Default Credentials Leads to $1200 Bounty Reward (Quest NetVault CVE-2017-17417)


Program Background


This vulnerability was discovered on a private program on HackerOne, so I won't be disclosing all the information and I will be redacting everything. The scope contains a lot of assets and wildcards, so honestly I feel quite lucky to have found an interesting CVE on this target.

Disclaimer:


All URLs, endpoints and IPs in this write-up are redacted versions of the originals, to maintain the confidentiality of these findings while still providing appropriate context for readers. The target of this bug bounty write-up has been replaced with target.com. I won't be explaining basic things in my articles, as they are not targeted at newcomers, but please ask me anything in the comments section; I will reply and explain as best I can there. I am sorry for all the redactions. I do not want my article deleted, as that would make sharing my bug bounty adventure meaningless, so I will try to disclose the methodology and approach as far as I can while redacting as much as I have to.

Reconnaissance

1. First off, I start with subdomain enumeration via the following Subfinder command:

subfinder -d target.com -all > subfinder.txt

2. I use the following Shodan dork to collect all the IP addresses of the target company:

ssl.cert.subject.cn:"target.com"

3. Download the Shodan results and extract the IPs via the following tool:

https://github.com/jpiechowka/shodan-parser

Be sure to use a Linux command to cut the ports off the IP results and pipe them into your own tools. Please note that I am using Shodan Premium here, which gives me the option to download search results.

Download Shodan Results

4. After all these processes I combined the subdomains and the extracted IPs into one text file, IPs.txt, in the format shown below:

IPs.txt Content Format (Redacted Version)

5. From here on I just run an nmap scan over the entire IPs.txt on a Virtual Private Server (VPS), which takes around 3–5 days depending on the VPS specification and speed, via the following command:

nmap -Pn -p- -sV -iL IPs.txt

Nmap will scan the domain names and resolve them automatically, as long as there is no HTTP scheme (http:// or https://) in front of them.

Nmap Auto Resolve Example
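As an added example (not from the original article), the shell helper below merges the Subfinder hostnames and the Shodan-derived IPs into the IPs.txt that step 5 feeds to nmap, cutting the ports off the Shodan entries and stripping any scheme so nmap can resolve the names. It assumes one hostname per line from Subfinder and one ip:port entry per line from shodan-parser; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the article: build IPs.txt for "nmap -iL".
# Assumptions: $1 is Subfinder output (one hostname per line), $2 is the
# shodan-parser output (one "ip:port" per line), $3 is the file to write.
build_ip_list() {
  subs="$1"; shodan="$2"; out="$3"
  {
    # Strip a leading scheme and any path: nmap only resolves bare hostnames
    # (the article's note under step 5), so "https://x.target.com/login"
    # becomes "x.target.com".
    sed -e 's#^[a-zA-Z]*://##' -e 's#/.*$##' "$subs"
    # Cut the port off "ip:port" entries; "-p-" lets nmap choose ports itself.
    cut -d: -f1 "$shodan"
  } | grep -v '^$' | sort -u > "$out"
  # Report how many unique targets ended up in the list.
  wc -l < "$out" | tr -d ' '
}

# Constructed sample inputs (documentation IP ranges), written to a temp dir.
demo_dir=$(mktemp -d)
printf 'a.target.com\nhttps://b.target.com/login\na.target.com\n' > "$demo_dir/subfinder.txt"
printf '203.0.113.10:8443\n203.0.113.10:443\n198.51.100.7:22\n' > "$demo_dir/shodan.txt"
build_ip_list "$demo_dir/subfinder.txt" "$demo_dir/shodan.txt" "$demo_dir/IPs.txt"
# Step 5 would then be run on the VPS against that file:
#   nmap -Pn -p- -sV -iL "$demo_dir/IPs.txt"
```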

Exploitation

1. After running the nmap scans, I went through them one by one, looking through the service ports and version numbers for anything interesting and for exploits. I came across this interesting service port and component.

NetVault Component (Redacted Version)

2. Sorry for the redacted version, as I do not want to be too specific, so I will give a non-specific version of this vulnerable component; the version is actually less than 11.4.5, as shown below:

8443/tcp open ssl/https-alt NetVault/11.1.2.9

3. After identifying this version, I went on Google to look for exploits and CVEs, just as you would for OSCP / Boot2Root CTFs.

CVE Found for NetVault Exploit
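The version check behind step 2 is easy to get wrong with plain string comparison, so here is an added example (not the article's or Quest's code) that reads saved nmap -sV output and flags NetVault banners below 11.4.5, the threshold the article gives, using a component-wise numeric compare. The banner format is assumed to match the line shown in step 2, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the article: flag NetVault banners in nmap -sV
# output whose version is below a threshold (default 11.4.5, per the article).
# Input is read from stdin, one nmap port line per row, e.g.
#   8443/tcp open ssl/https-alt NetVault/11.1.2.9
# Output is "port version" for each flagged banner.
flag_netvault() {
  awk -v thr="${1:-11.4.5}" '
    # Component-wise numeric compare: returns 1 if a < b, else 0.
    # A string compare would wrongly rank "11.10.0" below "11.4.5".
    function vlt(a, b,   x, y, na, nb, n, i, xi, yi) {
      na = split(a, x, "."); nb = split(b, y, ".")
      n = (na > nb) ? na : nb
      for (i = 1; i <= n; i++) {
        xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
        yi = (i <= nb) ? y[i] + 0 : 0
        if (xi < yi) return 1
        if (xi > yi) return 0
      }
      return 0
    }
    /NetVault\// {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^NetVault\//) {
          v = substr($i, 10)          # drop the 9-character "NetVault/" prefix
          split($1, p, "/")           # "8443/tcp" -> 8443
          if (vlt(v, thr)) print p[1], v
        }
      }
    }'
}

# Constructed sample scan lines; only the 8443 banner is below 11.4.5.
printf '%s\n' \
  '22/tcp open ssh OpenSSH 8.2' \
  '8443/tcp open ssl/https-alt NetVault/11.1.2.9' \
  '9443/tcp open ssl/https-alt NetVault/11.4.5' \
  '10443/tcp open ssl/https-alt NetVault/11.10.0' | flag_netvault
```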

4. The following is the Exploit-DB link with the full contents of the exploit:

https://www.exploit-db.com/exploits/46446

5. As we can see, the first portion of the code specifies the default credentials: just the username admin and a blank password.

NetVault Default Credentials

6. What I did first was browse to the port manually and try the default credentials, which to my surprise worked!

NetVault Default Credential Login
NetVault Dashboard Successfully Login

7. So I continued on to the CVE, where it shows an SQLMAP command, as shown below:

SQLMAP Command from Exploit-DB

sqlmap -r dellSqlmap --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch

8. Based on this observation, I assumed I would need to send a POST request to the /query endpoint and save the request in Burp Suite to be run through SQLMAP later on.

POST Request to /query

9. I logged out and logged back into NetVault with the default credentials and captured the request via Burp Suite, to be saved and run in SQLMAP as shown below:

10. After running it through SQLMAP with the same command as in the Exploit-DB link, I noticed it was not working.

SQLMAP Error

11. I noticed that the exploit had modified the request body with an SQLi payload instead, which is shown below:

Request Body Payload

12. What I did was copy the request body from the Exploit-DB link and replace my own request body with it when I logged back in, so it looked something like the below:

Modified Request Body From Exploit-DB

13. Once the request was modified and saved, running it through SQLMAP via the following command shows a successful injected response!

sqlmap -r targetBurp --force-ssl --level=5 --dbms=postgresql --prefix='' --suffix='' --test-filter='AND boolean-based blind - WHERE or HAVING clause' --batch

SQLMAP Successful Response

14. Eventually I managed to dump some sensitive data from the database as further proof of concept for the report:

Database Dump 1
Database Dump 2

15. Finally, I wrote a report including all the required steps and PoCs, submitted it to the HackerOne private program and was rewarded with a $1200 bounty, as shown below:

HackerOne Report
Bounty Awarded

Timeline

November 01, 2023: Submitted a report via HackerOne

November 12, 2023: Triaged

November 17, 2023: Bounty awarded

Lessons Learned

- Perform deep enumeration.
- Always check all component versions.
- Set up automation if needed.
- Scan all ports via Nmap as the default tool, since other tools might be too fast and miss ports.

Bug Bounty Article Updates

- Twitter: https://x.com/ace9499
- Discord Server: https://discord.gg/7QAGpaRZ
- Telegram Group: https://t.me/+T2Laz0Th_SZkZjM6
- Follow my Medium profile.
- Subscribe via email to my Medium.

If you would like to see more of my bug bounty write-ups and follow my bug bounty and cyber security journey, I would appreciate some of the following on each of my articles:

- 100+ claps
- Comments
- Follow my profile

This gives me more motivation to keep sharing my journey, as I would know there is a demand for it instead of wasting both your time and mine. I have a lot more critical reports from my bug bounty and cyber security journey that I want to share with you. Please do not hesitate to ask me questions in the comments; I will try my best to reply and answer them.
