Importance of Recon — Hacked one of the biggest software houses within 15 mins!

Ahmad Moaaz
4 min read · Mar 23, 2021

How cool would it be to hack one of the biggest software development companies in your country within 15 mins, just with the help of Google!

People don't realise that in pentesting engagements Google often plays an important role, from information gathering to searching for exploits. Whenever I start a pentest for a client, I always begin with some basic Google dorking against the target, because sometimes you can find juicy information right at the start, before you have even begun to actually pentest the target.

This write-up focuses on the importance of information gathering in pentesting. It is basically the first and most important phase of a pentest, and if done properly it can be extremely useful.

So let's start with how I hacked them within 15 mins and got access to their database and their clients' databases!

One day, I was just going through different software house sites and came across this company, one of the biggest software houses in the country (let's call it redacted), with many well-known international clients.

Their main site was running on WordPress and had 1 or 2 other subdomains which did not have anything on them, so I went back to the first thing I always do when testing a target: Google dorking.

I went to Google and searched for multiple things like publicly available docs, log files, config files, etc. Some of the dorks I used are below:

1) Publicly available docs
site:redacted.com ext:doc | ext:docx | ext:odt | ext:rtf | ext:sxw | ext:psw | ext:ppt | ext:pptx | ext:pps | ext:csv
2) Directory listing
site:redacted.com intitle:index.of
3) Publicly available DB files
site:redacted.com ext:sql | ext:dbf | ext:mdb
4) Publicly available config files
site:redacted.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini | ext:env
5) Backup files
site:redacted.com ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup
6) Available pastes mentioning the target
site:pastebin.com | site:paste2.org | site:pastehtml.com | site:slexy.org | site:snipplr.com | site:snipt.net | site:textsnip.com | site:bitpaste.app | site:justpaste.it | site:heypasteit.com | site:hastebin.com | site:dpaste.org | site:dpaste.com | site:codepad.org | site:jsitor.com | site:codepen.io | site:jsfiddle.net | site:dotnetfiddle.net | site:phpfiddle.org | site:ide.geeksforgeeks.org | site:repl.it | site:ideone.com | site:paste.debian.net | site:paste.org | site:paste.org.ru | site:codebeautify.org | site:codeshare.io | site:trello.com "redacted.com"
7) Searching GitLab/GitHub
site:github.com | site:gitlab.com "redacted.com"
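As an added example (not from the original post), here is a small Python audit a site owner can run against their own document root to find the file types dorks 1, 3, 4 and 5 above look for, before a search engine indexes them. The extension groups are copied from the dork list; the sample web root is constructed inline and is hypothetical.

```python
import os
import tempfile

# Extension groups copied from the dork list above; the key is the dork's purpose.
SENSITIVE_EXTENSIONS = {
    "document": {"doc", "docx", "odt", "rtf", "sxw", "psw", "ppt", "pptx", "pps", "csv"},
    "database": {"sql", "dbf", "mdb"},
    "config": {"xml", "conf", "cnf", "reg", "inf", "rdp", "cfg", "txt", "ora", "ini", "env"},
    "backup": {"bkf", "bkp", "bak", "old", "backup"},
}

def classify(filename):
    """Return the dork category for a filename, or None if no dork above would match it."""
    name = os.path.basename(filename).lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""  # ".env" -> "env", "a.php.bak" -> "bak"
    for category, exts in SENSITIVE_EXTENSIONS.items():
        if ext in exts:
            return category
    return None

def audit_webroot(root):
    """Map every matching file under root (path relative to root, '/'-separated) to its category."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            category = classify(fname)
            if category:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits[rel.replace(os.sep, "/")] = category
    return hits

def build_sample_webroot():
    """Constructed sample web root with hypothetical files (not the post's target)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "wp-config.php.bak": "define('DB_PASSWORD', 'PLACEHOLDER');",  # leaked backup
        "dump/clients.sql": "-- constructed dump, no real data\n",
        ".env": "APP_KEY=PLACEHOLDER\n",
        "docs/proposal.docx": "",
        "assets/logo.png": "",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```

Run audit_webroot("/var/www/html") on a real document root; note that txt also matches expected files such as robots.txt, so review the hits rather than deleting them blindly.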

I did not find anything useful until Google showed me the results for site:github.com | site:gitlab.com "redacted.com": I saw a URL containing the name of a very famous food delivery company which I knew was a client of this software house. On opening the link, I saw it was a complete project of that food delivery company. I quickly checked the owner of that project, and that user's email belonged to the software house.

Archived Project

Note: They removed the project from GitHub after my report, so the above image is from the Wayback Machine, whose crawlers had already crawled it a few years ago.

At this point I knew that an employee of redacted had been working on a client project and had left it open on GitHub, which meant it must contain useful information that could help an attacker compromise the target.

The project had the code of different pages, but when I was looking at the reset-password.php code, I came across an image tag which contained an IP address:

<img src="http://*.*.*.*/demos/food_delivery_company/html/email-templates/food_delivery_company-logo.png" width="180">

I quickly did some recon on the IP address and saw it belonged to DigitalOcean. On visiting the site, it did not show anything but a white page saying No such file or directory in /var/www/html/wp-settings.php.

This confirmed that it was a WordPress instance. Whenever I come across a WordPress site, I always check whether its admin panel is publicly accessible. So I typed /wp-admin and, surprisingly, it showed me a listing of the directories the site had. At this point I was sure that this was some sort of testing instance, which developers usually use to test their project before pushing their code to production.

On entering some common directory names in the URL, I saw that it was running phpMyAdmin at /phpmyadmin, but it was password protected, of course!

I tried the usual default credentials on it, like root:root, admin:admin and root with no password, but nothing worked. Then I randomly tried the credentials root:redacted123 and it WORKED!

I checked what information it had inside and found that it contained the credentials for redacted's admin panel plus those of most of the clients they had or were working with. The worst part: the credentials were stored in plain text!

A malicious attacker could have uploaded a shell through the database and compromised their main site, their clients, etc., which could have resulted in loss of reputation.

Given the severity of this finding, I quickly found the email of the CEO and wrote an email with a detailed explanation of my finding, a PoC, and how to mitigate such vulnerabilities.

Email of my Finding to the CEO of the company

They initially did not reply to or even open my email, but when I sent it a second time the next week, they were quick to understand its impact and fixed it right away.

Conclusion

This blog post shows how important it is to do proper recon on the target; there is a reason why this is the first and most important part of pentesting. A simple Google search, if done right, can help you in ways you can't imagine. It's an amazing and very powerful tool.

Thanks a lot for reading. Happy hacking! ;)

Ahmad Moaaz

A Security Engineer/Penetration Tester who likes breaking into applications