How I Got RCE in the World's Largest Russian Company
2021-08-23 17:10:13 Author: infosecwriteups.com

Thinking outside the box

Sicksec


Hello, security researchers and hackers!

In this write-up I will explain how I was able to find an RCE in Mail.ru, which is considered the world's largest internet company.
Before I started hacking I was wondering how I should approach the target and what most people would miss in the program. They have a huge scope, which means there should be something out there sitting and waiting for me to find XD

I started by looking at the favicon, using this, where I replaced the link with the Mail.ru favicon. Once the hash was generated I went to shodan.io and searched for it.

Now we search for this hash on shodan.io with the http.favicon.hash syntax.

Then I went through the results page by page, looking for something suspicious with an unusual port number, until I found a host on port 8080
that served a "Welcome to Nginx" page.
Once I found it I wanted to dig further into what was going on, so I started fuzzing directories and found /static/shards/html publicly accessible, and it looked juicy.

From here I guessed that most of these hosts were internal hosts and would be difficult to reach, so I decided to Nmap all of them.
I found only one that had JDWP (Java Debug Wire Protocol) exposed.

So I started researching this service/port, and by reading this article it turned out that it may be vulnerable to RCE.
With the help of this repo I was able to demonstrate the RCE, and the team triaged it and paid $$$, since the server belongs to their infrastructure rather than the main assets.

Hope you enjoyed reading this, and catch you in the next adventure.
Stay curious ❤


Source: https://infosecwriteups.com/how-i-got-rce-in-the-world-largest-russian-company-8e6e8288bc4e?source=rss----7b722bfd1b8d--bug_bounty