Hello there, I am Anirudh Makkar from India. This is my first write-up and I hope you guys like it. In this write-up, I will explain the power of recon and Google dorks. Don’t worry, I’ll keep it short and crisp.
It was a Bugcrowd private program, so I can’t disclose the name. Let’s say redacted.com. The scope was *.redacted.com, which meant I had a pretty wide scope to hunt on.
I started with subdomain enumeration and probing using assetfinder, subfinder, and httpx.
One subdomain caught my eye: https://git.infotech.redacted.com. I opened it in the browser and saw a GitLab instance that redirected me to its SAML login page, powered by Okta. So only internal users were allowed to log in to that GitLab instance, with their company email address ([email protected]). I tried some default credentials, but no luck!
I didn’t give up and jumped onto Google to find some juicy stuff. I tried many Google dorks, but nothing sensitive turned up. After a few tries, I used “site:git.infotech.redacted.com ext:env” and found some usernames and group names of that GitLab instance.
I immediately tried https://git.infotech.redacted.com/username and https://git.infotech.redacted.com/groupname, and I was able to bypass the authentication flow and directly access the source code hosted there. I found lots of sensitive data, such as SQL credentials and LDAP credentials.
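The exposure above is a GitLab instance whose projects had public visibility, so they were browsable (and indexable by Google) without ever touching the Okta login. As an added example that is not part of the original write-up, here is a Python audit an administrator can run against their own self-managed GitLab: it lists projects visible to an unauthenticated caller, flags .env-style files in them, and shows the application setting that stops new public projects. It assumes the GitLab v4 REST API; the sample API responses and the `infotech/billing-api` project name are constructed so the checks run offline.

```python
"""Audit a self-managed GitLab instance for projects browsable without login
and for committed secret-looking files (.env etc.) inside them."""
import json
import sys
import urllib.request

# Constructed sample of what an unauthenticated GET /api/v4/projects?visibility=public
# returns (same shape as GitLab's real response, values made up)
SAMPLE_PROJECTS = json.loads("""[
 {"id": 7, "path_with_namespace": "infotech/billing-api", "visibility": "public"},
 {"id": 9, "path_with_namespace": "infotech/intranet", "visibility": "internal"}
]""")
# Constructed sample of GET /api/v4/projects/7/repository/tree?recursive=true
SAMPLE_TREE = json.loads("""[
 {"path": "README.md", "type": "blob"},
 {"path": "config/.env", "type": "blob"},
 {"path": "deploy/ldap.env", "type": "blob"},
 {"path": "src/main.py", "type": "blob"}
]""")
SENSITIVE_SUFFIXES = (".env", ".pem", ".key", "id_rsa")

def fetch_json(base_url, endpoint):
    """Unauthenticated GET: exactly what a search engine or a stranger sees."""
    with urllib.request.urlopen(f"{base_url}/api/v4{endpoint}", timeout=10) as r:
        return json.load(r)

def public_projects(projects):
    """Projects anyone can open at /<namespace>/<project> with no session."""
    return [p["path_with_namespace"] for p in projects if p.get("visibility") == "public"]

def sensitive_files(tree):
    """Repository paths that look like secrets, e.g. the ext:env hits from the dork."""
    return [e["path"] for e in tree
            if e.get("type") == "blob" and e["path"].lower().endswith(SENSITIVE_SUFFIXES)]

def hardening_settings():
    """Body for PUT /api/v4/application/settings (admin token required): forbid the
    public visibility level and make private the default for projects and groups."""
    return {"restricted_visibility_levels": ["public"],
            "default_project_visibility": "private",
            "default_group_visibility": "private"}

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. https://git.example.internal
    projects = fetch_json(base, "/projects?visibility=public") if base else SAMPLE_PROJECTS
    for p in projects:
        if p.get("visibility") != "public":
            continue
        tree = fetch_json(base, f"/projects/{p['id']}/repository/tree?recursive=true") if base else SAMPLE_TREE
        print(p["path_with_namespace"], "is browsable without login; secret-looking files:", sensitive_files(tree))
    print("fix via PUT /api/v4/application/settings:", json.dumps(hardening_settings()))
```

Without an argument the script audits the embedded samples; with an instance URL it queries that instance unauthenticated, so an HTTP 401 from `/api/v4/projects` is the healthy outcome for a login-only GitLab.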
A big thanks to all of you who helped me and supported me in every possible way.
Here’s what you get from this write-up:
You can follow me on: Twitter, LinkedIn, Instagram for more bug bounty tips.