Bug Bounty { How I Found a Sensitive Information Disclosure (Reconnaissance) }

S Rahul, published in System Weakness, Sep 18, 2022

Hello everyone, Welcome Back!

I am S Rahul, working as an Information Security Analyst at NUK 9 Auditors and a bug bounty hunter on HackerOne, Bugcrowd, etc. I am a well-rounded IT professional with 2+ years of cyber security experience.

Today I am going to discuss my recent finding: a Sensitive Information Disclosure found through Reconnaissance.

There are two ways to get the origin IPs and internet-facing IPs of an organization:

  1. Manual approach using Censys, Shodan, SecurityTrails, FOFA, ZoomEye, etc. To learn more about the manual approach, you can refer to this blog.
  2. Automation approach using the uncover tool.

What is the uncover tool?

The uncover tool is a Go wrapper that uses well-known search engine APIs to find exposed hosts on the internet quickly. It is built with automation in mind, so you can query it and feed the results into your existing pipeline tools. uncover can query multiple search engines at once; supported engines include Shodan, Censys, FOFA, Hunter, Quake, ZoomEye, etc. To learn more about uncover and its installation, refer to the uncover project page.

Let’s begin with our main topic, i.e., how I found a Sensitive Information Disclosure through Reconnaissance.

I selected a bug bounty program through Google Dorks. The Google Dork I used was “responsible disclosure bounty r=h:uk”. Due to their responsible disclosure policy, I can’t disclose the program, so let us call the domain target.com.

Before starting manual pentesting, I set aside a good amount of time for reconnaissance. I collected all live domains and, in different terminals, ran different tools such as nmap, webanalyze, waybackurls, naabu, a 403-bypass tool on domains returning 403 Forbidden, nuclei, etc. But I did not find anything interesting.

Then I ran the uncover tool on target.com:

# straight quotes: the curly quotes from the original rendering would be passed to uncover as part of the query
uncover -q "target.com" -e censys,fofa,shodan,shodan-idb | httpx | tee ips.txt

cat ips.txt

After a few seconds, I got some IPs and started opening them manually in the web browser. You can use the Open Multiple URLs browser extension to open all the IP addresses instead of pasting them one at a time, to save time.

After reviewing all the IPs, I found one IP that exposed some juicy files.

The password_control file contained sensitive information: usernames and password hashes for some of their internal systems.

Now I had to verify whether this IP belongs to the same organization or not. I quickly ran whois on the IP (whois <ip>) but did not get much information, so I opened the IP in the Firefox browser.

In Firefox, it asked for credentials to access it 🤣, but in Chrome it gave me direct access. Firefox also showed a domain name 🤔, so I searched for that domain, visited its home page, and found a bug bounty page on that site. I clicked on it and it redirected to the bug bounty policy page of my target.com.

This confirmed that the IP belongs to the organization. I quickly made the PoC and reported it to the bug bounty program.
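The ownership check above is the step that decides whether a discovered host is even in scope, and it is worth doing for the whole uncover output rather than one IP at a time. The script below is an added example (not code from the original post or from the uncover project): it reads httpx-style URL lines, deduplicates the hosts, attributes any IP that falls inside the organization's known address ranges, and queues everything else for manual verification (whois, browser check, the program's policy page) before anything is reported. The sample ips.txt content and the CIDR range are constructed placeholders, and KNOWN_RANGES is assumed to come from the program scope or an asset inventory.

```python
"""Triage hosts from an `uncover ... | httpx | tee ips.txt` run.

Added example, not part of the original post. Hosts inside a known
organization range are attributed automatically; anything else is
flagged as unverified so it is checked by hand before being reported.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of what httpx leaves in ips.txt (one URL per line).
# TEST-NET addresses (RFC 5737) are used so nothing here points at a real host.
SAMPLE_IPS_TXT = """\
https://203.0.113.10
https://203.0.113.10:8443
http://203.0.113.25:8080
https://198.51.100.7
http://192.0.2.44
https://www.example.com
"""

# Hypothetical: ranges the organization is known to own (from the program
# scope, whois, or your own asset inventory). Replace with real allocations.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def extract_hosts(text):
    """Return unique hostnames/IPs from httpx-style URL lines, in first-seen order."""
    seen = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = urlsplit(line).hostname  # strips scheme and port, keeps the host
        if host and host not in seen:
            seen.append(host)
    return seen


def attribute_host(host, known_ranges=KNOWN_RANGES):
    """Classify a host as 'in-scope', 'unverified-ip', or 'hostname'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: ownership is checked via the domain, not an IP range.
        return "hostname"
    if any(addr in net for net in known_ranges):
        return "in-scope"
    # An IP outside every known range must not be assumed to belong to
    # the target; verify ownership (whois, browser, policy page) first.
    return "unverified-ip"


def triage(text, known_ranges=KNOWN_RANGES):
    """Bucket every discovered host by attribution result."""
    report = {"in-scope": [], "unverified-ip": [], "hostname": []}
    for host in extract_hosts(text):
        report[attribute_host(host, known_ranges)].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_IPS_TXT).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything that lands in the unverified-ip bucket is exactly the case described above: the host may be shared hosting or a third party, so the manual check (whois, which domain the server presents, whether its bug bounty page points back at the target's policy) has to happen before the finding is written up.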

Reported: Sept 5, 2022

Response: Sept 9, 2022

Hi,

Thank you for your help in finding this vulnerability.

We are ready to pay $$$. Please send us a link to the $$$ PayPal invoice, and we will pay it.

Tip: Always open the IP address in both Chrome and Firefox. Sometimes you will get different information from different browsers.

Thanks for reading guys.

Don’t forget to follow and connect with me on Instagram, LinkedIn, and Twitter.


Cyber Security Analyst | CEH-Practical | RHCSA | Penetration tester