Access to a page that requires authentication using default credentials $$$.
Hi guys! This is my second article of bug bounty report write-ups and I hope you will like it! I'm a bug hunter on HackerOne and I think it's cool to share what I have found.
While I was browsing the programs page at HackerOne, I chose one program and started to do my recon on it (we can call it REDACTED.com), collecting subdomains and IPs, and noticed that there was one subdomain that required authentication. As you know, the best 3 things to do here are:
- Brute force the directory; maybe there were some files left accessible.
- Brute force username and password.
- Try default usernames and passwords such as admin:admin, admin:pass, user:pass and so on.
I tried admin:admin as the username and password and it worked; I was able to access the directory, which contains unknown files, etc.
Aug 2nd 2021 Submitted the report
Aug 13th Triaged
Aug 18th Rewarded with $$$
Waiting until resolved. :(
Note:
Never forget default credentials when you see an authentication page.
Hope you learned something new, and here's my profile on HackerOne: https://hackerone.com/doosec101