How I Hacked Over 150k PII on a Program

So, well, well, well… I’m Abu Hurayra aka rootplinix maybe listened my name somewhere, I’m proudly a day-time hacker who hunts bugs to survive and a night-time writer spinning tales from my messy mind. You want the story of how I cracked into 150k+ PII? Sure thing, but don’t even ask for the program’s name or subdomain, ’cause it’s still on the hush-hush. For now, let’s call it: redacted.super-secret.com.

So here’s the gig: I start mapping out around 1,000 subdomains — huge, right? Nah, most of ’em were just 302 redirects to SSO login pages, with others sitting there with 200 OK, 403, and 404 status codes, staring back at me. My gut said, “Look for a subdomain takeover!” and I did, even found Gemfury hosting one. But no luck — ran EdOverflow’s tool, and the sucker wasn’t vulnerable.

Now, did I cry in the corner of my dark room like a defeated villain? Nah, I powered up — because, baby, when life gives you redirects, you dig deeper. I whipped out some of my personal tools — they’re super secret, so don’t ask — and thought, “Let’s automate this thing.” Why stress, right? I turned to Nuclei, hoping to shake out some low-hanging fruit bugs. But after hours of scanning and 3 cups of coffee, I got nothing. Worse? Rate limits kicked in, and Nuclei was skipping targets like a broken record.

Now, at this point, I’m thinking: “Why the hell am I grinding like a rat for swag rewards? This cheese ain’t worth it.” But then — boom! — an idea hit me. The target’s been around since 2016, so surely someone stashed a backup or two somewhere, right? Old servers, old habits. I took a trip down to the Nuclei templates repo and found one for hunting ZIP backups.

Now, here’s the fun part: I ignored those boring 200 OK pages and instead focused on the 302 redirects — because those login pages? Total pain in the ass. I filtered them out like this:

cat httpx_report.txt | grep 302 | awk ‘{print $1}’ | anew 302_status.txt

With the list in hand, I sent Nuclei to do its thing:

cat 302_status.txt | nuclei -t ~/private/zip-backup.yaml -c 40 -project armin -rl 400 -v | anew lowkey.txt

Two hours in — bam! — a hit. The terminal lights up with one word: uploads.zip. And yah, that’s when I knew something juicy was waiting inside.

Now I had to confirm it, so I ran it again:

nuclei -u https://redacted.supersecret.com/ -t ~/private/zip-backup.yaml -v -debug

The ZIP was a 1 GB beast, but my internet? Trash. Nuclei’s threads were choking my bandwidth, and I was about to lose it. But then — heh — guess what? My neighbor’s Wi-Fi was open (he’s stuck in a mental hospital), so I shamelessly hijacked his connection. Even then, though, it was just 5 Mbps. Do the math, 1 GB at that speed? Nah, too lazy.

Instead, I jumped onto Google Cloud Console on my phone and ran the magic command:

wget https://redacted.supersecret.com/uploads.zip

And just like that — poof! — the file’s on my cloud machine. I unzipped it and nearly fell off my chair: 150k+ PII records. I’m talking:
- Phone numbers
- Locations with lat/long
- Emails
- Names

That wasn’t all. I found Excel files named sales_january.xlsx, sales_december.xlsx, and — get this — dealers_india.xlsx. No MS Excel on my rig (yeah, I’m poor), so I threw them into Google Sheets. And in the dealers file alone? 14k cleartext records. I sat there, staring at it, thinking: “Critical AF.”

I reported it ASAP. Two days later, the triager slapped a Critical (9.3) rating on it, and the program resolved it in no time. I didn’t get cash, just some swag, but hey — my reputation on the platform shot up, so not all bad.

And that’s how I stumbled across a massive data leak from an old backup file on a redirecting subdomain. Lesson? Never leave backups lying around on 302 redirects. Yah, you’ll end up in one of my stories.

1. Can I Take Over XYZ?
2. Nuclei Project
3. Nuclei Templates Repository