Hello there, I am Veshraj Ghimire all the way from Nepal. This is my second write up and in this write up, I am going to tell you one of my totally unexpected bounty story which was possible by recon only.
So, without wasting your time, Let me quickly tell short story of mine.
Severity: Medium
One day while I was looking after the programs at Bugv, I went through a WordPress site. Firstly, I visited the site and checked if I might find something interesting but the site seem to be static so I did not found anything interesting there. Then I planned to enumerate subdomains but I ended up getting nothing.
Then, as usual I started to fuzz on the main domain with ffuf using this wordlist from SecList expecting to get something useful.
Fuzzing go Brrrrr, After some times I found an unusual file publicly available, which I never saw before on any target. The File was:
/wp-config.swp
After discovering the endpoint, I opened it on my browser and it downloaded a file named wp-config.swp on my pc which basically contained editor name, version, root and username as shown in the picture below:
Seeing this I quickly googled about .swp files and got to know that swap file is used by the system to “swap” out memory to the disk, temporarily.
I reported it quickly to avoid the duplicate because we all know it is very painful lol. But my POC was not sufficient cause there was not sensible file displayed and they flagged it as needs more info.
With this reply, I was somehow happy knowing it was not duplicate. So now i have to research harder to show it’s impact. Then I started my research, after some time, I got this article explaining how someone could get the database credentials exploiting same vulnerability. I was like woooo, intresting!!
Then after reading that interesting article, I started to create my own Proof Of Concept. I quickly installed WordPress in my VPS then made a video showing how someone could get the database credentials if the file was being edited with vim. Here I have attached my POC which I sent them:
Summary:
Set up a script to keep downloading http://target.com/.wp-config.php.swp several times a second. If someone is currently editing the file on the server in Vim and you download that URL, you will get the swap file. Once you have that downloaded, just run vim -r .wp-config.php.swp, hit enter at the vim dialog and you should see whatever changes they’ve made to the file. This isn’t really a big deal, but could be used by someone if you know that they’re editing files within the public directory (/public, /public_html/ etc) and that they use Vim without changing the default swap file directory.
After Some Days of review, it got triaged. But it made me little confused. Since I had never seen similar kind of reports at any writeups/hacktivity before,
so I was unware about the severity so I had reported it with low severity but their comment while triage confused me thinking they may change it to informative since the sensitive info was not actually disclosed but it was possible. So I was fearing about that.
Since they mentioned “Severity is subject to change” I also felt somewhere that they may change it to informative and close it. I was praying god not to happen so :V
But thank god, may be my prayers worked so it didn’t happened and after some days Boom!!!, the severity was changed to medium and they rewarded me $$ 🥳🥳
Timeline:
Reported: Apr 08, 2021 17:49
Needs More Info: Apr 09, 2021 11:09
POC video sent: Apr 09, 2021 12:07
Triaged: Apr 27, 2021 10:59
Updated Seiverty from low to moderate: May 02, 2021 08:27
Rewarded $$: May 02, 2021 08:27
Takeaways:
You can connect with me in twitter if you wish to.
Bye bye till next writeup, Stay Safe Stay Happy. Peace ✌️✌️