📚 h1-ctf: [H1-2006 2020] Exploiting multiple vulnerabilities to get hacker's payment ensured
💡 News category: Security vulnerabilities
🔗 Source: vulners.com
Last week, HackerOne's CEO Marten lost his credentials for BountyPay. A tweet from HackerOne's official Twitter account asked ethical hackers and bounty hunters to help the CEO recover his credentials and ensure May's payments. As an active bug hunter on HackerOne, I decided to take on this challenge. Hey, in these times of pandemic-induced quarantine, I can't afford not to get paid for my BB hunting! Plus it's a win-win: I get paid my due bounties through the platform, and Marten gets the work done. And we can tweet the famous "togetherWeHitHarder" tweet again. So let's get this done.

Recon:

As usual, I started with subdomain enumeration on bountypay.h1ctf.com, since the scope is a wildcard and we want a vantage point on every subdomain of the target. That is how I discovered five subdomains: www, app, staff, api and software. I then ran visual recon alongside content discovery on each subdomain. From what I saw, I could make the following assumptions:

1. www: the main domain; it offers no further access and exists only for marketing and communication purposes.
2. api: a REST API with JSON output that controls all of BountyPay's services in one place.
3. staff: the area where BountyPay's staff can log in and communicate with each other.
4. software: where the company shares useful software with its staff and customers; access is IP-based.
5. app: the main application... ...
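The enumeration step above, as an added example that is not part of the original writeup or of any tool the author used: a wordlist-driven subdomain brute-forcer that first probes random labels to detect wildcard DNS, because on a wildcard zone every word in the list "resolves" and the results are worthless until the wildcard address is filtered out. The zone contents, the wordlist, the documentation-range IP addresses and the fake resolvers are constructed here so the script runs offline; pass `live_resolver` (the default) to run it against a real domain in scope.

```python
"""Wordlist-based subdomain enumeration with a wildcard-DNS sanity check.

Added example, not code from the original writeup. The target zone,
wordlist and fake resolvers below are constructed for illustration.
"""
import secrets
import socket
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[str]]


def live_resolver(hostname: str) -> Optional[str]:
    """Resolve with the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels; any answer means wildcard DNS is in play.

    Brute-forcing a wildcard zone 'finds' every word in the list, so the
    addresses returned here must be filtered out of the real results.
    """
    found: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, never in a wordlist
        addr = resolve(f"{label}.{domain}")
        if addr:
            found.add(addr)
    return found


def enumerate_subdomains(
    domain: str, wordlist: List[str], resolve: Resolver = live_resolver
) -> Dict[str, str]:
    """Return {fqdn: address} for every wordlist label that resolves,
    ignoring answers that match the wildcard address set."""
    noise = wildcard_addresses(domain, resolve)
    hits: Dict[str, str] = {}
    for word in wordlist:
        word = word.strip().lower()
        if not word:
            continue
        fqdn = f"{word}.{domain}"
        addr = resolve(fqdn)
        if addr and addr not in noise:
            hits[fqdn] = addr
    return hits


# --- constructed data so the example runs offline (hypothetical addresses) ---
FAKE_ZONE = {
    "www.bountypay.h1ctf.com": "203.0.113.10",
    "app.bountypay.h1ctf.com": "203.0.113.11",
    "staff.bountypay.h1ctf.com": "203.0.113.12",
    "api.bountypay.h1ctf.com": "203.0.113.13",
    "software.bountypay.h1ctf.com": "203.0.113.14",
}
WORDLIST = ["www", "app", "staff", "api", "software", "mail", "dev", "admin"]


def fake_resolver(hostname: str) -> Optional[str]:
    """Resolver over the constructed zone only; unknown names do not exist."""
    return FAKE_ZONE.get(hostname)


def fake_wildcard_resolver(hostname: str) -> Optional[str]:
    """Same zone, but every unknown name under the domain answers 198.51.100.1."""
    if hostname in FAKE_ZONE:
        return FAKE_ZONE[hostname]
    if hostname.endswith(".bountypay.h1ctf.com"):
        return "198.51.100.1"
    return None


if __name__ == "__main__":
    found = enumerate_subdomains("bountypay.h1ctf.com", WORDLIST, fake_resolver)
    for fqdn, addr in sorted(found.items()):
        print(f"{fqdn:35} {addr}")
```

With the wildcard-aware resolver, "mail", "dev" and "admin" all answer 198.51.100.1, which matches the random-probe result and is dropped, so only the five real hosts survive; without that check a wildcard zone would hand you the entire wordlist as "discovered" subdomains.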