In the Name of the One Who Gives Glory

If you only want to read the technical part, please start reading from the Technical Part Header.

Some Hunting Vibes

Since I was a little boy, I always wanted to be a Gangster. Sorry, I meant a farmer. 🧑🏽‍🌾🧑🏽‍🌾🧑🏽‍🌾🧑🏽‍🌾 😂😂😂

Like World War II soldiers’ dreams, like Western movies.

After all the war and fights, I just wanted a peaceful life. Buying a land on the edge of the world, marrying to the desired one and making babies.

So I said why not!!! f♥♥k yeah. I’m in. Let’s farm some VDPs honey.

I hit up my friend @TheM@sterOfDisaster , the most dangerous doctor in the world.

Thank God this is where we ended up.

X on Twitter: "🚨🚨Amazing collaboration with @young_vanda_ 👈👈👈We Hunting for a couple of hours on @intigriti, and the results were quite surprising. Reported over 20 bugs, mostly Exceptional. 👾👾👾SQLi, Admin Panel Bypass, RCE, and ...If you want to see the write-up of this hunting... pic.twitter.com/cijE43y4Ir / Twitter"

🚨🚨Amazing collaboration with @young_vanda_ 👈👈👈We Hunting for a couple of hours on @intigriti, and the results were quite surprising. Reported over 20 bugs, mostly Exceptional. 👾👾👾SQLi, Admin Panel Bypass, RCE, and ...If you want to see the write-up of this hunting... pic.twitter.com/cijE43y4Ir

Technical Part

After some recon, we decided to work on a program with this scope.

https://app.redacted.com

I love forcing things, you know 🤔😜. Especially when there is no WAF, that’s when I get violent. So basically the first thing we did was FUZZING.

ffuf -u https://app.redacted.com/FUZZ -w wordlsit.txt -c -r

We got a hit with this endpoint /file_manager/ . Then, the first thing we saw was this Admin Panel.

From old to new resources, from ancient times 😂😂😂, we’ve been told to look for CVES when we face a third-party panel or admin panel. Therefore, nowadays every hunter does the same thing. Right? OK. That’s what we did. 😐😂

We came across this reference from Exploit-DB:

https://www.exploit-db.com/exploits/51067

We did a bit of reading, playing around with the target, like Cannibals, and after a couple of minutes, we realised that it’s vulnerable to Authentication Bypass. eXtplorer<= 2.1.14 - Authentication Bypass

We put admin:admin and then captured the request, removed the entire password field and finally sent the request.

The Explorer panel allows you to view and manage files in your test directory. The panel shows the directory’s content as a tree of subdirectories, files, and tests. Long story short, we could read the source code and extract unauthenticated endpoints with parameters. Since we had access to the source code we could see what vulnerabilities each endpoint had. You can guess the rest of it. Since they were all unauthenticated endpoints and not same-root/same-cause/anything you say😘, they were all accepted.

Just being honest and some words

Well, the key to this discovery, for us, was doing structured Wide Recon and I’m sure if I gave that application to any hunter they could find the same discoveries more or less. So, we can conclude that we were the first hunters working on that application.

This is how I see it:

Simple Techniques + Good Wide Recon Methodology = Success — Bug

By Simple techniques I mean, it could be a simple fuzzing, running a simple nuclei command, a simple active crawling, a simple Google Dorking, and so on.

A little Me

I’ve been a bit inactive the last couple of months. But God is with us guys. I hope very soon I can have a strong comeback.

If you somehow liked my write-up, you can like it and follow me on social media.
I don’t know man. It was nice to write something again and share some knowledge.

My Twitter Account: @young_vanda_

My Super Dope Friend: @TheM@sterOfDisaster

Let’s gooo. Yeah buddy, light weight baby. Lightweight baby, light weight.

