Smart recon to PWN the panel

بسم الله الرحمن الرحيم

Hello everyone, this is my second write-up, and I will be talking about one of the most interesting findings I discovered this week.

Let’s start with the reconnaissance phase.

In this finding, I used Netlas.io, an internet scanner and search engine.

I began by using a specific dork to discover all the company’s subdomains across various top-level domains (TLDs).

Here’s Example of the dork: Domain:*.uber.*

https://app.netlas.io/domains/?q=domain%3A*.uber.*&page=1&indices=

I dug into the results and applied some filters to discover new assets.

There are two types of filters available.

The first is ‘Zones,’ which refers to the top-level domains (TLDs).

The second is ‘Levels,’ which represent the different parts of a domain.

For example, if we select level 4, it would display domains with four parts, such as admin.root.uber.com, while level 3 would show domains like root.uber.com, and so on.

“Additional Tip: You can search for third-party domains, such as uber.rood.io, if the program allows it.

Here’s an example dork to find third-party domains:https://app.netlas.io/domains/?q=domain%3Auber..&page=1&indices=

Now let’s move to hunting part

My reconnaissance process ended with an interesting domain.

The first thing I did was register a new account, but unfortunately, it required admin approval. So, I inspected the requests to see what was happening in the backstage. ;)

Here’s the response from the login POST request, and the role parameter looked interesting. Naturally, the idea of response manipulation came to mind. So, the first thing I tried was manipulating the response—LOL!

I tried using match and replace, but it wasn’t vulnerable with response manipulation. So, I continued by analyzing the JavaScript file.

I found some Interesting paths, and try to access it directly

And guess what? I gained access to this path: /manage/settings. The full URL was:
“https://uber.root.io/#/manager/settings”

The first thing I did was navigate to User Management to check my account.

Than click to manage

As you can see, the status is inactive and the role is empty. I activated my account and assigned the admin role to it.

Now, I logged back into my account, and guess what? I had admin privileges, and I had full control of the panel!”

In conclusion, I hope everyone found value in reading my write-up. Thank you, and I wish you all the best in your own security explorations!