To all the readers: this blog post is for beginners, there is no special trick here, and this is also my first write-up, so any suggestions or corrections are always welcome.
Hello you beautiful people! I will be talking about how I was able to find an easy P1 (critical) bug just by doing reconnaissance. I was invited to a private program on Bugcrowd; let's call it "target.com".
The target had a huge scope (*.target.com). Whenever I see something like "*.target.com", I quickly start subdomain enumeration using multiple tools like Assetfinder, Findomain and Amass (always try to run more than two tools).
assetfinder -subs-only target.com
findomain -t target.com
amass enum -passive -d target.com
Write a simple bash script to automate this process.
After subdomain enumeration I went through each of the subdomains manually, but you can try Aquatone to take screenshots of all the subdomains, or open all of them in Firefox for a quick look using this simple bash one-liner.
cat subdomains.txt | while read -r subs; do firefox "$subs"; sleep 8; done
During this process there were many subdomains I was unable to connect to, or that returned an error, so I thought I'd try port scanning in case other ports (FTP, SSH or anything else) were open on those hosts. I quickly found the IP addresses of all the subdomains and started an nmap scan.
nmap -sV -iL ips.txt -oN nmap_scan.txt
Or you can try the "naabu" tool by ProjectDiscovery; it is much faster than nmap.
cat ips.txt | naabu
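As an added example, not the author's script, here is a small bash pipeline that automates the steps above: it runs whichever of the three enumeration tools is installed, normalizes and deduplicates their output down to names under the target domain, resolves those names to IPv4 addresses (hosts that never resolve are dropped, which is usually why a subdomain "cannot connect"), port-scans the addresses with naabu if available or else nmap with version detection, and finally turns the nmap output into host:port lines for review. The naabu `-list`/`-o` flags, findomain's `-q` flag and glibc's `getent ahostsv4` are assumptions for this example, and the embedded nmap output is a constructed sample so the parser can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example recon pipeline (not the post author's script).
# Tool names/flags come from the post, except naabu -list/-o, findomain -q
# and getent ahostsv4, which are assumptions.
set -eu

# normalize_subs: read raw tool output from stdin, strip schemes/paths,
# whitespace and trailing dots, lowercase, keep only names under DOMAIN, dedupe.
normalize_subs() {
  domain="$1"
  esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
  sed -e 's#^[a-zA-Z]*://##' -e 's#/.*$##' -e 's/[[:space:]]//g' -e 's/\.$//' \
    | tr 'A-Z' 'a-z' \
    | { grep -E "(^|\\.)$esc"'$' || true; } \
    | sort -u
}

# enumerate: run each enumeration tool that is installed and merge the results.
enumerate() {
  domain="$1"
  {
    if command -v assetfinder >/dev/null 2>&1; then assetfinder -subs-only "$domain" || true; fi
    if command -v findomain >/dev/null 2>&1; then findomain -t "$domain" -q || true; fi
    if command -v amass >/dev/null 2>&1; then amass enum -passive -d "$domain" || true; fi
  } 2>/dev/null | normalize_subs "$domain"
}

# resolve_ips: map each hostname on stdin to its IPv4 addresses; names that
# do not resolve are silently skipped.
resolve_ips() {
  while read -r host; do
    getent ahostsv4 "$host" 2>/dev/null | awk '{print $1}' || true
  done | sort -u
}

# port_scan: naabu when present (faster), otherwise the nmap line from the post.
port_scan() {
  ips="$1"; out="$2"
  if command -v naabu >/dev/null 2>&1; then
    naabu -list "$ips" -o "$out"        # assumed naabu flags
  else
    nmap -sV -iL "$ips" -oN "$out"
  fi
}

# open_ports: turn nmap -oN output on stdin into host:port lines for review.
open_ports() {
  awk '
    /^Nmap scan report for / { host = $5; next }
    /^[0-9]+\/(tcp|udp) +open/ { split($1, p, "/"); print host ":" p[1] }
  '
}

# Constructed sample of nmap -oN output (not a real scan) so the parser runs offline.
SAMPLE_NMAP='# Nmap 7.93 scan initiated (constructed sample)
Nmap scan report for loadturn002.example.com (203.0.113.10)
Host is up (0.020s latency).
Not shown: 998 closed tcp ports
PORT     STATE  SERVICE VERSION
443/tcp  open   https   nginx
5080/tcp open   http    OnScreen Data Collection Service
Nmap scan report for 203.0.113.11
Host is up (0.031s latency).
All 1000 scanned ports on 203.0.113.11 are closed'

# With a domain argument, run the live pipeline; without one, only demonstrate
# the parser on the constructed sample.
if [ "$#" -gt 0 ]; then
  enumerate "$1" > subdomains.txt
  resolve_ips < subdomains.txt > ips.txt
  port_scan ips.txt nmap_scan.txt
  open_ports < nmap_scan.txt
else
  printf '%s\n' "$SAMPLE_NMAP" | open_ports
fi
```

Run it as `./recon.sh target.com` to produce `subdomains.txt`, `ips.txt` and `nmap_scan.txt` in the current directory; the final `open_ports` listing is the short list of host:port pairs worth opening in a browser, which is exactly the review step the next paragraph describes.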
Going through the nmap results, I found that one subdomain (loadturn002.example.com) had port 5080 (OnScreen Data Collection Service) open. I quickly went to the browser and typed http://loadturn002.example.com:5080; it gave me a "File no Found" error with some server information. I thought I'd try directory brute-forcing, so I fired up dirsearch.
python3 dirsearch.py -u http://loadturn002.example.com:5080 -e '*' -w my_wordlist.txt -t 100 -x 403,404,301
And interestingly, it found a path named "/etc/passwd", and I was like…
I opened the browser, typed http://loadturn002.example.com:5080/etc/passwd, and I got
- Always try to find as many subdomains as you can.
- Shortlist all the subdomains that look juicy, then try hidden parameter search, directory brute-forcing, port scanning, JS files and CVE search.
- Strong and proper recon = sometimes an easy win :)