Resources

• https://www.exploit-db.com/exploits/51067
• You can do further studies by this Shodan Dork — http.title:”extplorer”

Going Crazy with Farming VDPs: Extplorer Admin Panel Bypass & Remote Code Execution (RCE) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hi guys, I’m here again, YoungVanda. In this write-up I’m gonna talk about Meteor Subdomain Takeover. From a simple recon to one of the trickiest exploitations of my life 😉

In this write-up, I explained everything from the beginning. If you just one to get to the exploitation part, check out Exploitation heading at the end.

Also if you haven’t read this write-up, give it a go. It’s a good write-up and it helped me a lot during the exploitation process.

The story

It was a private program, with this scope: *.redacted.com
First thing I do when facing a small company/target, is just running Konckpy to get the vibe of domain. Like:

• How many subdomains does it have!!!
• Getting familiar with subdomains and naming patterns.
• Is there any test/stage subdomain!?!

I ran Knockpy and it gave me a few subdomains I just opened them manually.

• I use this Firefox extension for opening URLs manually, at the same time.

I found an interesting subdomain.

When I saw this page I said OK usually these kinda messages could be a sign of Subdomain Takeover. I’m not a big fan of Subdomain Takeover, but I said why not!!! Let’s dive into it 🔥🔥🔥

Note:

• When I face such a web pages and I think it might be vulnerable to Subdomain Takeover, I usually check can-i-take-over-xyz
• Also, I run Nuclei for this purpose😁 Because Nuclei has lots of community templates when it comes to Subdomain Takeover.

Back to the story, I ran Nuclei, after a second Nuclei told me, You’re a lucky boy😁 Just get out here man. Get out here.

Why no ones has reported this before?

• can-i-take-over-xyz hadn’t had the Meteor Takeover in its resources.
• There was no write-up about it, except one. And you could not find it with Googling.
• The only write-up was placed in the Nuclei template. Even, I followed the write-up. Went step by step. But it didn’t work.

How did I find the write-up?

In every Nuclei template there usually extra information about it. Even the way you can exploit the vulnerability. So here what I did to find the write-up:

cd nuclei-templates/
find . -name "template-name.yaml"
cat ./http/takeovers/template-name.yaml

Exploitation

Step — 1:

So I found the write-up, the first thing I did according to the write-up was installing Meteor:

# Other ways here: https://docs.meteor.com/install.html

# I installed this way
curl https://install.meteor.com/ | sh

Step — 2:

Next step is creating Meteor application. I used this command:

# Execute the command with a normal user, not root.
mkdir poc && cd poc
meteor create --minimal .

Note:
For creating a Meteor application you shouldn’t be root user. That was one of my problems, so to make this work I used my Amazon VPS with a ubuntu/normal user.

Step — 3:

So far, all the required files have been created. Go and change this file
client/main.html and put your flag there:
<platform-uesrname> POC Takeover

nano client/main.html # Put your <platform-username> POC Takeover

Step — 4:

Now, go to the www.meteor.com and sign-up. Also take note that you should put your payment details to be able use the custom subdomain feature.

meteor login # Enter your username & password

Step — 5:

It’s time for final step.

DEPLOY_HOSTNAME=[CNAME] meteor deploy [sub.target.com]

In [CNAME] section you can put CNAME of your subdomain.

• dig sub.target.com

But in my case it didn’t work. You can try these:

# Didn't work for me 
DEPLOY_HOSTNAME=eu-west-1.galaxy.meteor.com meteor deploy [sub.target.com]

# Didn't work for me
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy [sub.target.com]

# Worked for me
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy [sub.target.com]

How I found this galaxy.meteor.com

I was disappointed that I couldn’t takeover the subdomain. Even though I spent around 10 hours, in two days, to exploit the vulnerability, but I wasn’t successful. However, suddenly, I came up with an idea, but to me this was more like a shot in the dark :)

I discussed my problem on forums.meteor.com just asking for some help :)

DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy travel.target.com

Finally after 2 days of exploiting and 3 days of waiting for some help. It worked !!!
Man, the moment I realised that the application is being deployed I was over the moon.
It was marvellous. Like a beautiful woman in a red dress with red lipstick

Like this woman:

Ohhh, my bed, sorry, I meant this one:

