Good things takes time | Story of my first “valid” critical bug!
Hello there, I am Krishna Agarwal ( Kr1shna 4garwal ) from India 🇮🇳. An ordinary bug hunter and So called security researcher :)
Let me tell you how I was able to find my first “valid” interesting critical vulnerability on a Vulnerability disclosure programme. I hope you will learn something new from this write-up :)
var domain.tld = target.com
One day I was hunting on a Public Vulnerability disclosure programme, they provides Hall Of Fame for valid submissions. It was a medium scoped target (*.domain.tld). So I started my private recon script for recon (I’m mentioning only 5% of it in this write-up).
Commands (Taken from my private recon script):
note: Medium prints double hyphen in a single line ( — ) so don’t be confuse, it is double hyphen.
subfinder -d domain.tld -all -o .temp/subfinder.txt
sublist3r -d domain.tld -e baidu,yahoo,google,bing,ask,netcraft,threatcrowd,ssl,passivedns -o .temp/sublist3r.txt
findomain -t domain.tld| sort -u | tee -a .temp/findomain.txt
assetfinder –subs-only domain.tld | tee -a .temp/assetfinder.txt
amass enum — passive -d domain.tld -o .temp/amass.txt
got 594 subdomains.
After this I combined all the results and passed it HTTPX
cat .temp/*.txt | sort -u | grep -i domain.tld | tee -a all.txt
cat all.txt| httpx -silent -ports 80,443,3000,8080,8000,8081,8008,8888,8443,9000,9001,9090 | tee -a alive.txt
After HTTPX I got total 684 probed subdomains.
Now I started nuclei with my custom templates in background and moved all the subdomain to my Burp proxy configured browser (In 50 subdomains per window), while visiting the each subdomain I found many 403 subdomains, for bypassing these all shi**y forbidden subdomains I started 4-zero-3 in background, but no luck :(
Other 200 OK subdomains were feature less (No signup, Login, etc) So I left these subdomains for future.
If you notice, I run port scan with HTTPX, I got some 8080,8443,9090 and 8081 ports open, so while checking the subdomains with ports ( subdomains.domain.tld:<PORT>), I found one of the subdomain very interesting because it was running RAVENDB on port 8080 with no authentication :)
What is Raven DB?
→ RavenDB is an open-source fully ACID document-oriented database written in C#, developed by Hibernating Rhinos Ltd. It is cross-platform, supported on Windows, Linux, and Mac OS. RavenDB stores data as JSON documents and can be deployed in distributed clusters with master-master replication.
In short: RavenDB is an open-source No-SQL Database.
So when I open subdomain.domain.tld:8080 in my browser, I see no authentication on RavenDB, I was able to change settings, Dump full database, View System Configurations, Delete Database (Obviously I don’t have permission to do that).
I quickly create a Professional detailed report, And Send it to security team :)
later I got Some anonymous FTP, XSS and some common misconfigurations on same target. It is enough for me, So I stopped hunting on that target.
update (12:22 AM, 19 July 2022):
Shodan Dork for finding RavenDB:- http.favicon.hash:442225173
Takeaway: Want to speed up your Nmap Scan? Use this command
nmap 127.0.0.1 -sS -sV -Pn -n — max-rate 1000 — open -p 21 -oN Active_21.txt
Tip: Don’t forgot to scan the commonly open ports like 21,22,3000,8080,8000,8081,8008,8888,8443,9000,9001,9090.
Apologies for any grammatical mistakes.
DM are always open for questions, help, Collaboration, and Suggestions :)
Be my Friend:
- Instagram — https://www.instagram.com/krishnaAgarwal_in
- LinkedIn — https://www.linkedin.com/in/kr1shna4garwal
- Twitter — https://twitter.com/kr1shna4garwal
Thanks for wasting your valuable time in reading my write-up ;)
If you found this valuable and have wasted your 5 minutes in reading this, then give some claps👏, Hit the Follow button for future write-ups and share this with your infosec friends and community.
keep Hacking, keep Learning!
Signing Off !
From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE! https://weekly.infosecwriteups.com/
