A simple post auth bypass leads to unauthorized web server access

Hein Thant Zin
Nov 8 · 3 min read

Hi all, I hope u are doing well. I’m Hein Thant Zin and juat a noob bug bounty hunter from Myanmar.This is my third write up about one of my recent findings on h1.

The story began after local CTF had finished.It was about Sept 1, I did want to go back bug bounty for 1 month . So I decided to hunt bug on AT&T with my fri.

After some days and some duplicate reports passed. The night has come.

It was look like custom developing subdomain there is nothing interesting , just a simple login page for internal user .I’ve tested for auth bypass bug but failed.

After some recons, He said “bro three is a pop-up login page saying “weblogic””.

http://exapledevlopment.att.com/management/

I did’t even know what the hell is weblogic before.So I found out google and tried to login using default login credentical but failed. Then I got this link https://github.com/lanjelot/kb/blob/master/weblogic

After many attempts failed , I was able log in using one of these credenticals. Unfortunately , the response was look like

Well , I couldn’t fingure out how the hell is that. I stucked for a while and did’t know how to do then it was about 2 am so I was going bed to sleep.

The next day , I wake up at 1 pm and picked up my laptop and tesing again. Tried to bruteforce directory , changing http request methods but all failed.

I had almost to give up but suddendely I remembered that why I should not give a try “weblogic” as a directory name.It does make sense right?

I put the name as directory and Boom!!! I was completely accessed in their weblogic server. I was able to view all server informations and their internal development app and other sensitive informations.

Then I reported to HackerOne. They triaged and rewarded after the report resolved . I hope you enjoyed by reading this . Follow me for more write up there.

http://twitter.com/H3Lowr

Timeline -:

Sept , 14, 2019 -Reported

Sept, 15, 2019 -Triaged by h1 team

Oct , 22 , 2019 -Fixed and Bounty awarded $750.

See ya guys. I’ll be back with the next finding soon…… Thank u.

    Hein Thant Zin

    Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
    Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
    Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade