How I got RCE on 403 admin.redacted.org

Shivpratapsingh
2 min read · Mar 2, 2024

I got RCE on an admin subdomain that returned a 403 status code.
I hadn’t imagined anything like that before starting on this target.

subheading1:

I don’t have any fixed framework or methodology that I use when starting on a target, and yes, I know this isn’t good practice.

I began with subdomain enumeration using these 5 tools:

Amass
Assetfinder
Haktrails
Subdominator
Subfinder

I filtered out the subdomains with a 200 status code and started hunting on them one by one. I found some common bugs, but nothing big.
So I decided to take another look at the subdomain file (the unfiltered one).
Eventually, I found a subdomain:
admin.[redacted.org]
with status code 403.

I visited that subdomain and got the classic Akamai 403 response 🕵

So I decided to collect all the 403 subdomains from the subdomain file and fuzz them: I grepped out every 403 and used Dirsearch to fuzz all of them.

Dirsearch: a tool built with Python 3 that fuzzes a list of domains one by one.

I found some very sensitive files on admin.[redacted.org].
I was amazed at the number of sensitive files the tool found: almost 63 files.
After that, I went through each one of them meticulously.

In case you are wondering what wordlist I use, it is a merged version of the ones listed below, with some extra words I found in LinkedIn posts, Twitter posts and blogs:
Assetnote Wordlist
Godfather Orwa’s Wordlist
OneListForAll

subheading2:

I came across a file named “gruntfile.js”.
It was a huge file; I searched it thoroughly and found a path leading to a sensitive file, “package.json”.

Just after seeing this file, the same thing came to my mind that just came to yours: an NPM package dependency confusion attack, right? (Did I just spoil the suspense? 🫢)

After opening the file path, I found a package name; let’s call it “Package123”.
I searched for the package name on npmjs.com,
and luckily there wasn’t any package listed with the same name.

But sometimes packages listed on npmjs.com don’t show up in the search bar, so just to confirm it I checked it this way:
https://registry.npmjs.com/package123

And yes, this confirmed that there was no package with the same name.

So I went straight to https://npmjs.com, made an account and published the package containing the malicious code that gave me a reverse shell.

Just 5 minutes after publishing it I got the reverse shell, and at that moment I was like “I’m in! Now, where’s the Wi-Fi password?” 😂
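The registry lookup above is also the check a defender should run over their own manifests before an attacker does. The following is an added example, not code from the post: it parses a constructed package.json (the package and scope names in it are made up), skips scoped names, and reports every unscoped dependency that no public npm package has claimed, using the same registry URL the post uses rather than the search bar. Those names are the ones an organisation should claim or move under its own scope.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample manifest standing in for the leaked package.json.
SAMPLE_PACKAGE_JSON = """{
  "name": "admin-portal",
  "dependencies": {
    "express": "^4.18.2",
    "package123": "1.0.0",
    "@redacted-org/billing-client": "2.1.0"
  },
  "devDependencies": {
    "grunt": "~1.6.1",
    "internal-build-helpers": "0.3.0"
  }
}"""

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def npm_package_exists(name, registry="https://registry.npmjs.com"):
    """Authoritative existence check against the registry API (the URL the
    post uses instead of the search bar). A 404 means the name is unclaimed."""
    # '/' inside a scoped name must be sent as %2F; keep the leading '@'.
    url = "%s/%s" % (registry, urllib.parse.quote(name, safe="@"))
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def audit_package_json(text, exists=npm_package_exists):
    """Return the unscoped dependency names that no public package has claimed,
    i.e. the names exposed to dependency confusion if this manifest is ever
    installed with the public registry in the resolution path."""
    manifest = json.loads(text)
    unclaimed = []
    for field in DEP_FIELDS:
        for name in manifest.get(field, {}):
            if name.startswith("@"):
                continue  # scoped: only the scope owner can publish under it
            if not exists(name):
                unclaimed.append(name)
    return sorted(unclaimed)


if __name__ == "__main__":
    # Offline run with a constructed view of the public registry.
    public = {"express", "grunt"}
    print(audit_package_json(SAMPLE_PACKAGE_JSON, exists=lambda n: n in public))
```

Drop the `exists=` argument to query the live registry; an empty result means every unscoped dependency already resolves to a public package, which still deserves a look if it is meant to be internal.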

Tip of the Blog: “Always Fuzz, Never Mind the Status Code”

If you wondered why I named the subheadings “subheading”, it’s because, at the time of writing, I couldn’t think of any.