Ultimate Final Hot Cooking Recipe:

• Ohhh, Mamacita, what a recipe !!! Yummy 😂😂😂

# Follow the steps with normal user, not root.
curl https://install.meteor.com/ | sh
mkdir poc && cd poc
meteor create --minimal .
nano client/main.html # Put your <platform-username> POC Takeover
meteor login  # Entering username and password - Sign-up here www.meteor.com

dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com

# If didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com

# Didn't work, try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com

# Didn't work, try this one: ( this oen worked for me )
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com


# Ceck out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you still having problem with deploying the target. Do the trick !!!
# Go to https://forums.meteor.com and ask for some help

Severity/Priority of this Takeover

It was a private RDP program so I really tried to escalate it to High/P2 by showing the scenario of Stored XSS. But it didn’t work. They closed it as Medium/P3.

Triager said this:

The Errors you might get during the takeover

• After installing Meteor create a directory and run following steps on that directory

curl https://install.meteor.com/ | sh
mkdir poc && cd poc

• Create the Meteor application in a new directory and as a normal user, not root. Otherwise you gonna get this error:

ubuntu@369:~/$ mkdir poc && cd poc
ubuntu@369:~/poc$ meteor create --minimal .

• The last error that you might encounter, is gonna happen while deploying the application:

dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com

# If didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com

# Didn't work, try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com

# Didn't work, try this one: ( this oen worked for me )
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com


# Check out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you still having problem with deploying the target. Do the trick !!!
# Go to https://forums.meteor.com and ask for some help

Moral Values of Story

• The moment I realised that I’m not able to takeover the subdomain, after 7 8 hours of trying. I was really sad and just watched anime. I used to be lazy when it came to exploitation. But I didn’t give up, the next day:
• I watched multiple YouTube videos. About how to deploy a Meteor application and even the Meteor itself.
• Reading documents, from docs.meteor.com, just to figure out what’s going on.
• Finally, when I was disappointed. I explained my problem on the forum, forums.meteor.com, I have waited for 2 or 3 days. And finally someone answered my question and it actually worked.

Uooo man… Wait a minute, I tweet about my recent findings and some other bug bounty tips. So check out my tweeter account . Sorry X account :)

My Twitter Account: @young_vanda_

Resources:

• https://rivalsec.github.io/blog/2022/12/02/meteor.html
• https://galaxy-guide.meteor.com/deploy-region.html
• https://forums.meteor.com
• https://www.meteor.com/

Meteor Subdomain Takeover was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hi guys, I’m YoungVanda and in this write-up I wanna talk about how I monitor BBPs (Bug Bounty Programs) + Introducing you to a new made private tool.

The Mindset

What would’ve happened if you were the first hunter working on a target?
Or if you could possibly see every single changes of the programs, in all platforms( HackerOne, Bugcrowd, Intigriti, Yeswehack ).
Good news baby👼👼👼

Introduction to Program-Watcher

This is a new tool developed by Ali Khalkhali, called Program-Watcher. This tool gets the latest changes and updates( Added Scopes, Removed Scopes, New Added Programs and much more details) of bug bounty platforms.

If you don’t know how to install and work with the tool, check out the video:

What’s the point

Basically by this tool, we gonna find fresh targets, they could be new scopes or new programs. It literally means, we are one of the first hunters working on these assets.
Yeap, that’s a good news, finally 🤗. Yeap!?

The Points

• No more duplicates.
• Running Nuclei, in this scenario, might give you more bugs.
• Hunting XSS with Wayback + kxss is possible.
• Hunting XSS with Google Dork is possible.

I only use the last technique, for now, and I’m gonna tell you about my own approach. But you can be creative and do something crazy with the fresh targets👽👽👽

Note:

• I use this method quite often and I was quite successful in this regard. Even Ranked 1 in a Hall of Fame of a VDP Program
• Also, some of my friends use this technique for RDP targets and they’ve performed quite well so far.
• It’s totally up to you, The way that you want to use the tool. But eventually that’s a good start. Because you’re the first hunter😮

How I take advantage of program-watcher

First of all, I wanna say that you can take advantage of any recent changes, please be creative. But I have my own approach for this matter.

