How I Got my first P1 (Sensitive Information Disclosure) using WPScan

Harrmahar
3 min read, Feb 26, 2020


بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيمِ

Background

Hello,

I started bug hunting in October 2019. I spent almost 4 months learning about common vulnerabilities and focusing on how to do recon, until I found my first P1 using a basic recon technique. In this article, I would like to share my very first P1 with you. Hope you like it, enjoy!

P1 Resolved Submission on Bugcrowd

Reconnaissance Phase

I was invited to a private program on Bugcrowd with a huge in-scope target (wildcard). So the first step was finding all the subdomains. I used crt.sh combined with httprobe (by Tomnomnom), running this command on my VPS:

curl -s https://crt.sh/\?q\=\%.$1\&output\=json | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe | tee -a ./alive.txt

This command does the following ($1 is the target domain passed in as the first argument of the shell function):

  1. curl -> searches crt.sh for the target domain and saves the output as JSON;
  2. jq & sed -> slice and filter the output, so we get only the domain names (the sed strips the leading "*." from wildcard certificates);
  3. sort -> eliminates duplicate domains;
  4. httprobe -> checks whether each subdomain is alive or not;
  5. tee -> splits the output from httprobe into two, so it is displayed on the terminal and also written to the output file.

By the way, did I type that very long command every time I did recon? Absolutely not. I use .bash_profile to do this with a shortcut; I learned this from a YouTube video by Behrouz Sadeghipour at https://www.youtube.com/watch?v=YhUiAH5SIqk . Thanks Nahamsec!

I also got that command from Nahamsec's recon_profile. Thanks again Nahamsec! :D

Check all the subdomains

I'm a GUI guy, so after I get all the subdomains, what I do is check them one by one: open each in the browser and see what features are there. But there is no way I can do it one by one, copying each URL, pasting it into the browser and waiting until the page is fully loaded. It wastes a lot of time, bro. So I use these very helpful extensions on Firefox (also available on Chrome):

  1. Open Multiple URLs (we can open multiple URLs in just one click)
  2. Wappalyzer (tells us which technologies the website uses: CMS, web server, database, programming language, etc.)

For all the subdomains I got, I usually open 20–30 subdomains in one click, so my computer doesn't have too much to process. Then I check them one by one.

Open Multiple URLs Extension

By using this technique, I found that more than 50% of the subdomains were using WordPress (including the main domain). Without thinking too much, I tried wpscan on the main domain first.

Output from Wappalyzer

WPscan Finding

After waiting for wpscan to finish, I found a very interesting alert. It said that a wp-config backup file (wp-config.php.bak) was found! So I tried to access it via URL, like https://redacted.com/wp-config.php.bak . Boom! Found db_name, db_password, and other sensitive information!

wp-config file
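The finding above is a leftover copy of wp-config.php sitting in the web root, where anything the web server can read it will serve. A site owner can catch this class of file before a scanner does; the script below is an added example (not the author's code and not part of WPScan), and the document-root layout and the list of backup suffixes it looks for are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for leftover copies of
# wp-config.php (editor backups, manual .bak/.old copies, swap files).
# The suffix list is an assumption; extend it to match your editors/tools.

# Print, one per line and sorted, every file under $1 (two levels deep)
# that looks like a copy of wp-config.php but is not the live file itself.
# The live wp-config.php is excluded because it is expected to exist.
find_wpconfig_backups() {
  docroot="$1"
  find "$docroot" -maxdepth 2 -type f \
    \( -name 'wp-config.php.*'  \
       -o -name 'wp-config.php~' \
       -o -name 'wp-config.php-*' \
       -o -name '.wp-config.php.swp' \
       -o -name 'wp-config.php.save' \) \
    -print | sort
}

# Convenience wrapper: prints the findings and exits non-zero when any exist,
# so it can gate a deploy step or run from cron.
audit_wpconfig() {
  out=$(find_wpconfig_backups "$1")
  if [ -n "$out" ]; then
    printf 'leftover wp-config copies found:\n%s\n' "$out"
    return 1
  fi
  printf 'no leftover wp-config copies under %s\n' "$1"
  return 0
}
```

Run it as `audit_wpconfig /var/www/html` (path is an assumption) and delete or move anything it reports outside the web root; a web server rule denying access to `wp-config.php*` except the live file is a useful second layer.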

Resolved after 2 days.

Awarded with 40 points!

That's all, thanks for reading this write-up!

Regards, Harrmahar.

Credits

  1. Behrouz Sadeghipour (thanks for the bash_profile, the live recon and all the amazing videos on YouTube!)
  2. YoKo Kho (Thanks for the Bug Hunting 101 book and all the tips you gave to me!)
  3. Crt.sh
  4. TomNomNom's httprobe
  5. Open Multiple URLs extension on Chrome and Firefox
  6. Wappalyzer
