I am Nitin Yadav from India, and this is my first ever write-up, so please ignore my mistakes. Without wasting time, let's roll on to the bug and how I found it.
It was my first time hunting on a live website. I was very excited to hunt on a program, let's say site.com (I can't disclose it as per the program rules). I didn't know much about bug types and was new to it, so after 3 or 4 days my excitement turned into boredom. But then I saw a tweet about recon and searched for it.
Then I came across a video, The Bug Hunter's Methodology by Jason Haddix, and after watching it I followed every step shown in the video and ended up with a subdomain: terminal.epm.site.com.
At first I was like, what's this? I was totally blank. But I wanted to find a bug, so I tried to find usernames and passwords for it but couldn't. So I thought of a password spraying attack. First I needed the internal domain name of the target, which can be found quickly in the RDS login page source as the WorkSpaceId.
Now the challenging part: I had the internal domain, but where would I get the user list? I searched for the company on social media in case I found something, but it was of no use. Then I thought of checking LinkedIn and found some names for the company. The problem was how to get all the usernames from LinkedIn. Then I remembered a blog about it and quickly cloned the tool (linkedin2username).
The username format the company uses for RD Web Access was first_last. The tool does not generate this format, so following the tip in the blog where I learned about the tool, I modified the username list with sed:
$ sed -i 's/\./_/g' site-first.last.txt
Now it's time for some action.
Setting up Burp Intruder for the action
There are many ways to perform password spraying, but Burp Suite gives us a considerable amount of flexibility and control. I started by capturing the login POST request, leaving a placeholder for the username, and using the list I got from linkedin2username. Then I launched the attack. But wait: it is important to tune this to minimize impact and load on the service.
Launching the Password Spraying Attack
Now it's showtime. I launched the attack, and after 2 hours I got a 302 redirection. BOOM... It was exactly what I had been hoping for.
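What this looks like from the defender's side: the following is an added example (it is not part of the original write-up and not code from any tool mentioned in it) that runs a simple spray detector over constructed RD Web login log lines. A slow spray like the one above, one guess per account spread over two hours, stays under a per-account lockout threshold, but it is visible as one source failing against many distinct accounts and then succeeding. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for illustration.

```python
# Added example, not from the original write-up: detect the password-spraying
# pattern (one source, many distinct accounts, slow rate, eventual success)
# in authentication logs. The log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 tries one password
# against six different accounts, one per minute, and finally succeeds;
# 198.51.100.9 is a normal user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-01-10T09:00:05Z src=203.0.113.7 user=alice_smith result=fail
2024-01-10T09:01:10Z src=203.0.113.7 user=bob_jones result=fail
2024-01-10T09:02:15Z src=203.0.113.7 user=carol_lee result=fail
2024-01-10T09:03:20Z src=203.0.113.7 user=dan_wu result=fail
2024-01-10T09:04:25Z src=203.0.113.7 user=erin_kim result=fail
2024-01-10T09:05:30Z src=203.0.113.7 user=frank_ali result=success
2024-01-10T09:06:00Z src=198.51.100.9 user=alice_smith result=fail
2024-01-10T09:06:30Z src=198.51.100.9 user=alice_smith result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spraying(log_text, window=timedelta(hours=2), min_distinct_users=5):
    """Return alerts for sources whose failed logins touch at least
    `min_distinct_users` distinct accounts within `window`, and for any
    later success from such a source (the credential the spray found).
    A per-account failure counter would miss this: each account fails once."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> [(ts, user)] of recent failures
    flagged = set()                # sources already reported as spraying
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "fail":
            failures[src].append((e["ts"], e["user"]))
            # keep only failures inside the sliding window
            failures[src] = [(t, u) for t, u in failures[src]
                             if e["ts"] - t <= window]
            distinct = {u for _, u in failures[src]}
            if len(distinct) >= min_distinct_users and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "spray", "src": src,
                               "distinct_users": len(distinct), "ts": e["ts"]})
        elif e["result"] == "success" and src in flagged:
            # a success from a spraying source is the compromised account
            alerts.append({"type": "spray_success", "src": src,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(alert)
```

The key design choice is to count distinct usernames per source rather than failures per account, which is what makes a one-guess-per-account spray stand out even when it is throttled to one request a minute; the "spray_success" alert is the one worth paging on, since it names the account whose password was guessed.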
Accessing the RDS Service with the Obtained Credentials
I accessed the RD Web service using the credentials I got from the password spraying attack. The user had only a little access, but that was not what I was concerned about.
Without wasting time, I reported the bug to the company, and within a few days I was awarded for it.