I’m more fond of New Programs and New Added Wild Scopes. Like these messages:

Fresh Targets + Google Dorks

I only use Google Dork technique for fresh assets. You can run Nuclei or run Wayback + kxss. The key in my methodology is that I only look for legacy applications. Just looking for easy XSS 😁

Here are some Google Dorks I use more often than not.

site:*.newwild.tld ext:php
site:*.newwild.tld ext:jsp
site:*.newwild.tld ext:asp
site:*.newwild.tld ext:aspx
site:*.newwild.tld ext:htm
site:*.newwild.tld ext:html

I hate copy & pasting dorks, so I’ve made a simple dork generator.
You can check out my github to see all the dork I use:

GitHub - youngvanda/google-dork-generator: My Handy Google Dorks for Hunting/Pentesting

For example, when I use this dork:

site:*.newwild.tld ext:php

I usually find endpoints like:

https://sub.newwild.tld/sth/sth/endpoint.php

So here I do parameter discovery with x8. Also, now I know that this application is legacy, it means it is a bit old + good spot for old bug types like: XSS, SQLi, etc.
Therefore, I fuzz . I fuzz till the apocalypse, metaphorically speaking😂.
I fuzz for hidden endpoints, hidden parameters.
So make your own private word-list. Use raft-large and mix it with some other word-list repositories together and now you’re good to go.

Here, Some fuzzing scenarios I use most of the times:

https://sub.newwild.tld/sth/sth/FUZZ.php
https://sub.newwild.tld/sth/sth/FUZZ
https://sub.newwild.tld/sth/FUZZ
and so on 

Final Thing :)

Yeah man. That was all I knew. Was this write-up good enough? 😂😂😂

Never mind 😂. Please let me know. If you have any question, I would be more than glad to help you

Take care kings 👑👑👑

Oh man… Wait a minute, I tweet about my recent findings and some other bug bounty tips. So check out my tweeter account . Sorry X account :)

My Twitter Account: @young_vanda_

Resources:

• https://www.youtube.com/watch?v=V6d6_YVUSR8
• https://github.com/Alikhalkhali/programs-watcher
• https://github.com/youngvanda/google-dork-generator

The Art of Monitoring Bug Bounty Programs was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hi guys, I’m YoungVanda and in this write-up, I’m gonna explain my own approach towards Swagger XSS and why I don’t use the Nuclei template ( swagger-api.yaml) ;d

The Entire Flow

1. Find as many subdomains as possible
2. cat all_subs.txt | dnsx | tee -a resolved_ones.txt
3. cat resolved_ones.txt | httpx | tee -a alive_ones.txt
4. ffuf -w /root/wordlist/api/swagger_xss.txt:FUZZ -w alive_ones.txt:URL -u URLFUZZ -mc 200 -o ffuf-result.txt
5. cat ffuf-result.txt | jq -r .results[].url | tee -a feed_me_to_httpx.txt
6. cat feed_me_to_httpx.txt | httpx -silent -title | tee -a title.txt
7. cat title.txt | grep "Swagger UI"

First Step

Find as many subdomains as possible you can get help from Chaos.

Second Step

Now it’s time to resolve subdomains. If you get false positive, use ShuffleDNS with -d and -l options.

Third Step

After resolving them, we need to find alive subdomains. You can add
User-Agent, Time Delay and etc

Fourth Step

Now we are ready to fuzz for Swagger UI endpoints.

ffuf -w /root/wordlist/api/swagger_xss.txt:FUZZ -w alive_ones.txt:URL -u URLFUZZ -mc 200 -o ffuf-result.txt

Fifth Step

Extracting found URLs from ffuf result.

cat ffuf-result.txt | jq -r .results[].url | tee -a feed_me_to_httpx.txt

Sixth Step

Now, we use httpx with -title to get the title of fuzzed and possible endpoints for Swagger UI.

cat feed_me_to_httpx.txt | httpx -silent -title | tee -a title.txt

Seventh Step

cat title.txt | grep "Swagger UI"

Why Not Nuclei (swagger-api.yaml) ?

