Hello everyone,

I am Nitin Yadav from India, and this is my first ever write-up, so please ignore my mistakes. Without wasting time, let's roll to the bug and how I found it.


It was my first time hunting on a live website. I was very excited to hunt on a program, let's say site.com (I can't disclose the name as per program rules). I didn't know much about bug types and was new to it, so after 3 or 4 days my excitement turned into boredom. But then I saw a tweet about recon and started reading up on it.

Then I came across the video "The Bug Hunter's Methodology" by Jason Haddix, and after watching it I followed every step shown in the video.


That led me to the subdomain terminal.epm.site.com.


At first I was like, what's this? I was totally blank. But I wanted to find a bug, so I tried to get usernames and passwords for it but couldn't find any. So I thought of a password spraying attack. First I needed the internal domain name of the target, which can be found quickly in the RDS login page source as the WorkSpaceId.


Now the challenging part: I had the internal domain, but where do I get the user list? I searched for the company on social media in case I found something, but it was of no use. Then I checked LinkedIn and found some names of people at the company. The problem was how to turn all of those names into usernames. Then I remembered a blog about exactly that and quickly cloned the tool it described (linkedin2username).


The username format the company used for RD Web Access was first_last. The tool does not create this format, but the blog where I learned about the tool gave a tip for reshaping the username list with sed, so I used that to modify my list.

Now it's time for some action.


Setting up Burp Intruder for the action

There are many ways to perform password spraying, but Burp Suite gives us a considerable amount of flexibility and control. I started by capturing the login POST request, marking the username field as the payload position, and loading the list I got from linkedin2username. Then I launched an attack. But wait: it is important to tune the attack to minimize impact and load on the service.


Launching the Password Spraying Attack

Now it's showtime. I launched the attack, and after 2 hours I got a 302 redirection. And BOOM... it was exactly what I was hoping for.
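From the defender's side, the same signal the author used (one source sending login POSTs for many different usernames, then a 302 on the one that works) is what a detection should look for. The following is an added example, not code from the original post: it runs a simple spray detector over constructed IIS-style log lines. The RD Web login path, the 200-on-failure/302-on-success behaviour and the log layout are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified IIS W3C-style lines: date time c-ip cs-method cs-uri-stem user sc-status.
# The RD Web path and the status codes are assumptions for this example, not data from the post.
SAMPLE_LOG = """\
2020-01-01 10:00:01 203.0.113.5 POST /RDWeb/Pages/en-US/login.aspx john_smith 200
2020-01-01 10:00:02 203.0.113.5 POST /RDWeb/Pages/en-US/login.aspx mary_jones 200
2020-01-01 10:00:03 203.0.113.5 POST /RDWeb/Pages/en-US/login.aspx raj_kumar 200
2020-01-01 10:00:04 203.0.113.5 POST /RDWeb/Pages/en-US/login.aspx ana_lopez 200
2020-01-01 10:00:05 203.0.113.5 POST /RDWeb/Pages/en-US/login.aspx wei_chen 200
2020-01-01 10:00:06 203.0.113.5 POST /RDWeb/Pages/en-US/login.aspx omar_ali 302
2020-01-01 10:00:07 198.51.100.9 POST /RDWeb/Pages/en-US/login.aspx mary_jones 200
2020-01-01 10:00:08 198.51.100.9 POST /RDWeb/Pages/en-US/login.aspx mary_jones 302
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
                     r"(?P<uri>\S+) (?P<user>\S+) (?P<status>\d{3})$")
LOGIN_PATH = "/RDWeb/Pages/en-US/login.aspx"  # assumed RD Web login endpoint


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def detect_spray(events, min_distinct_users=5):
    """Flag source IPs whose login POSTs fail for many *distinct* usernames (the spray
    pattern, as opposed to one user retrying), and list accounts those IPs then got into."""
    failed = defaultdict(set)     # ip -> usernames with a failed (non-302) login
    succeeded = defaultdict(set)  # ip -> usernames that produced the 302 redirect
    for ev in events:
        if ev["method"] != "POST" or ev["uri"] != LOGIN_PATH:
            continue
        bucket = succeeded if ev["status"] == 302 else failed
        bucket[ev["ip"]].add(ev["user"])
    findings = {}
    for ip, users in failed.items():
        if len(users) >= min_distinct_users:
            findings[ip] = {"attempted_users": len(users),
                            "compromised": sorted(succeeded[ip])}
    return findings


if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The second source (198.51.100.9) is a single user who mistyped a password once and is not flagged, which is the distinction a lockout-based control misses and a per-source distinct-username count catches.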


Accessing the RDS Service with the Obtained Credentials

I accessed the RD Web service using the credentials I got from the password spraying attack. The user had only a little access, but that's not what I was concerned about.


Without wasting time I reported the bug to the company, and within a few days I was awarded for it.
