23, but with a very unfamiliar banner.

The banner shows up like this: "Password:"

root@nan:~# telnet <ip>
Trying <ip>...
Connected to <ip>.
Escape character is '^]'.
Password:

It connects and shows the same "Password:" banner that Shodan showed, and I realize that it is a router box. The main thing is that this box is still set with a blank password. Yes, don't laugh. It's really a blank password; you just need to press Enter, and this is the default configuration for old software versions.

Password:

RTX1100 Rev.<redacted version> (Mon Aug 28 13:00:42 2006)
Copyright © 1994–2006 Yamaha Corporation.
Copyright © 1991–1997 Regents of the University of California.
Copyright © 1995–2004 Jean-loup Gailly and Mark Adler.
Copyright © 1998–2000 Tokyo Institute of Technology.
Copyright © 2000 Japan Advanced Institute of Science and Technology, HOKURIKU.
Copyright © 2002 RSA Security Inc. All rights reserved.
Copyright © 1997–2004 University of Cambridge. All rights reserved.
Copyright © 1997–2002, Makoto Matsumoto and Takuji Nishimura, All rights reserved.
Copyright © 1995 Tatu Ylonen , Espoo, Finland All rights reserved.
Copyright © 1998–2004 The OpenSSL Project. All rights reserved.
Copyright © 1995–1998 Eric Young (eay@cryptsoft.com) All rights reserved.

Memory 32Mbytes, 3LAN, 1BRI
> show config
# RTX1100 Rev.<redacted version>(Mon Aug 28 13:00:42 2006)
# MAC Address : <redacted>,
# Memory 32Mbytes, 3LAN, 1BRI
# main: RTX1100 ver=e0 serial=<redacted> MAC-Address=<redacted> MAC-Address=<redacted> MAC-Address=<redacted>
security class 2 on on
login timer 600
ip route default gateway pp 1
ip lan1 address <redacted>
pp select 1
pp always-on off
pppoe use lan2
pppoe auto connect on
pppoe auto disconnect on
pp auth accept pap chap
pp auth myname <redacted>*
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp mtu 1454
pp enable 1
syslog debug off
tftp host 192.168.11.2
dhcp service server
dhcp scope 1 <redacted>–<redacted>/28 expire 0:08 maxexpire 0:08
dns server <redacted> <redacted>

After accessing the router described above, I immediately reported it to the private program on HackerOne. For severity, I set Critical because I managed to access the router and view the configuration inside.

For weakness, I chose Improper Authentication because the company had not set a new password for their router and left it with a blank password.

Our lovely idol HackerOne triage still responded to it and lowered the severity to High 😔

I waited almost 1 week for the 1st response, and then the program team marked it as Triaged.

Nevertheless, I remained consistent in marking it as critical and provided a CVSS score to the program team.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Instead of changing the severity, after 1 month the program awarded a bounty of $5000 for this report, which is equivalent to critical severity, meaning the maximum bounty.

I cannot provide detailed information on which version is vulnerable, but from the clues I have given, you can search and explore with your own keywords using Shodan or Hunter to find it.

So this is the end of this newbie bug hunter's write-up using familiar cyber security tools. Consistency is the key to all of this: do it every day and the results ($$) will follow.

Happy hunting.

Nan
