
All right, let's move forward. I would like to welcome Mr. Satyam to present his talk on finding P1s while being lazy. Thank you for being here. So without wasting any time, let's move on with how to find P1s at will.

Well, something about me: I am a full-time bug bounty hunter, I mostly hunt at Synack, I also create content on YouTube, I've written some blogs as well, and I'm also a volunteer. So that's basically it. Let's get started.

The lazy approach. So basically I am one of the laziest guys you will ever come across, and I procrastinate a lot, like I made this PPT at 4 AM today in the morning. And if you still have any doubts, meet me after the session, I'll get you a chat with my parents and they will confirm to you that I am. So keeping that aside, the first thing is thinking inside the box. As you see, every one of the talks, the wonderful talks, each one of them was very technical. It was thinking something outside the box, like chaining the vulnerabilities or approaching SPF records; everything was thinking outside the box. But let's get a little lazy; we should not ignore the basics. Thinking inside the box is what I'll explain later as well.

And we need to process the info. We can get a lot of information. Everyone is talking about recon these days, right? There are a lot of ways, there are a lot of things you can find with recon; you can go in depth, you can go vertical and horizontal as well. But the main thing is what you are actually doing with that information. Even if it's recon, and even if you come across any endpoint or anything at all, you need to know how to utilize that information, how to utilize that particular endpoint and what exactly to do with it. And yes, that's it, and bounty. So I'll explain a few bugs which I have found using, or manually exploring, the JavaScript files and nothing else. Let's move ahead.

So, free food. This was a multinational fast food company and this was for Synack. So I just logged into the application; I guess I did not log in as well. I just went on to the home page and I saw some JavaScript files being passed in the background. I have a habit of looking at JavaScript files manually as well, so one interesting thing that caught my eye was, as you can see, the order dev settings. I just thought, let's see what it offers. Moving on to that, I found this sort of panel, you can say, where, as you can see, there are a lot of different features, for example Canary, development, GMS Dev, etc., and there's an option as well to show hidden products. So I just selected development, ticked on "show hidden products" and moved back to the home page. What it did was it just redirected me back to the home page itself, but now what happened is, whenever you are trying to place an order, there were a lot of deals, there were a lot of food items which you are able to order, but now, after checking the development option and turning on the feature of showing the hidden products, there were some of the deals or some of the products which did not have a price, as you can see there. So I tried adding that to the cart and I was successfully able to add that to the cart as well. Moving on, I also found that there are a lot of free things; these were like coupons, you can say, and these were not visible or available before turning on that dev settings thing which I did earlier. So there are a lot of free things as well, as you can see: free cookie, free delivery, a lot of free stuff which you can directly add and combine as well. So this was basically the bug, and of course I did not try to explore it further. I was successfully able to add everything to the cart and place an order as well, but I actually did not place the order, for obvious reasons.

And when I submitted the bug, this was the reply that I got back, and that wasn't quite sweet. But yes, so any guesses for what I did next? Let me tell you. I just tried placing the order and I was successfully able to place the order. So basically the only caveat here was that the minimum order amount should be 200 rupees for the Indian side. So if you order anything for 200 rupees, you can select this deal or whatever food item it was multiple times; you can even order 10 of those and your order cost won't increase, and for 200 rupees you will be able to order anything. So that was the bug. It took almost around 30 minutes from finding it to reporting it and it was very trivial. So that was just it. And yeah, next I just ordered the food, I sent in the screenshot, the photo of the invoice, and I sent a photo of the food as well to the VO, just to ensure them that we were actually able to order the food. And coming back to procrastination, I just left it there. I was over the moon that I found something nice, but a few days later I realized there are a lot of subdomains for this particular organization, and I found that each and every subdomain for that particular organization was vulnerable to the same thing. So you can basically order free food from any part of the world where the organization exists. But yeah, unfortunately I was awarded around 700 or so for that, because welcome to Synack. So that was it.

Now moving on, next is RCE. This was also very trivial. I was manually going through the JavaScript files and I found an endpoint named image uploader.aspx. Now I just tried moving to the image uploader.aspx and I saw that there was basically nothing; it was some error that was showing. Unfortunately I do not have the screenshot for that, but the page basically did not show anything. But the manual ID parameter, as you can see, was also a part of the JavaScript as well; I found the same parameter in the same JavaScript file and I was just trying different things. Just adding that parameter, without any value, gave out a different result. I was just testing out different stuff like SQL injection, path traversal and stuff like that on this, and entering the C:\ directory gave the whole access of the server to me. I was very confused, like I was not sure if this is a bug or not. I talked to two or three friends of mine and I confirmed that this is not something which is trivial and which should not be existing in the first place. But again, welcome to Synack: they did not accept the bug, because for the RCE the condition on Synack is that you need to execute code somehow. So my next step was to try and figure out how to execute code remotely, right? I figured that we were able to upload any folders on the server root and we were able to upload any images or whatever it is, but we were not able to upload it on the location where the website was hosted, where the vhost actually existed. So for that I had to go through the files and try to figure out where the upload was allowed. For that I tried uploading stuff on various different folders, but on some of them it just did not allow me to upload, and on some of them it did not execute. So then I tried to upload a web shell, and it was an IIS server, right, so the verbose errors and stack traces were turned off. So what I thought of was, I uploaded a web.config file and I manually turned the debug mode on for any of the folders I tried, so that I could actually know what kind of error I'm getting, what is actually missing, and how the shell needed to be uploaded, right? So that way I figured out how to upload a normal basic PowerShell shell on the site, and that was it. So I again sent in the POC and everything, and after around 15-20 days they finally accepted. That was RCE.

