
The Subdomain They Forgot — How I Chained Bugs for a $1,000 Bounty

Akash Ghosh · Published in InfoSec Write-ups · 3 min read · Jan 11, 2025


The internet never forgets, and neither should bug bounty hunters. As hackers, we live for those quiet moments when something seemingly insignificant — a leftover subdomain, a misconfigured API — turns into a jackpot of vulnerabilities.

That’s exactly what I found during a late-night recon session: an old subdomain, neglected and forgotten by its owners. To them, it was harmless. To me, it was a ticking time bomb.

What followed was a cascade of discoveries: hardcoded credentials, exposed APIs, writable S3 buckets, and an outdated CMS riddled with vulnerabilities. One bug led to another until I had chained together a critical exploit worth $1,000.

Here’s how I turned this forgotten relic into one of my most rewarding bug bounty reports yet.

The Needle in the Haystack

It all started with a recon sweep using Amass and Subfinder:

amass enum -d company.com

Most of the results were standard, modern subdomains. But one stood out:

beta.oldsite.company.com

It had all the hallmarks of an outdated system:

  • No HTTPS — just plain HTTP.
  • An old-school login page with slow response times.
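The two hallmarks above are easy to check mechanically across every name an enumeration run produces, which is just as useful for an internal attack-surface review as for recon. Below is an added example (not code from the original article or its author) that parses amass/subfinder-style output, probes each host for TLS on 443 and plain HTTP on 80, and flags the ones that are HTTP-only or slow to answer. It assumes the enumerators print one hostname per line in their default mode, uses a 2000 ms "slow" threshold chosen here for illustration, and ships with a constructed sample so the parsing and classification run offline.

```python
# Added example, not part of the original post: triage enumerated subdomains
# for the "legacy host" hallmarks the article lists (plain HTTP only, slow
# responses). Meant for sweeping domains you are authorised to assess.
import socket
import ssl
import sys
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample of enumerator output (one name per line is assumed
# for amass/subfinder default mode; a comment, a duplicate and a trailing
# dot are included to exercise the parser).
SAMPLE_ENUM_OUTPUT = """\
# constructed sample, not real enumeration output
beta.oldsite.company.com
www.company.com
BETA.oldsite.company.com.
"""


def parse_enum_output(text: str) -> list[str]:
    """Return sorted, de-duplicated hostnames from enumerator output.

    Blank lines and '#' comments are skipped, names are lower-cased, a
    trailing dot is removed, and anything after the first whitespace
    (e.g. source annotations) is dropped.
    """
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.split()[0].lower().rstrip("."))
    return sorted(names)


@dataclass
class Probe:
    host: str
    https_ok: bool               # TLS handshake on 443 completed
    http_ok: bool                # HTTP/1.0 reply received on 80
    latency_ms: Optional[float]  # time to first response byte, or None


def _timed_http_head(sock, host: str) -> float:
    """Send a minimal HEAD request and return ms until the first reply byte."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    start = time.monotonic()
    sock.sendall(request)
    sock.recv(1)
    return (time.monotonic() - start) * 1000


def probe_host(host: str, timeout: float = 5.0) -> Probe:
    """Probe one host on 443 (TLS) and 80 (plain); the only networked part."""
    https_ok, http_ok, latency = False, False, None
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing for any TLS at all, not cert validity
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                https_ok = True
                latency = _timed_http_head(tls, host)
    except (OSError, ssl.SSLError):
        pass
    try:
        with socket.create_connection((host, 80), timeout=timeout) as plain:
            http_latency = _timed_http_head(plain, host)
            http_ok = True
            if latency is None:
                latency = http_latency
    except OSError:
        pass
    return Probe(host, https_ok, http_ok, latency)


def legacy_indicators(probe: Probe, slow_ms: float = 2000.0) -> list[str]:
    """Map probe results to the article's hallmarks of an outdated system."""
    indicators = []
    if probe.http_ok and not probe.https_ok:
        indicators.append("http-only")
    if probe.latency_ms is not None and probe.latency_ms > slow_ms:
        indicators.append("slow-response")
    return indicators


if __name__ == "__main__":
    # Usage: amass enum -d company.com | python triage.py
    # (falls back to the constructed sample when stdin is a terminal)
    text = SAMPLE_ENUM_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for name in parse_enum_output(text):
        flags = legacy_indicators(probe_host(name))
        print(f"{name}\t{','.join(flags) or 'ok'}")
```

Hosts that come back flagged "http-only" are the ones worth cross-checking against the asset inventory: if nobody owns them any more, they are the candidates for decommissioning before someone else finds them.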


Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Akash Ghosh | Ethical Hacker | Cybersecurity Expert | Web & Mobile Security Expert
