Back to 2019: Disclosure Employers PII and Credentials

Hi! I am starting a series of articles where I will show bugs I found on different bug bounty programs (mostly from HackerOne and Bugcrowd). It was announced on my Twitter. The next article will be released on Friday and will cover some non-technical aspects of bug bounty.

Recon

The scope of the target program was like:

  • *.example.com

I like to do full recon on every target. This includes ASN ranges, all of the company's domains, open ports, AWS IPs that belong to the specific company, GitHub profiles, etc. It can give you internal paths, parameter names, and filenames for "in scope" assets.

So I want to see a complete picture of the company. Time to use public data!

This story is about how to find many of a company's domains using WHOIS information. Let's take PayPal as an example.

The most interesting part of a WHOIS response is the specific entries that are unique to the company (they can be different for other domains of the target). In this case they are:

Registrant Organization: PayPal Inc.
Registrant Email: hostmaster@paypal.com

What can we do with this information? Maybe we can ask Google about it? Let's try.

As you can see, we found a large number of domains that are registered to PayPal Inc. Easy!
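The same WHOIS pivot, run from the owner's side to inventory domains that share the company's registrant data but are missing from the documented scope. This is an added example, not the author's tooling: the WHOIS records are constructed samples and the function names are hypothetical.

```python
import fnmatch

# Constructed WHOIS responses (not real lookups), keyed by domain.
SAMPLE_WHOIS = {
    "example.com": """Registrant Organization: Example Inc.
Registrant Email: hostmaster@example.com
""",
    "exampleasia.com": """Registrant Organization: EXAMPLE INC
Registrant Email: Hostmaster@Example.com
""",
    "unrelated.org": """Registrant Organization: Privacy Service Ltd
Registrant Email: REDACTED FOR PRIVACY
""",
}
PIVOT_FIELDS = ("registrant organization", "registrant email")


def parse_whois(raw):
    """Return the registrant fields of one WHOIS response, normalised."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in PIVOT_FIELDS and key not in fields:
            # Case and trailing punctuation vary between registrars.
            fields[key] = value.strip().lower().rstrip(".")
    return fields


def in_scope(domain, patterns):
    """True if the domain matches a scope wildcard or is its apex."""
    return any(fnmatch.fnmatch(domain, p) or domain == p.removeprefix("*.")
               for p in patterns)


def unlisted_domains(whois_by_domain, seed, patterns):
    """Domains sharing a registrant field with `seed` but outside scope."""
    seed_fields = parse_whois(whois_by_domain[seed])
    hits = {}
    for domain, raw in whois_by_domain.items():
        fields = parse_whois(raw)
        shared = sorted(k for k, v in fields.items() if seed_fields.get(k) == v)
        if shared and not in_scope(domain, patterns):
            hits[domain] = shared
    return hits
```

Calling `unlisted_domains(SAMPLE_WHOIS, "example.com", ["*.example.com"])` reports `exampleasia.com` with both registrant fields matching, which is the kind of forgotten asset the rest of this story is about.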

With this I found a domain registered to the target company, which was called something like exampleasia.com. Note that this domain is not marked as "in scope", so we cannot use big wordlists or actively scan hosts on this domain for vulnerabilities. In this case I always check for directory indexing bugs. For this I use my wordlist of common directory names (1500 lines).

The scan completed and I started looking through the results. From the results I found that the host bop.exampleasia.com had directory indexing on the /webmaster/ path. In this folder were 2 other folders, one of which was called uploaded and located at /webmaster/uploaded/. This folder contained many PDF files, which gave me the username and password for the admin panel and personal information about employers (such as full name, personal telephone number and even home address). Also, in these documents I was able to find usernames and passwords for other company assets (but not so critical). After my report the company closed this subdomain and rewarded me with $1000 (as High).