Hacking Dutch for Lousy Tshirts: Dutch T-Shirts for Dutch Hacks
In an increasingly interconnected world, cybersecurity remains a paramount concern for governments, organizations, and individuals. This report delves into a journey of discovery, where I stumbled upon four vulnerabilities within Dutch systems. Choosing a target among 1500+ domains was the hard part for me. With almost all the domains already checked by researchers, I decided to pick one.
The target was the Dutch national weather service, whose primary tasks include weather forecasting and monitoring of weather, climate, air quality and seismic activity. With 300+ subdomains, I started probing for live subdomains using the httpx tool. I collected around 155 live subdomains and started playing with each subdomain manually, with Burp Suite running in the background.
With limited features and functionality available, I started clicking through each feature one by one. The first vulnerability I encountered was in the climate explorer tool, which had a feature for previewing the annual climate change report. The full URL looked like: “http://target.nl/something.cgi?field=somevalue”. I tried a few XSS payloads and also SQLi, but nothing worked. Then I checked for command injection with the payload “||cat %2Fetc%2Fpasswd||”, and the response contained the contents of /etc/passwd. Was it only a file read or full OS command injection? I then tried “%7C%7Ca%20%23%27%20%7Csleep%205%7C%7C%20%23%7C%22%0A” and the server's response was delayed by 5 seconds. So it was a full OS command injection. I reported it to the team and received my first Dutch swag.

After finding this command injection, I searched for other endpoints with the “.cgi” extension in Waybackurl. I found another URL, but the parameter was different. The full URL was “http://target.nl/annual_overview_world_weather/index.cgi?mon1=somevalue”. Again I tried the same payload, and the response was also the same, containing the passwd data. This was another OS command injection on the same target, which gave me my second swag from the Dutch government.
The third vulnerability was on a different target. After finding some valid subdomains, I started checking each domain individually on Waybackurl and found one URL with the parameter ‘object’ in it: “http://target.nl/object.html?object=value”. The value of the object parameter was reflected directly on the page. So I tried some XSS payloads and the alert popped up. I thought it would be a duplicate, but the team triaged my report after a couple of days and I received my third Lousy Tshirt.
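For the defensive side of the two CGI findings above, here is an added example (not code from the post or from the affected service) of the usual root cause and its fix: a query parameter spliced into a shell command line versus the same call made without a shell and behind an allowlist. It assumes a POSIX system; the function names, the allowlist pattern and the `echo` stand-in for the real report generator are hypothetical.

```python
import re
import subprocess

# Assumption: the CGI hands the `field` query parameter to an external
# report generator. `echo` stands in for that program (POSIX system assumed).
FIELD_ALLOWLIST = re.compile(r"[A-Za-z0-9_]{1,32}")


def preview_vulnerable(field: str) -> str:
    """'Before': the parameter is spliced into a shell command line."""
    result = subprocess.run(f"echo report for {field}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def preview_argv(field: str) -> str:
    """No shell: the parameter is one argv entry, never parsed as syntax."""
    result = subprocess.run(["echo", "report for", field],
                            capture_output=True, text=True, check=True)
    return result.stdout


def preview_hardened(field: str) -> str:
    """'After': allowlist validation first, then the shell-free call."""
    if not FIELD_ALLOWLIST.fullmatch(field):
        raise ValueError("field must be 1-32 characters of [A-Za-z0-9_]")
    return preview_argv(field)


# Constructed, harmless input: a shell separator followed by a marker command.
CONSTRUCTED_INPUT = "tmax; echo INJECTED"

if __name__ == "__main__":
    print(repr(preview_vulnerable(CONSTRUCTED_INPUT)))  # marker runs as a second command
    print(repr(preview_argv(CONSTRUCTED_INPUT)))        # marker stays literal text
    try:
        preview_hardened(CONSTRUCTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```

The argv form alone already stops the shell from interpreting the value; the allowlist additionally keeps unexpected characters away from whatever the downstream program does with its argument.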

With three Dutch vulnerabilities and three Dutch T-shirts, I decided to check another target. While I was visiting the target manually, an alert appeared. The alert was from the Trufflehog extension. Many researchers are familiar with the Trufflehog extension. It looks for API keys and credentials on the websites you visit and alerts you if any are present. The alert contained a Google Maps API key. To check whether the API key was valid, I pasted the API key into each of the services at “https://github.com/streaak/keyhacks#Google-Maps-API-key”, and found that the key was vulnerable to Geocoding and Streetview. I was unsure whether to report it, because many similar reports of mine had been closed as N/A before. But I decided to submit it, and with a great stroke of luck the report was accepted and I received my fourth Dutch Lousy Tshirt.

Thanks for reading till the end. You can connect with me on LinkedIn & Twitter.