My Unbelievable Hack into HR Admin — A Bug Bounty Tale!!!


Ratnadip Gajbhiye

Hi Guys,🙂

I am able to access the HR Admin panel without any authentication.😄

I will explain all the steps on how I found this subdomain.

Let’s assume the company name is “bounty.com.”

I am doing recon on “bounty.com” and using my custom wordlist for active subdomain scanning.😅

One of the subdomains, “uat.bounty.com”, grabbed my attention. However, when I opened the subdomain in the browser, it did not load. I thought that this subdomain might be for internal access only or had been removed.🤔

But I didn’t lose hope. I ran gau to gather all the URLs of “bounty.com”. Then, I used `grep` for “uat.bounty.com” to check whether this domain had been publicly available earlier.🤔

I found 5 to 6 links to “uat.bounty.com”, confirming that this subdomain had been accessible earlier, which is why these URLs showed up in Wayback.🤪

I tried every possible thing to access those links, e.g., X-Forwarded-Header: localhost & company IP, etc., but nothing worked.🙁

Then, I moved on from that target for some time and worked on other subdomains.😒

In my present organization, one of our clients gave us a web application for security testing, and I noticed a domain like this: “payuat.client.com”🤨

Suddenly, I realized I also found the “uat.bounty.com” domain a few days ago.😁

Then, I started looking into that program again.

Since one of our client’s UAT environments was named like “payuat.client.com”, I got the idea to brute-force subdomains on “bounty.com” with the same naming pattern. I used Burp Suite Intruder to enumerate subdomains as $1$uat.bounty.com ($1$ is the injection point where the wordlist is substituted).😐

For example, I am showcasing an attack on php.vulnweb.com; see below screenshots.

Screenshot: Injection point for Intruder.
Screenshot: Intruder only shows a response length when we hit a valid subdomain.

After a few minutes, I got valid hits from Intruder. I checked each subdomain manually, but all of them returned 404 Not Found. Bad luck.😐

Then, I decided to let Intruder finish its work, and after a few more minutes, the scan finished. I found a total of 7 subdomains.😁

I opened all the subdomains in the browser; most of them returned 404 Not Found or 403 Forbidden. But one domain, “selfserviceuat.bounty.com”, loaded some content, and there was a login panel.😌

There were only two ways to log in: “Sign in With Okta” and “Sign in With Office 365.”🤔

At first, I thought Okta and Office 365 were secure login methods; that’s why, when I got the subdomain, I started directory fuzzing instantly. But I don’t know why I clicked on the “Sign in With Okta” button, and it directly gave me access to the HR admin panel.🤩

Screenshot: Admin panel accessed.

Then, I was shocked for a second; my reaction was, “What just happened?” I made a video proof of concept for the same and submitted it to the security team. They fixed this issue immediately.🤗

The issue was fixed a month ago, but I didn’t receive any reply from bounty.com. Then I submitted more reports to them and politely asked about the status of the HR admin panel bug. They said they were discussing it internally.

After 15 days, they rewarded me with 3000 USD for the same bug.

While reading, you guys may be thinking it’s an easy bug, easy money, lucky guy, etc. Yeah, I am, because I always think out of the box; that’s why it’s easy for me.🤗🔥

I’ll share one more admin panel write-up for the same site, which is currently in triage.😋

Follow and turn on notifications so that once I drop the write-up, you’ll get notified by email.😅

Thanks for reading my article.

Have a great day…🙂
