After digging through the downloaded files, I found something interesting 😅 and now you know, what most hackers will do right away 😁
Introduction:
Hello Fam, It’s been a long time but I do remember you😌 and today, I’m back again with an interesting write-up on “How I hacked a Cyber-Security company and took full control”. But before starting out,
This is Gowtham Naidu Ponnana, an 18y/o Security Researcher based out of India. Working as Security Researcher at CryptoForce and part-time Smart Contract Auditor(Lemme get good at it first🥲).
Background Story:
If you don’t know I took a 2months gap from all social media as I need to prepare for my boards😖 but I somehow diverted from my preparation and thought of applying for some “Internships” for the role of Smart Contract Auditor.
I was actually looking for the top Security Firms in the web3 sector and selected a few companies and finally, I applied to some positions(I know I won’t get selected🥲).
Now, what should I do special to get attention?
We Never Change:
Meanwhile, I can hear some noises in my mind saying “What if you can Hack the Company and get yourself close to the recruiting process?”
Umm, It’s really a great idea but I’m damn sure that “They are not dumb and they care of securing themselves before securing others…”
So I thought it would waste few hours of my preparation and It was not worthy enough🥲 but who thinks like this?
Come on dude, let’s fire up the Macbook😌
My Unusual Methodology:
If you’ve read my previous blog on “How I made $10000 within the past 7 months”, you know that my favourite part is always “Authentication Vulnerabilities” but just like other firms, they do not have any Authentication System except “Contact-Us” page.
NOTE: Due to some personal as well as some official reasons, I’m not going to say the name publicly as it will damage the reputation of the respective company. Let’s call it “company.xyz”
Now what most of us will do? Try for XSS. As I’m so good with XSS🙂(Sarcasm) I skipped it.
I just took a very unusual way of my methodology where I fired up my terminal and ran the “FFUF” tool to find some hidden subdomains as well as some directories. Additionally, I also searched in “crt.sh” to find some subdomains and found this, (along with dev.company.xyz)
At this stage, I was pretty sure that there will be something interesting here by just looking into the names “development/dev”.
So as usual, I quickly opened the “dev.company.xyz” and as you expected, It’s a big “403 Forbidden Error” 🙁
Now, Most of us just try to bypass this 403 page by various methods like Changing the Request Headers, finding the origin IP, etc… To add, Just think “there will be always VPN Access” to these big cybersecurity firms and they know we will try these silly tricks to bypass them. So I ultimately skipped it 🙂
I really thought, it was better to leave and just go back to prepare for my boards. And my bad, I opened the subdomains (development.company.xyz) and I can see a pop-up notification on one of my extensions named “DotGit” which basically shows the publicly accessible .git or .git/config pages.
For those who don’t know, Use GitTools to dump all the sensitive information and it only works if “.git” is publicly accessible (at least if it shows 403 forbidden error or .git/config is accessible)
I quickly fired up my terminal and ran the Gittools to dump all the contents. And I actually never expected this output! 🥲
At this stage, I was pretty sure that I’m going to get some juicy information and patiently waited for 10mins so that I can actually run “Extractor” on the .git to extract the information.
-> Command: ./Extractor/extractor.sh “folder where .git exsists” “output folder”
And Now I got tons of information and I know that I need to give some hours to actually dig through these files/folders.
“ Why the fuck you save everything in github? “
Now, I could directly report this issue to the respective company but how can I escalate this further? Let’s dig deeper…
After couple of hours, I understood the whole backend code and how it works and I was pretty sure on how I can actually bypass so many things. (Talking about Admin Panels…)
But what bothered me more is this🥲…
You may ask, how can I use these credentials as it is localhost and I don’t know the IP… Actually, the origin IP is saved in one of the hidden files and I just ran the nmap scan and it opened up with tons of information…
Nothing excites me more than this
I don’t know why, but this didn’t gave me any hype/satisfaction even though I was in full-control over the company(Admins creds, SQL Data, Sensitive data of Audited Companies etc…)
I left everything and once again deep dived into the files and found email-handler.php file which consisted of some critical information. And I ended up doing this 😅(I loved this more than anything…)
Now Coming to the question, what’s in my control?
After doing all this, I realized that I screwed up my preparation for my boards🥲 and I was pretty sure that I gonna get low marks in my boards…(Please send some positive vibes on Twitter🥹)
Conclusion:
Now this is where the final twist comes into play. After doing all this, I reached out to the team and reported them about the issue. But without contacting me, they blocked me on all social-handles and patched this issue.
Literally I was like…
That’s being said, I’ll leave you here…. Thanks for reading so far and I just love the way you support me.
you can always reach me out: