Hello everyone, this is my very first writeup. Hope you enjoy it.
This is my last year in high school, so we had the final exams last week. As you all know, bug bounty and programming take up a very large part of my life, so I had no time and no intention to prepare for my finals. 7 days before the exam, I started looking for a website that offers free or paid lessons, and I found this amazing website that explains lessons very well. The only inconvenience is that they only sell early access, and it costs 120 EUR, which is expensive for 7 days of use; so I turned on my hacker mind and decided to get that paid access for free by the end of the day.
I can’t disclose the website address right now, so let the address be redacted.com.
The first thing I did was sign up and look for an endpoint vulnerable to SQLi or NoSQLi. I ended up with nothing; the website was immune up to this point. Then I went through the payment process. They were using Braintree to process payments, so I figured there was no way to get free access there by editing the amount or something like that, because I have hunted on Braintree a million times.
So I decided to go to the next level and do proper recon. I started by enumerating subdomains, using Aquatone to do so. I ran aquatone-gather and got some pretty cool endpoints. One of them was dev.redacted.com. At first it wasn't that interesting: it gave me a 404 Not Found error. I didn't stop there, so I ran a quick nmap check and got five open ports (22, 80, 443, 8080, 8081). I started with 8080 and again got 404 Not Found; I ran dirb and gobuster and found nothing new. While I was fuzzing dev.redacted.com:8080, I was looking into dev.redacted.com:8081, and things were getting a little wild there: I got a basic authorization prompt.
I tested the default usernames and passwords (Admin:Admin), (admin:admin)… and got nothing. I was a little disappointed, and I said brute force can help. I downloaded a medium wordlist and set up Burp Suite to brute-force this sign-in page. After almost 3 hours I got a successful response, and when I saw the username and password I realized how dumb I am: the username was dev and so was the password 😂 😂 😂, 3 hours wasted for nothing. As the URL suggests, the endpoint was a dev version of the actual website. I started looking for new features there and ended up with nothing. I went through the payment process again. Then I realized I had nailed it when I saw this
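From the site owner's side, the three-hour brute force against that basic-auth prompt on port 8081 would have been visible in the web server's access log as a long burst of 401 responses from one address, followed by a 200 once dev:dev was guessed. The following detector is an added example written for this writeup, not code from the post or from any tool it mentions; it parses Combined Log Format lines, flags any source that produces a configurable number of 401s inside a sliding time window, and records whether a successful response followed the burst (the signal that credentials were actually guessed rather than merely attempted). The log lines are constructed for the example, and the IPs, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip/ts/req/status for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs that produce >= threshold 401 responses within `window`.

    Returns {ip: {"first_failure": datetime, "failures": int, "success_after": bool}}.
    success_after becomes True when a 2xx/3xx from a flagged IP follows the burst,
    i.e. the guessing most likely succeeded and the account should be reviewed.
    """
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the current window
    total_401 = defaultdict(int)  # ip -> all 401s seen, for the report
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["status"] == 401:
            total_401[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_failure": q[0], "success_after": False}
        elif ip in flagged and 200 <= ev["status"] < 400:
            flagged[ip]["success_after"] = True
    for ip, rep in flagged.items():
        rep["failures"] = total_401[ip]
    return flagged


def constructed_sample_log():
    """Constructed sample: one guessing burst that ends in a 200, plus a user who mistyped once."""
    base = datetime(2019, 6, 10, 14, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, status):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" {status} 179 "-" "curl/7.64.0"'

    lines = [fmt("203.0.113.7", base + timedelta(seconds=i), 401) for i in range(12)]
    lines.append(fmt("203.0.113.7", base + timedelta(seconds=12), 200))      # guess succeeded
    lines.append(fmt("198.51.100.23", base + timedelta(seconds=30), 401))    # one typo
    lines.append(fmt("198.51.100.23", base + timedelta(seconds=35), 200))    # then logged in
    return lines


if __name__ == "__main__":
    for ip, rep in find_bruteforce(constructed_sample_log()).items():
        print(ip, rep)
```

In practice the threshold belongs well below ten: a legitimate user rarely fails basic auth more than a handful of times, and a dev host like this one should not be reachable from the internet at all, so any burst there is worth an alert.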
I chose Card and went through the payment process. I searched for “Braintree test cards” on Google and found this in the documentation.
I tested one of those cards,
And boom, the payment was successful, and I got free access to all the lessons and exercises. But in the end, I flushed all this work down the toilet: I didn't use this website to prepare for my finals 😂😂😂 and went to pass them without even knowing the titles of the lessons.
As a thank you (even though I didn't use the website), I reported the bug to the site owner, and I have no intention of getting a monetary reward.
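The root cause here is a dev instance whose payment gateway ran in sandbox mode (so documented test cards are accepted) while its successful "payments" still unlocked the real paid content. Two guards prevent that class of bug: refuse to start when the gateway environment and the entitlement store do not match, and never grant access on a transaction that did not come from the production gateway. The snippet below is an added example written for this writeup, not the site's or Braintree's code; the Settings fields, the transaction dict shape and the status names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Settings:
    """Hypothetical app settings (a real app would load these from env vars or config)."""
    deploy_env: str         # "production", "staging" or "dev"
    gateway_env: str        # "production" or "sandbox" (the two Braintree environments)
    entitlement_store: str  # which user/access database this instance writes to
    price: str              # what early access costs, as a decimal string
    currency: str


def check_settings(s):
    """Return a list of configuration problems; an empty list means safe to start."""
    problems = []
    if s.deploy_env == "production" and s.gateway_env != "production":
        problems.append("production deployment must use the production gateway")
    if s.gateway_env == "sandbox" and s.entitlement_store == "production":
        problems.append("sandbox payments must never unlock production entitlements")
    return problems


# Statuses taken to mean the charge was actually captured (assumed names for the
# example, not the gateway's authoritative list).
PAID_STATUSES = {"submitted_for_settlement", "settling", "settled"}


def should_grant_access(tx, s):
    """Decide whether a normalised transaction record entitles the payer to paid content.

    tx is an assumed dict shape: {"environment", "status", "amount", "currency"}.
    Returns (granted: bool, reason: str).
    """
    if tx.get("environment") != s.gateway_env:
        return False, "transaction came from a different gateway environment"
    if s.gateway_env != "production":
        # A sandbox charge (test card) proves nothing; at most flag a sandbox-only account.
        return False, "sandbox gateway: test cards never unlock real content"
    if tx.get("status") not in PAID_STATUSES:
        return False, "charge not captured: %s" % tx.get("status")
    if tx.get("currency") != s.currency or Decimal(str(tx.get("amount", "0"))) < Decimal(s.price):
        return False, "amount or currency does not cover the price"
    return True, "ok"


if __name__ == "__main__":
    # The misconfiguration from the writeup: dev host, sandbox gateway, production entitlements.
    leaky_dev = Settings("dev", "sandbox", "production", "120.00", "EUR")
    print(check_settings(leaky_dev))
    test_card_tx = {"environment": "sandbox", "status": "settled", "amount": "120.00", "currency": "EUR"}
    print(should_grant_access(test_card_tx, leaky_dev))
```

Run check_settings at process start and fail closed on any problem; should_grant_access belongs in the webhook or callback handler that flips the user's access flag, so a sandbox transaction can never reach the production entitlement table.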
Lessons to be learned:
- 404 Not Found doesn't mean the end of the road.
- Brute force does help.
- If you don't use Nmap, you're missing a lot.
- Don't forget to use dirb and its alternatives.
- Searching for subdomains is essential.
If you want to follow my work or reach out to me, here is my Twitter: https://twitter.com/mhamed_kchikech , my Facebook: https://www.facebook.com/mhamed365 and my HackerOne profile: https://hackerone.com/mhamed_kchikech