Hacking the UK government ( FULL database access )


Ahmad Mansour

Hello everyone, it's Ahmad Mansour again, an 18-year-old penetration tester and sometimes a bug bounty hunter. Without further intro, let's get into today's main topic: hacking the UK government and finding and reporting multiple critical vulnerabilities.

NOTE: this was done ethically, as part of legal bug bounty work.

First of all, as with any methodology, I started by enumerating subdomains of my target using active and passive methods, and tried to automate the process with some tools. The main issue was that the domain was still fairly new (< 3 years old), so there was very little passive information to gather from third-party services and tools.

So I dug deeper to find a good subdomain to start testing, rather than going for the main domain, which was mainly an informational page. I built a custom subdomain wordlist based on target keywords and started fuzzing subdomains with ffuf:

./ffuf -w /root/Desktop/wordlist.txt -u http://FUZZ.ab.com -of html -o result

After a bit of fuzzing I got a subdomain that returned a 200 response, which means a valid page, but it was a blank, empty page.

Never ignore a blank or 404 page: no one builds an empty website and hosts it online. Imagine creating a subdomain or domain for yourself and not uploading anything.

So I went straight to brute forcing, meaning brute forcing for directories and hidden files,

and I found an API directory that caught my interest, a /name related to app/ directory that returned 403. I did another round of fuzzing on it and found


/path/app.php

It was really weird; I knew something was hidden there, so I ran another brute force attack, this time parameter-based, trying parameters with a script/tool (yeah, I love brute forcing targets, it uncovers unexpected hidden endpoints), and found two parameters: db and tbl.

So I crafted my URL:

subdomain.target.gov.uk/path/app.php?db=information_schema&tbl=SCHEMATA

And guess what? I was able to list the DB names,

and I could repeat this recursively to list the tables of a specific database and escalate the attack further.
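From the defender's side, the two things this finding depends on both leave traces in the web server's access log: a burst of 403/404 responses from one client while it fuzzes directories and parameters, and then a request to the app.php endpoint with db=information_schema. The script below is an added example, not code from the post or from the affected site; it runs over constructed log lines (IPs, paths and thresholds are made up) and flags both patterns.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; IPs, paths and user agents are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /path/ HTTP/1.1" 403 162 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /path/app.php?db=information_schema&tbl=SCHEMATA HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client IP, request URL and status code are all we need from each line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')
# information_schema tables that enumerate databases, tables and columns.
SCHEMA_TABLES = {"schemata", "tables", "columns"}

def schema_browsing_reason(url):
    """Describe the request if its db/tbl parameters walk the schema, else return None."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    db = query.get("db", [""])[0].lower()
    tbl = query.get("tbl", [""])[0].lower()
    if db == "information_schema" or tbl in SCHEMA_TABLES:
        return f"schema browsing on {parts.path}: db={db!r} tbl={tbl!r}"
    return None

def analyse(log_text, min_requests=3, miss_ratio=0.6):
    """Return (ip, reason) alerts: schema-browsing requests, plus clients whose 403/404 share reaches miss_ratio."""
    per_ip = defaultdict(lambda: {"total": 0, "miss": 0})
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip
        ip, status = m["ip"], int(m["status"])
        per_ip[ip]["total"] += 1
        if status in (403, 404):
            per_ip[ip]["miss"] += 1  # misses are the signature of directory/parameter fuzzing
        reason = schema_browsing_reason(m["url"])
        if reason:
            alerts.append((ip, reason))
    for ip, s in per_ip.items():
        if s["total"] >= min_requests and s["miss"] / s["total"] >= miss_ratio:
            alerts.append((ip, f"fuzzing: {s['miss']}/{s['total']} requests got 403/404"))
    return alerts

print(analyse(SAMPLE_LOG))
```

Detection is a compensating control only; the actual fix is to require authentication on the endpoint and to never accept a database or table name from the client at all.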

Takeaways:

As a pentester or bug bounty hunter:

1- Stop brute forcing randomly with a wordlist that everyone is already spamming on bug bounty targets.

2- Never trust blank or 404 pages; they contain hidden gems.

3- Always brute force parameters; you never know what's hidden.

If you are a dev or website owner:

1- Remove unwanted, beta, or unused subdomains (always check what you are hosting; maybe you forgot something).

2- Remember that hiding files or giving them odd names does not mean no one can reach them. Some hackers think outside the box; assume everything is exposed once you put it on the internet.
