How I hacked into a website to prepare for my finals

Mhamed Kchikech
Jun 20 · 4 min read

Hello everyone, this is my very first writeup. Hope you enjoy it.

This is my last year in high school, so we had the final exam last week. As you all know, bug bounty and programming take up a very large part of my life, so I had no time and no intention to prepare for my finals. 7 days before the exam, I started looking for a website that gives free or paid lessons, and I found this amazing website that explains lessons very well. The only inconvenience is that they only sell early access, and it costs 120eur, which is expensive for 7 days of use. So I turned on my hacker mind and decided to get that paid access for free by the end of the day.

I can’t disclose the website address right now, so let the address be redacted.com.

The first thing I did was sign up and look for an endpoint vulnerable to SQLi or NoSQLi. I ended up with nothing; the website was immune up to this point. Then I went through the payment process. They were using Braintree to process payments, so I figured there was no way to get free access from there by editing the amount or something like that, because I have hunted on Braintree like a million times.

So I decided to go to the next level and do proper recon. I started by extracting domains, using Aquatone to do so. I ran aquatone-gather and got some pretty cool endpoints. One of them was called dev.redacted.com. At first it wasn’t that cool; it gave me a 404 Not Found error. I didn’t stop there, so I ran a quick nmap check. I got five open ports (22, 80, 443, 8080, 8081). I started with 8080 and again got 404 Not Found. I ran dirb and gobuster and found nothing new. While I was fuzzing dev.redacted.com:8080, I was looking into dev.redacted.com:8081. Things were getting a little wild there: I got a basic authorization prompt.

I tested the default users and passwords (Admin:Admin), (admin:admin)… and got nothing. I was a little disappointed, and I said brute force can help. I downloaded a medium wordlist and set up Burp Suite to brute-force this sign-in page. After almost 3 hours I got a successful response. When I saw the username and password I realized how dumb I am: the username was dev and the password also 😂 😂 😂, wasted 3 hours for nothing. As the URL describes, the endpoint was a dev version of the actual website. I started looking for new features there and ended up with nothing. I went through the payment process again. Then I realized I had nailed it when I saw this

I chose Card and went through the payment process. I searched for “Braintree test cards” on Google and found this in the documentation.

I tested one of those cards,

Clicked Pay.

And boom, the payment was successful, and I got free access to all the lessons and exercises. But in the end, I flushed all this work down the toilet: I didn’t use this website to prepare for my finals 😂😂😂 and went to pass them without even knowing the title of the lessons.

As a thank you (even if I didn’t use that website), I reported the bug to the site owner and I have no intention to get a monetary reward.
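From the site owner's side, the three-hour brute force against the Basic-auth prompt described above shows up in the dev host's access log as a long run of 401 responses from one client, ending in a 200. The following is an added example, not part of the original writeup, that flags that pattern; it assumes the server writes Common Log Format, and the log lines, IP addresses, usernames other than dev and the threshold of 20 are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: client, identd, Basic-auth user, [time], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def find_bruteforce(lines, min_failures=20):
    """Flag clients with >= min_failures 401s in a row, and whether a login then succeeded."""
    state = defaultdict(lambda: {"fails": 0, "users": set()})
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, status = m["ip"], m["user"], int(m["status"])
        s = state[ip]
        if status == 401:
            s["fails"] += 1
            if user != "-":
                s["users"].add(user)
        elif status < 400 and user != "-":
            # Authenticated request accepted: report it if it ends a long failure run.
            if s["fails"] >= min_failures:
                findings.append({"ip": ip, "failures": s["fails"],
                                 "usernames_tried": len(s["users"]), "succeeded_as": user})
            del state[ip]  # reset the run for this client
    # Runs that never succeeded are still worth an alert.
    for ip, s in state.items():
        if s["fails"] >= min_failures:
            findings.append({"ip": ip, "failures": s["fails"],
                             "usernames_tried": len(s["users"]), "succeeded_as": None})
    return findings

def sample_log():
    """Constructed log lines (documentation IP ranges, made-up timestamp)."""
    ts = "[01/Jan/2024:10:00:00 +0000]"
    req = '"GET / HTTP/1.1"'
    # Normal browser login: one unauthenticated 401, then success.
    lines = [f"198.51.100.4 - - {ts} {req} 401 381",
             f"198.51.100.4 - alice {ts} {req} 200 5120"]
    # Wordlist run that ends in a hit on a trivial credential.
    lines += [f"203.0.113.7 - user{i} {ts} {req} 401 381" for i in range(40)]
    lines.append(f"203.0.113.7 - dev {ts} {req} 200 5120")
    # Ongoing guessing against a single username, no success yet.
    lines += [f"192.0.2.9 - admin {ts} {req} 401 381" for _ in range(25)]
    return lines

if __name__ == "__main__":
    for finding in find_bruteforce(sample_log()):
        print(finding)
```

A finding with `succeeded_as` set means the guessed credential has to be rotated, not just the client blocked.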

Lessons to be learned:

  • 404 Not Found doesn’t mean the end of the road.
  • Brute force does help.
  • If you don’t use Nmap you’re missing a lot.
  • Don’t forget to use dirb and its alternatives.
  • Searching for subdomains is essential.

If you want to follow my work or reach out to me, here is my Twitter: https://twitter.com/mhamed_kchikech, my Facebook: https://www.facebook.com/mhamed365 and my HackerOne profile: https://hackerone.com/mhamed_kchikech