P1 Vulnerability in 60 seconds

On January 2018 i was invited to privat program on Bugcrowd with *.bountydomain.com scope.

I found 12 vulnerabilities on subdomains of this company and decide to look on the main site which located on www.bountydomain.com. I run Wfuzz (i love wfuzz much more then dirbuster) and found that on https://www.bountydomain.com/blog/ was run Wordpress blog.

First think was like: “Men, this is new version of Wordpress and blog on main site => no vuln”. But, i decide to check this resource… and BINGO!!!

Wfuzz told me that following URL have 200 code status: https://www.bountydomain.com/blog/_wpeprivate/config.json

This file disclosure API key from WPEngine, DB username, DB password and so on.

Bounty: 1500$

Twitter: https://twitter.com/Wh11teW0lf