P1 Vulnerability in 60 seconds
In January 2018 I was invited to a private program on Bugcrowd with a *.bountydomain.com scope.
I found 12 vulnerabilities on subdomains of this company and decided to look at the main site, which is located at www.bountydomain.com. I ran Wfuzz (I love Wfuzz much more than DirBuster) and found that a WordPress blog was running at https://www.bountydomain.com/blog/.
My first thought was: “Man, this is a new version of WordPress and the blog is on the main site => no vuln”. But I decided to check this resource… and BINGO!!!
Wfuzz told me that the following URL returned a 200 status code: https://www.bountydomain.com/blog/_wpeprivate/config.json
This file disclosed the API key from WPEngine, the DB username, the DB password and so on.
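For site owners who want to know whether the same file was ever served from their own blog, here is an added example (not code from this post) that scans web server access logs for requests under `_wpeprivate` that were answered with a 2xx status. It assumes Combined Log Format; the function name `exposed_hits` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SENSITIVE_DIR = "_wpeprivate"  # directory name taken from the post


def exposed_hits(lines):
    """Return (ip, time, path, status) for served requests under _wpeprivate."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Decode percent-encoding and drop the query string before matching
        path = unquote(urlsplit(m["target"]).path)
        segments = [s.lower() for s in path.split("/") if s]
        status = int(m["status"])
        # 2xx means content was served; 403/404 means the path is blocked
        if SENSITIVE_DIR in segments and 200 <= status < 300:
            hits.append((m["ip"], m["time"], path, status))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2018:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2018:10:01:05 +0000] "GET /blog/_wpeprivate/config.json HTTP/1.1" 200 1843 "-" "curl/7.58"',
    '198.51.100.9 - - [12/Jan/2018:10:02:11 +0000] "GET /blog/%5Fwpeprivate/config.json?x=1 HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.9 - - [12/Jan/2018:10:03:40 +0000] "GET /blog/_wpeprivate/config.json HTTP/1.1" 403 162 "-" "-"',
    '192.0.2.44 - - [12/Jan/2018:10:04:00 +0000] "GET /blog/my_wpeprivate_notes HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, when, path, status in exposed_hits(SAMPLE_LOG):
        print(f"{when} {ip} {status} {path}")
```

Any hit means the file's contents left the server, so the credentials it held should be treated as compromised and rotated, in addition to blocking the path.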