Hack Till Your Last Breath

A Tale of my ATOs

Hi fellow hackers, I’m mechboy. This is my first write-up. In this blog, I will share, how I was able to hack a popular website. Ok, let’s start…….

P1 in 10 minutes

It was hackerone private program so I can’t disclose its name. Let’s assume it as “redacted.com”. That Program had very small scope so I decide to hunt in the main domain. Actually, I won’t do recon but not now. So directly I jumped for testing. Just powered up my burp and browser to monitor the requests. While looking users dashboard there was an option to change email for our account. I changed the mail id and moved to burp.

Changing email
Changing email

{“userId”:”xxxxx-xxxxxxxx-xxxx-xxxxx",”email”:”test12@gmail.com”}

There were two parameters, one is user id and another one is our new email. You can see that in the above image. That user id is unique for every user. I had replaced my user id with the victim’s user id in that request. When I checked victim account Booom….. victim mail got changed. Now I can take over the victim account by requesting a forgot password. Hoooo within 10 mins I found a P1 bug. . I reported that in h1. But my report is not ended with this!

Unexpected quotes

I just waited to see this “triaged” but there was a surprise for me. Yes, my report was marked as “NOT APPLICABLE”. And that triager left this below message for me

The user_id parameter is a UUID value that has very high entropy. I don’t see an impact here because the UUID cannot be guessed.

User id values have very strong entropy. I tried to crack it. But nothing happened. Yes, the site is secure because I can’t get other’s user id.

Wait….. what they can do if user id was revealed by them. Yeah accidentally I noticed user id was leaking in URLs, password reset links and cookie. I gave this info to triager.

Again and Again

But he replied as below,

There are two same reports before, and the team informed us that they are not willing to accept this UUID is not publicly available.
What example you gave for UUID was self exploitable. If you are able to find UUID of another user without any self-attack, I can ask the team to have another look.

So it was closed as a duplicate. But I didn’t stop. I already told you that user id was leaking in a cookie so I started hunting for an XSS. And I got that. Through this XSS I can get any user’s user id by executing my payload in his browser. Through IDOR and XSS I can do account takeover. Again I informed this to that triager.

Again Again Again

Again it marked as dupe…………………..This is the reply of that triager

This XSS was also reported before and again it is a duplicate of #XXXXXX

This made me mad…………………..

So I just took a break and relaxed. But I decided to learn RECON in this break time. Every day, I read some blogs and watched Jason Haddix and Behrouz Sadeghipour youtube videos.

After a week I came to know about the new course of Aditya Shende and it was around 150$. I want to join his course by using my own bounties. So I decided to start hunting. In an hour I found a Business logic vulnerability in a site. And I got 200$ for that. It was a small bug but………….. it gave me the solution.

Dorks Cure’s Dork

Yup, this small bug gave me the solution. While hunting this bug I used Google Dork to gather some information. Then only it came to my mind ”why don’t we use Google Dorks to find URLs which having user id of redacted.com users”. Yes, I used Google Dorks in order to perform account takeover in “redacted.com”.

I already said user id was leaking in URLs.

site:redacted.com inurl:”xxxxxxxx”

By using the above dorks, I got more than 1000 URLs which having user-id redacted.com users. From that URLs, I have taken a random user id (this user belongs to an unknown user of “redated.com”) and changed the email by the help of my IDOR bug in. Through “Forgot password’ I changed the password. Then I logged in to VICTIM account. I gave this as a Poc to triager. At last, my report got TRIAGED

IDOR + DORKS = ACCOUNT TAKEOVER

Conclusion

How to be successful in bug bounty”. You may face hard times in bug bounty. But don’t run away for that. Persistence is the key to success. Two hackers were reported this bug before me. Their report is closed as N/A but my reported got triaged. Because I ran till the endpoint. “Never Give_up” it may look like a cinematic dialogue. But it will drive you to success so use this in your hard times.

I got everything from this community and now I want to give it back. I will try to share my findings in future. Thank you guys…….HAPPY HACKING

Ping me:

Instagram

Twitter

learn anything which gives the feel of learning