Why I paid 3.5K to become a TLD registrar reseller when doing bug bounty

I was looking for a new bug bounty target and found an interesting TLD registrar. After doing some recon there was no decent scope, until I saw that there was a reseller platform. I looked at the prerequisites to become a TLD registrar reseller and my mood went down. You needed to meet the following requirements:

  • Have a web hosting company website
  • Have a support center so your customers can call you
  • Pay an initial 3.5K upfront

After some chatting with 2 other bug bounty hunters on Slack we had a great idea! We were joking about setting up a web hosting company, paying for this and splitting the costs…

After some discussion we gave up on this idea.

This idea stayed in my mind for a few months and I decided to give it a go.

I set up a website, https://hgrealhosting.com, bought myself a web hosting company template and I was ready to go.

I signed up, paid the initial 3.5K and got a mail saying I would receive my password in my physical mailbox within 2 weeks.
I patiently waited 2 weeks and then the mailman arrived with a letter containing my password 😎. Ready for some bug hunting!

After doing recon on this reseller dashboard it turned out they were very secure.
But I wasn't giving up, so I did some more research and went reading the EPP docs.

An example can be found here: https://docs.dnsbelgium.be/gtld/epp/

It is basically an XML-based protocol, so I sent some XXE payloads and it wasn't vulnerable.

When I was about to give up on this target I went looking at every page on this reseller dashboard again, and then I spotted some /etc/passwd output.

Why was this here? How the heck did I trigger this? Apparently there is something called a second-order IDOR: when you make an IDOR request you don't see the results directly, but you see them on another page or a few requests later. Actually, when doing this XXE attack, my results were shown on my reseller dashboard.

I wrote a Python script to send XXE payloads to scan their server and to scrape the contents of these files from the reseller dashboard after every XXE request. Finally I got some server passwords and much more.
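As an added defensive example (my own code, not the author's script and not the registrar's), here is how an EPP endpoint can shut this class of bug down before parsing: a legitimate EPP command never carries a DTD, so any DOCTYPE or entity declaration is refused up front, which also covers the blind, second-order case where the entity's content would only show up on another page later. Both samples are constructed; the SYSTEM target in the second one is a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

DOMAIN_NS = "urn:ietf:params:xml:ns:domain-1.0"


class UnsafeXml(ValueError):
    """Inbound document carries a DOCTYPE or entity declaration."""


def reject_doctype(data: bytes) -> None:
    """Pre-scan with expat and abort on any DOCTYPE or ENTITY declaration."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE not allowed in EPP input (root {name!r})")

    def on_entity(*_):
        raise UnsafeXml("entity declaration not allowed in EPP input")

    parser.StartDoctypeDeclHandler = on_doctype  # exceptions propagate out of Parse()
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def is_safe_epp(data: bytes) -> bool:
    """True when the document passes the DTD check, False when it is refused."""
    try:
        reject_doctype(data)
        return True
    except UnsafeXml:
        return False


def parse_domain_check(data: bytes) -> list[str]:
    """Parse an EPP <domain:check> command and return the queried names."""
    reject_doctype(data)  # refuse before ElementTree ever sees the document
    root = ET.fromstring(data)
    return [el.text for el in root.iter(f"{{{DOMAIN_NS}}}name")]


# Constructed sample: a normal EPP domain:check command.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><check>
  <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
    <domain:name>hgrealhosting.com</domain:name>
  </domain:check></check></command></epp>"""

# Constructed sample with a DTD; the SYSTEM target is a placeholder, not a real path.
WITH_DTD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE epp [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"><command><check>
  <domain:check xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
    <domain:name>&ext;</domain:name>
  </domain:check></check></command></epp>"""
```

Rejecting the DTD outright is simpler and safer than trying to configure entity expansion per parser, because the check holds no matter which library later consumes the same bytes.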

I told my bug bounty comrades about this and gave them access to my account.
We got a few other bugs.

All of a sudden my account got blocked and I got a call from their CISO.

My reaction

Everything went better than expected and we got 7.5K for our submissions and a refund.

Thanks for reading and happy hunting!
