Shodan is your friend!!! If you ignore him you will lose many…
In this blog post, I would like to tell you about my recent finding, and it will also show you how effective recon can be. As it is my first writeup, please ignore all my grammatical errors. I have been focusing on my recon procedure for the last couple of months because I got fed up with monkey testing. I stopped all my hunting for a period and just concentrated on recon. If you don't concentrate on recon, you will end up getting duplicates every time.
Coming to the point of how I discovered a critical bug on a well-known public program. I love Zseano's words: "A bigger scope program has a higher probability of finding a bug than a low scope one." I don't want to mention the program name, so I will refer to it as redacted.com. As the program has a wide scope and many people had already been rewarded for vulnerabilities (almost 600), I thought I could not find vulnerabilities in those in-scope domains. Then I thought maybe I could find something on the IPs which the company owns. I quickly went to shodan.io and did the query org:"redacted". It gave me nearly 400 results. Shit, I'm not a robot to check all 400 IPs. I tried to find vulnerabilities in 14 of the results and ended up finding nothing. I gave up there. Oh my Zseano, please help me, I always believe your words.

After a couple of hours, one thing hit my mind: "Does redacted host any services on cloud providers like Amazon Cloud, Google Cloud, etc.?" I again did a Shodan dork against every cloud service provider and got many results. I found one IP that belonged to redacted, because the certificate on it belonged to redacted. To confirm this, I quickly opened that IP and it had the redacted logo on it. It was a basic authentication page.

The first thing that strikes me when I see a login page is authentication bypass using SQLi. I quickly entered username: admin and password: ' OR 1=1 -- +. I got logged in as admin. I found some developers' profiles and their project files in that domain. I didn't blindly assume those developers belonged to redacted: I searched for them on GitHub and LinkedIn and confirmed that they belong to the redacted company. I thought that was enough and that it was better to report.
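The bypass above works because the login code splices the password straight into the SQL text, so the quote closes the string literal and OR 1=1 makes the WHERE clause true for every row. As an added illustration (not code from the post or from the affected site), here is a minimal Python/sqlite3 login check in its vulnerable form beside the parameterised fix; the table, user and password are constructed for the demo.

```python
import sqlite3

# Constructed demo data: one user table with a single account.
# (A real application would store a password hash, not the password.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String formatting puts user input into the SQL grammar itself.
    # With password = "' OR 1=1 -- " the statement becomes:
    #   ... WHERE username = 'admin' AND password = '' OR 1=1 -- '
    # AND binds tighter than OR, so the clause is (false) OR true,
    # the trailing quote is commented out, and the first row is returned.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Parameterised query: the driver sends the values separately from the
    # statement, so the quote and OR are compared as data, never parsed as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' OR 1=1 -- "
    print("vulnerable:", login_vulnerable(make_db(), "admin", payload))  # admin
    print("fixed:     ", login_fixed(make_db(), "admin", payload))       # None
```

The same payload that logs in as admin against the concatenated query returns no row against the parameterised one, which is the whole fix: treat credentials as bound values, never as SQL text.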
I reported the bug to redacted; they triaged it in 30 mins and rewarded me in less than 3 hrs with $$$$🤑🤑🤑.
I would like to thank Nahamsec and Zseano for their recon streams on YouTube, and special thanks to my mentors Prameel Arjun and Vikash Chaudary for helping me throughout.
Connect with me on Twitter.