Hello amazing hackers, here we are with another amazing post. This time we are not going to talk about the effect of a vulnerability on users or even on the database; this time we want to talk about taking over an entire organization. I can say that more than 90% of the process of finding this vulnerability comes down to the calculation.
It was a private pentest project for a government agency. They gave me two domains along with their subdomains. I started working on the main system and was able to find a few XSS vulnerabilities. I spent some time on the subdomains but found nothing. A few days later I went back to the target again, but this time it wasn’t to find a vulnerability: I just wanted to do a very deep recon on the target.
I started by extracting the subdomains of the two domains and reached something close to 10 subdomains. Some of them were live. In the next step, I started fuzzing the subdomains for all kinds of backup files, but I didn’t achieve anything. Some paths were found, but they didn’t seem to be anything important.
I tried to find subdomains using ready-made tools such as subfinder and… but I thought to myself that I might have missed a subdomain. That’s why I started brute-forcing DNS using other tools and then combined the results with the DNSgen tool. After deduplicating the data, this time I reached 15 subdomains.
Again, nothing was found in these 5 new subdomains, but an interesting point about them is that 3 of them resolved to an IP that none of the other 12 pointed to. I was able to get 3 IPs from these subdomains using DNSX. I started my work with port scanning, but the results of the port scan weren’t very interesting.
When I want to work deeply on a target, I always do virtual hosts discovery on the target using public wordlists and subdomains of the domain.
I did not achieve anything by using the subdomains as Host values on the IPs, but when I fuzzed the IP of our target, which I had found with DNS brute force, with a public wordlist, I reached a virtual host named admin, and it was very attractive to me.
You can fuzz virtual hosts with FFUF:
ffuf -w ~/wordlist.txt -u http://127.0.0.1 -H "Host: FUZZ"
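The same Host-header technique, written out as an added example (not from the original post or from the ffuf project) so you can see why the method works: most Host values come back with the server's default response, so the interesting names are the ones whose status or body size breaks from that baseline. The IP, domain and response sizes below are constructed placeholders; `find_vhost_outliers` is a helper name I chose.

```python
import http.client
from collections import Counter

def fetch_vhost(ip, host, port=80, timeout=5):
    """GET / from `ip` with an explicit Host header; return (status, body length)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()

def find_vhost_outliers(results, tolerance=0):
    """results maps hostname -> (status, length).

    The default virtual host answers for most names in a wordlist, so the
    most common (status, length) pair is treated as the baseline. Any name
    whose status differs, or whose length differs by more than `tolerance`
    bytes (reflected Host values shift the size slightly), is an outlier
    worth opening in a browser."""
    if not results:
        return {}
    baseline, _ = Counter(results.values()).most_common(1)[0]
    return {
        host: sig for host, sig in results.items()
        if sig[0] != baseline[0] or abs(sig[1] - baseline[1]) > tolerance
    }

def discover_vhosts(ip, base_domain, words, port=80, tolerance=32):
    """Try every word from the wordlist (plus the known subdomains) as a vhost."""
    results = {}
    for word in words:
        host = f"{word}.{base_domain}"
        try:
            results[host] = fetch_vhost(ip, host, port)
        except OSError:
            continue  # closed port / timeout: nothing to compare
    return find_vhost_outliers(results, tolerance)

# Constructed sample of what a scan might return: the default vhost
# answers with a 1540-byte page, two names answer differently.
SAMPLE_RESULTS = {f"{w}.example.gov": (200, 1540) for w in
                  ["www", "mail", "vpn", "portal", "test", "api", "old"]}
SAMPLE_RESULTS["admin.example.gov"] = (200, 2210)   # a distinct login page
SAMPLE_RESULTS["dev.example.gov"] = (302, 0)        # redirects elsewhere

if __name__ == "__main__":
    for host, (status, size) in find_vhost_outliers(SAMPLE_RESULTS).items():
        print(f"{host}: HTTP {status}, {size} bytes")
```

Run it against your own address space to catch admin panels that are reachable only through a Host header nobody remembers; in this case the admin vhost would show up exactly because its response differs from everything else.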
After opening the virtual host, I encountered an Apache Guacamole login panel, whose default username and password are both guacadmin. I entered the username and password and was in the admin account :)
I had remote connection access to the gate and monitoring server and many other things; the level of access was incredibly high and I could control the entire organization.
Thank you for following me this far. Don’t forget to follow me for more write-ups.