Hello everyone,

I am Nitin yadav from India with my first ever write up so please ignore my mistakes. So without wasting time lets roll to the bug and how i found it.

Photo by Gia Oris on Unsplash

So it was my first time hunting on a live website . I was so much excited to hunt on a program lets say site.com(cant disclose as per program rules). I don't know much about the bug types and was new to it. So after 3 or 4 days my excitement turned into boredom. But then i saw a tweet about recon and searched about recon.

Then i came with a video the bug hunters methodology and after watching that i followed every steps showed in the video by Jason Haddix

and got with a a subdomain terminal.epm.site.com.

At first I was like what’s this. And now am totally blank. But i wanted to find a bug so i thought to get the usernames and password for it but cant find. So I thought of password spraying attack. So first I need the internal domain name of the target. Which can be found quickly in the RDS login page source as the WorkSpaceId.

Now the challenging part was that i got the internal domain but from where do i get the user list. So for that i searched about the company on social media if i find something but it was of no use. But i thought of checking LinkedIn and found some names for the company. But the problem was that how can i get all the usernames from linkdin. Then i remembered about a blog about it and quickly cloned the tool (linkdin2usernames).

Now for the structure that the company uses for RD web access was first_last . And the tool does not create this format and from the blog which i got to know about the tool i modified the username list with the tip given there wit sed .

Now its time for some action

Photo by Attentie Attentie on Unsplash

Setting up burp intruder for the action-

There are many ways to perform password spraying but Burp suite gives us a considerable amount of flexibility and control. So i started by capturing the login POST request and leaving a placeholder for the username and using the list which i got from Linkdin2username. I launch a attack . But wait it is important to tune this to minimize impact and load on the service.

Launching the Password Spraying Attack

Now its the showtime. And i launched the attack. And after 2 hours i got 302 redirection. And BOOM…… Its what i was thinking about.

Photo by Windows on Unsplash

Accessing the RDS Service with the Obtained Credentials

I accessed the RD web service using the credentials i got from password spraying attack and the user has a little access but its not what i have concern about.

Without wasting time I reported the bug to company. And within some days i was awarded for that.

Photo by Crawford Jolly on Unsplash

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store