Hello to readers,

This article is about the funniest remote code execution that i have ever found in a public program on bug crowd. Off course for privacy purposes, we will not disclose the name of the program, so lets call it

So as always, I was following the regular Recon steps.

Step No#1: Information Gathering

Firstly, I visited the Bugcrowd platform and checked for a program. For a change, I tried a public program this time.

I saw their scope is wide * (Which is the greatest relief for a bug hunter. Wide scope = more bugs :P )

Step No#2: Subdomain Mapping

Next i used the amass tool to look for sub domains for this host.

From the scan result, I found a number of unused sub domains which led me to narrow down my search to one in particular . Let’s say that was

Step No#3: Vulnerability Identification

After looking into that, I was shocked to see that the website which i found is hosting the Damn Vulnerable Web Application . That looked weird.

Why should a website host something like DVWA, that has a mother-load of vulnerabilities.

Step No#4: Penetration

I continued with the testing and I used the default login password “ admin “ “admin” and logged in to the website and uploaded a php shell and got a reverse shell . I found that it was still exploitable, but stopped it here and reported to the program.

It was a quick response that I got back from the program. I have never seen a bug getting fixed this fast. Within, one hour everything got addressed and fixed.

Well, it was one of the weirdest and funniest bug I have ever found. It was shocking to see a big reputed company making simple mistakes like this. 
Thanks to Bugcrowd and team in helping to resolve the issue fast!!