Now let's talk about our SQL injection. This was also the same exact approach. I just went on to the home page and I was proxying everything through Burp, and I came across various JavaScript files. I was just manually moving through them and I found this sort of endpoint and parameters which were mentioned in the JavaScript file. Mind well that this was not available anywhere from the UI or directly from the web application itself, so this was sort of a hidden endpoint, you can say, and the parameters as well which needed to be provided. So that was very easy, I guess. I just added a single quote on that parameter and constructed a POST query, and it resulted in an execution of the sleep timer, right? And this is not some payload that I personally constructed; I had tried a bunch of different payloads already available from PayloadsAllTheThings. So that was also very trivial and this was basically easy; this was accepted in the first go, right? So that was nice, and then we just dumped it to sqlmap to find everything, and that was it.

Next is improper access control or information disclosure. So this is the most basic thing that you can find using JavaScript directly or manually, you can say. Again the same approach: I just went on to the particular target web application and there were a bunch of JavaScript files being called. I was traversing manually through the JavaScript file and I found some parameter which was named access, and the value of the parameter was also hard-coded in the JavaScript itself. On further scrolling I also found that an authorization header with its value was also hard-coded in the JavaScript file as well. So I finally found a way to construct the query: I hit the API endpoint with the POST request, added the same thing which we found here, with the same authorization header which was already hard-coded, and we were able to generate a valid JWT token for that particular web application, and we were able to bypass the login restrictions for the web application and directly access it. So that was it.

Again a similar approach: there was a data.txt named parameter, or, sorry, my bad, endpoint, which was mentioned in the JavaScript file, and I just tried to see what it is, and it leaked a bunch of key values, IDs and stuff like that which were basically critical according to the logic of the web application. The data was a bit old but it was still accepted.

And as a bonus, this was an authenticated bug. There was a feature to book some flights and there were like two different portals; the web application had the business logic of two different portals. One was managed by admins and higher-privilege people, and another subdomain, a different one, was managed by the actual users. So here we were able to log in with the admin panel, and there was a functionality to actually see the users, but there was no functionality to either reset their passwords or view their passwords or anything like that. But just checking the normal request, like, this was a GET request which was triggering on the home page itself after logging in, and just enumerating through the response I found that the IDs and passwords were hard-coded in the HTML for some reason, I have no idea why, but they were present for each and every account and user present for that web application. So that was it.

These are some tips which I would like to share, or these are the takeaways which I want to share with you guys. Stop assuming the obvious: if I had assumed that everyone would have seen the JavaScript files, or anyone would have visited this endpoint and it would have been reported, then I would not be able to find such bugs. Tools are the supplements: you can use a lot of tools like LinkFinder to find various endpoints and links within JavaScript files, but each and every web application is developed in a different way and you do not know how the developer is thinking. So if we think about some parameters, if they are in the form of a JSON or so and if it's written in a different way, then LinkFinder won't find that kind of thing, or it won't be indexed on the search engines as well. So manual is the way to go, and you can use the tools just as a supplement and not rely completely on them. Don't overcomplicate stuff, right? So this was the gist of the whole thing: I did nothing fancy, I just looked at the JavaScript files and visited the endpoints, and the bugs were right there in front of my eyes. Ask stupid questions: I'll ask you if you have any questions, but I know most of you won't ask, so you can reach out to me on my Twitter or anywhere and I'll be more than happy to answer as well. And don't just collaborate, make friends: a lot of the bugs which I showed here, and which I did not, I usually go back and forth with my friends a lot, and all of those with whom I have collaborated are very good friends of mine, and it's always good to have someone to bounce ideas off. It's not always about the bounty, right? Even if you have something trivial that may get you like 500, bouncing ideas off your friends and doing stuff together might result in some chaining of bugs and escalate to a quite bigger bounty. And finally, compete less and enjoy more. There is a lot of competition in this field; everyone is running behind dollars and bugs and stuff, but if you do not enjoy the whole process, then I don't think this field should be for you. That's all from my side. Thank you very much, and if you have any questions...

[Applause]

All right, great. Thank you so much, Satyam, for sharing pro tips and sharing with us such an informative session.