A simple post auth bypass leads to unauthorized web server access
Hi all, I hope you are doing well. I’m Hein Thant Zin, just a noob bug bounty hunter from Myanmar. This is my third write-up about one of my recent findings on h1.
The story began after a local CTF had finished. It was about Sept 1, and I wanted to go back to bug bounty for 1 month. So I decided to hunt bugs on AT&T with my friend.
After some days and some duplicate reports passed, the night came.
It looked like a custom-developed subdomain with nothing interesting, just a simple login page for internal users. I tested for an auth bypass bug but failed.
After some recon, he said, “bro, there is a pop-up login page saying ‘weblogic’”.
I didn’t even know what the hell weblogic was before. So I looked it up on Google and tried to log in using default login credentials but failed. Then I got this link: https://github.com/lanjelot/kb/blob/master/weblogic
After many failed attempts, I was able to log in using one of these credentials. Unfortunately, the response looked like
Well, I couldn’t figure out what the hell that was. I was stuck for a while and didn’t know what to do. By then it was about 2 am, so I went to bed.
The next day, I woke up at 1 pm, picked up my laptop and started testing again. I tried brute-forcing directories and changing HTTP request methods, but all failed.
I had almost given up, but suddenly I thought: why not give “weblogic” a try as a directory name? It does make sense, right?
I put the name in as a directory and Boom!!! I had complete access to their weblogic server. I was able to view all server information, their internal development app and other sensitive information.
Then I reported it to HackerOne. They triaged it and rewarded me after the report was resolved. I hope you enjoyed reading this. Follow me for more write-ups.
Sept 14, 2019 - Reported
Sept 15, 2019 - Triaged by h1 team
Oct 22, 2019 - Fixed and bounty awarded: $750
See ya guys. I’ll be back with the next finding soon... Thank you.