How Automation Detected Default Admin Credential Worth $500
Hello hackers, I am back with a new bug bounty write-up. In this post, I am going to show how my automation discovered default admin credentials on the company's internal IT portal, Sapphire IMS. The company runs a bug bounty program on HackerOne. I will use redacted.com as the main domain throughout.
*.redacted.com is in scope. As usual, I started with subdomain enumeration and found approximately 70 subdomains, of which only about 30 were reachable. I had already spent a few days on this program and submitted a few IDOR and access-control bugs on the main domain.
Ten of the unreachable subdomains have telling names, such as airflow.redacted.com and ims.redacted.com. It seems that internal portals run on them, and I assumed that access was limited to VPN or office IP ranges.
I assumed the following test cases for every internal portal:
- The portal is reachable without authentication
- The portal requires authentication
- The portal may accept default login credentials
Based on that, I assumed there was a real chance that at some point a developer would, by mistake, expose all of these portals to the public. Relying on that prediction, I added these subdomains to my automation. The automation runs every 10 minutes and uses a mix of community-created and custom nuclei templates to scan the subdomains for default credentials. I…
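The watcher described above, as an added example that is not the author's automation or any project's code: it probes each "internal" hostname, keeps the last reachability result, and launches nuclei's default-login templates only for hosts that flipped from unreachable to reachable since the previous run, so a portal that is exposed by mistake gets checked within one scheduling interval. The file names watch.txt and state.json, the `-tags default-login` selection and the cron interval are assumptions for this example; the hostnames in the test are constructed.

```python
#!/usr/bin/env python3
"""Watch normally-unreachable subdomains and run nuclei default-login
templates the moment one of them starts answering HTTP.

Added example for this write-up; not the author's automation.
Assumed (not from the post): hosts live in watch.txt, one per line;
last results are kept in state.json; nuclei is on PATH and the
community templates carry the 'default-login' tag.
Schedule with cron, e.g.   */10 * * * * /path/to/watch.py
"""
import json
import socket
import subprocess
import sys
import urllib.error
import urllib.request
from pathlib import Path

WATCH_FILE = Path("watch.txt")   # hypothetical location
STATE_FILE = Path("state.json")  # hypothetical location


def probe(host, timeout=5):
    """True if the host answers HTTP(S) at all.

    A 401/403/5xx still means the portal is now exposed to us, so any
    HTTP response counts as reachable; only connection-level failures
    (DNS, refused, timeout) count as unreachable."""
    for scheme in ("https", "http"):
        try:
            urllib.request.urlopen(f"{scheme}://{host}/", timeout=timeout)
            return True
        except urllib.error.HTTPError:
            return True  # server answered, just not with 2xx
        except (urllib.error.URLError, socket.timeout, OSError):
            continue
    return False


def newly_reachable(previous, current):
    """Hosts that were down (or never seen) last run and are up now."""
    return sorted(h for h, up in current.items() if up and not previous.get(h, False))


def nuclei_command(hosts, tags=("default-login",)):
    """Build the nuclei invocation; '-u' may be repeated for several targets
    and '-tags default-login' selects the vendor-default-credential templates."""
    cmd = ["nuclei", "-silent", "-tags", ",".join(tags)]
    for h in hosts:
        cmd += ["-u", h]
    return cmd


def run_once(hosts, previous, prober=probe, runner=subprocess.run):
    """One scheduler tick: probe every host, fire nuclei at the ones that
    just became reachable, and return (new_state, hosts_scanned)."""
    current = {h: prober(h) for h in hosts}
    fresh = newly_reachable(previous, current)
    if fresh:
        runner(nuclei_command(fresh), check=False)
    return current, fresh


def load_state(path=STATE_FILE):
    return json.loads(path.read_text()) if path.exists() else {}


if __name__ == "__main__":
    targets = [l.strip() for l in WATCH_FILE.read_text().splitlines() if l.strip()]
    state, scanned = run_once(targets, load_state())
    STATE_FILE.write_text(json.dumps(state, indent=2))
    for h in scanned:
        print(f"[+] {h} just became reachable; default-login scan triggered", file=sys.stderr)
```

Keeping the probe and the nuclei launch separate from the state logic means the transition detection can be tested without network access, and it is the transition, not the raw "is it up" answer, that matters: scanning every reachable host every 10 minutes wastes requests and noise, while scanning only hosts that flipped catches exactly the accidental-exposure case the write-up is betting on.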