1. In this methodology wordlist is so important and what I realised is that the wordlists inside this template is not enogh.
2. We’re looking for Swagger UI not API paths. We should be aware of our wordlist so this way you can reduce the extra traffics. I mean you should remove endpoints like this:
   * /swagger-ui.js
   * /swagger-ui.yaml
   * /swagger-ui.json
   Because you looking for Swagger UI, which under a certain version is vulnerable to XSS, not API path. But if you’re looking for API path that’s a different thing.

Best Approach

I think the best approach would be fixing above-mentioned problems and code your own private nuclei template. Even though, my methodology worked fine so far, I was able to find multiple VDP bugs, and you can use it if you’re not into coding templates, but it takes lots of time and energy, also you have to send lots of requests. Therefore, I tried to explain my previous methodology and the reason why I don’t use default Nuclei template in this regard so you guys can think and get the idea or maybe you can come up with a better methodology.

Update

Check out this post. I talked about my recent RDP finding and some more useful tips:
https://twitter.com/young_vanda_/status/1700590035282587861

My Twitter Account: @young_vanda_

Swagger XSS Mass Hunting was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hello mates. I’m YoungVanda and this is my first write up. I hope this write-up would be useful for you. 😊

Let’sssssssssssssssssss Gooooooooooooooooooo 🔥🔥🧨🧨(Just Vibing 😂)

My approach towards platform-based programs ( VDP — RDP )

Since I just started hunting I decided to go for a VDP program. After over 10 duplicates, I got my first bug which was a Reflected XSS (In another write up I’ll tell you how) and this is my second bug which was triaged as critical.

Bug Story

The night before I was working on a simple tool to scan/monitor my assets on a regular basis with the help of passive providers and, in the end, I added a notify(tool) to my code in order to notify me if any new subdomain has been found. So I finished writing the tool and after that, I watched anime for an hour ( a bit of dopamine 🐱‍👤), read a book and went to sleep.
There was no sign of interesting subdomains, but I was happy because my tool was working fine (I’m not a programmer🐱‍👓).
I went to the gym and came back, took a shower and etc and finally opened my laptop and I saw a new subdomain alert on my discord :)
I put the subdomain on my search bar and I wished I could find XSS 😂 after 30 minutes, my internet connection was so bad, the subdomain finally has been loaded and I said damn It’s an admin panel, what should I do now?
I was disappointed and wanted to close the tab, but I said just try admin:admin, if it didn’t work close it.
You know what??? It worked! I put admin:admin, and it asked me for a new password and entered the new password and now I had access to one of the most juiceful admin panels in the world.
Jokes aside that admin panel was really juicy I literally could do anything.

Behind the Scene is the place where the magic is happening !!!

• I was the first person among hunters to find that subdomain.
  So recon always wins. I was monitoring the asset just less than 24 hours and a new subdomain popped up in my discord and I went for it before anyone else.
• The default port for the Grafana panel is 3000. Also, consider 80,443.
• Grafana 8.0.0-beta1 to 8.3.0 is vulnerable to LFI.
• Take advantage of Shodan dorks.
• The default credential for Grafana is admin:admin, if it doesn’t work try other combinations.

End of the Story

This was almost all I knew about Grafana and I explained my own approach for finding this bug ;d
If somehow you liked this write up please give me a thumbs up and see you soon.

More Write ups to read about Grafana Admin Panel Bypass:

• https://infosecwriteups.com/from-shodan-dork-to-grafana-local-file-inclusion-e77dc4cfc264
• https://infosecwriteups.com/grafana-admin-panel-bypass-in-google-acquisition-virustotal-c5ecc9d7b8ae
• Try to find more by searching on the Internet

My Twitter Account: @young_vanda_

My Second VDP Bug Went Critical: Grafana Admin Panel Bypass was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.