RCE via Internal Access to Adminer Database Management (Critical)
2021-05-02 20:55:16 Author: infosecwriteups.com (view original) Views: 282

Ahmad Halabi

Hello,

My name is Ahmad Halabi, I do bug bounty hunting on my free time. I mainly hunt on HackerOne.

In this article I am going to share with you how I was able to access internal database management leading to Remote Code Execution.

Overview ::

While I was hunting on a public program, I found an interesting subdomain, remoteservices.target.com, and said to myself that there definitely had to be something hidden there.

Recon Approach ::

I love recon, and I spend more time doing it than actual hacking.

Browsing the target website https://remoteservices.target.com returned a 404 status code (Nothing Found) in the response.

When you see 404 Not Found in the response, it means there might be something hidden on that website, and the best thing to do here is directory brute force/enumeration.

Directory Enumeration ::

One of the most common questions is: which wordlist do you use?

For me personally, I don’t use any specific one; it always depends on the target you are hacking on. For example, if it is an IIS server then you should use a wordlist that contains IIS directories and files. If it is an Apache server then you should use a wordlist that contains Apache directories and files. Do this for any target you approach.
So I have multiple wordlists that I edit whenever I find a new interesting directory or file path. That’s how you optimize your recon and make it faster and more accurate.

I used the FFUF tool to brute force the directories of the target subdomain and got an interesting 403 Forbidden response for the admin directory (https://remoteservices.target.com/admin).

403 Forbidden Response

This looks cool, since Forbidden means there is definitely hidden content or a section that they don’t want you to see or access.
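From the defender’s side, the enumeration described above leaves a very recognizable footprint: one client requesting many distinct paths in a short window and collecting 404s and 403s. The script below is an added example (not code from the original article) that runs that detection over a few constructed access-log lines in the common Apache/nginx combined format; the IP addresses, paths, window size and threshold are all assumptions chosen for illustration.

```python
"""Detect directory brute-forcing in web server access logs.

Added example, not from the original write-up. A burst of 403/404 responses
from a single client to many distinct paths within a short window is the
typical footprint of directory enumeration tools. Any 403 seen inside such a
burst is worth reviewing: it tells the client a restricted resource exists.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). 203.0.113.10 enumerates
# twelve paths in six seconds; 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Sep/2020:10:00:01 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:02 +0000] "GET /config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:03 +0000] "GET /old HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:03 +0000] "GET /api HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:04 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:04 +0000] "GET /.git HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:05 +0000] "GET /phpmyadmin HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:05 +0000] "GET /login HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:06 +0000] "GET /dev HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Sep/2020:10:00:06 +0000] "GET /staging HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2020:10:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2020:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
this line is not in combined log format and must be skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def detect_enumeration(log_text, window_seconds=60, threshold=10):
    """Return {ip: {"distinct_paths": n, "forbidden": [...]}} for clients that
    hit at least `threshold` distinct 403/404 paths within `window_seconds`."""
    events = defaultdict(list)      # ip -> [(timestamp, path)]
    forbidden = defaultdict(set)    # ip -> paths that answered 403
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        status = int(m["status"])
        if status not in (403, 404):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["path"]))
        if status == 403:
            forbidden[m["ip"]].add(m["path"])

    window = timedelta(seconds=window_seconds)
    suspicious = {}
    for ip, evs in events.items():
        evs.sort()  # sliding window needs chronological order
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({path for _, path in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            suspicious[ip] = {
                "distinct_paths": best,
                "forbidden": sorted(forbidden[ip]),
            }
    return suspicious


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_paths']} distinct 403/404 paths, "
              f"403 on {info['forbidden']}")
```

Counting distinct paths rather than raw requests keeps a single user reloading a broken link from tripping the alert, while the separate list of 403 paths gives the responder the exact resources an enumerating client has learned about (here `/admin`), which is the list to review for whether they should be reachable from the internet at all.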

Next Step to Bypass 403 Forbidden ::

The first thing I thought of was brute forcing the admin directory as well, and I got a sweet Adminer login panel at https://remoteservices.target.com/admin/adminer.php.

Adminer Login

Adminer is a database management tool that lets you connect to and manage different database management systems such as MySQL and Oracle.

Getting Internal Access ::

First of all, I searched for CVEs and known exploits for the version number shown on this Adminer login panel, but I had no luck.

The second thing I did was check the target program’s GitHub repository for any exposed credentials pointing to the Adminer login panel, but I didn’t find anything interesting there either.

The last thing I did was search Google for default Adminer login credentials and for credentials commonly used with Adminer. I got quite cool results. After trying them all out for 2 hours, I got successful access to the company’s internal database, leading to Remote Code Execution where I could manipulate their database.

The username was: homestead

The password was: secret

Remediation ::

The program immediately removed access to the target website then fixed the issue and changed the credentials.

Sadly, there are still some well-known companies that use default credentials or credentials that can be easily guessed. This sometimes leads to critical issues that could cause serious damage if they were discovered by criminals instead of ethical hackers.
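The remediation here came down to changing a credential pair that should never have reached production. The script below is an added example, not code from the original article or from Adminer, of the kind of pre-deploy check that catches this: it parses an environment-style config file and flags database credentials that match known default pairs or are otherwise weak. The sample `.env` content is constructed, the `homestead`/`secret` pair is the one from the write-up, and the other entries in the default list and the variable names it looks for are assumptions chosen to illustrate the check.

```python
"""Audit .env-style configuration for default or guessable database credentials.

Added example, not from the original write-up. Meant to run in CI or as a
pre-deploy hook so that a well-known default pair such as homestead/secret
is rejected before the configuration ships.
"""
import re

# Illustrative list only. homestead/secret is the pair from the write-up; the
# others are generic tutorial/vendor defaults. Extend from your own inventory.
KNOWN_DEFAULT_PAIRS = {
    ("homestead", "secret"),
    ("root", ""),
    ("root", "root"),
    ("admin", "admin"),
}
WEAK_PASSWORDS = {"", "secret", "password", "123456", "changeme"}
MIN_PASSWORD_LENGTH = 12

# (username key, password key) pairs to inspect; assumed common naming schemes.
CREDENTIAL_KEYS = [
    ("DB_USERNAME", "DB_PASSWORD"),    # Laravel-style .env
    ("MYSQL_USER", "MYSQL_PASSWORD"),  # docker-compose style
]
ROOT_PASSWORD_KEY = "MYSQL_ROOT_PASSWORD"  # implicitly the "root" user

ENV_LINE = re.compile(r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

# Constructed sample configuration (not a real deployment).
SAMPLE_ENV = """\
# Application settings
APP_ENV=production
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_USERNAME=homestead
DB_PASSWORD="secret"
MYSQL_ROOT_PASSWORD=
"""


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; strips quotes, skips comments/blanks."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue  # tolerate lines that are not assignments
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def check_pair(label, user, password):
    """Return a finding string for one credential pair, or None if acceptable."""
    if (user, password) in KNOWN_DEFAULT_PAIRS:
        return f"{label}: known default credential pair {user!r}/{password!r}"
    if password in WEAK_PASSWORDS:
        return f"{label}: weak or empty password"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"{label}: password shorter than {MIN_PASSWORD_LENGTH} characters"
    return None


def audit_credentials(env):
    """Return a list of findings for the parsed config; empty means nothing obvious."""
    findings = []
    for user_key, pass_key in CREDENTIAL_KEYS:
        if pass_key not in env:
            continue
        finding = check_pair(pass_key, env.get(user_key, ""), env[pass_key])
        if finding:
            findings.append(finding)
    if ROOT_PASSWORD_KEY in env:
        finding = check_pair(ROOT_PASSWORD_KEY, "root", env[ROOT_PASSWORD_KEY])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(parse_env(SAMPLE_ENV)):
        print("FAIL", finding)
```

Wire it to fail the pipeline when `audit_credentials` returns a non-empty list. The length check is deliberately a floor rather than a full policy: the point is to stop the obviously guessable values the write-up describes, with the real secret supplied from a secrets manager at deploy time rather than committed to the file.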

Report Timeline ::

Sep 17, 2020: Initial Report.

Oct 18, 2020: Report Resolved & Bounty Awarded.

If you haven’t read my article yet about how I started bug bounty hunting, how I ranked 1st at the U.S. Dept of Defense (2019) and how I reached the top 100 hackers on HackerOne, you can find it below.

The article also contains all needed resources to start learning and a lot of valuable tips.

Good Luck :)


Article source: https://infosecwriteups.com/rce-via-internal-access-to-adminer-database-management-critical-d3dc2a1d392a?source=rss----7b722bfd1b8d--bug_bounty