Recon wins - Part 1
Can browser extension get you high severity vulnerabilities?
Hey everyone! I hope you all are doing well!
Rohit soni is back with another write-up and this time it is about how shodan browser extension helped me to get high severity vulnerability while hunting on moviexchange.com I hope you will enjoy :-)
So, Here is my little story….
While roaming on linkedin feed I came to know moviexchange has responsible disclosure policy and they add individuals to their “Security Researcher Hall of Fame” for reporting valid vulnerability.
I took a look at scope and saw all subdomains are in-scope — *.moviexchange.com. Means I have big scope 😁.
Big Scope = More Chances to Find Vulnerabilities. And I don’t want to loose this chance. So, I started hunting on it.
Recon Time
I used assetfinder and sublist3r to enumerate subdomains and merge results of both tools.
I got 16 unique subdomains and it’s not large amount of subdomains. So, I decided to open all subdomains one by one manually in the browser. And I saw auth.moviexchange.com where there were 2 options “Forget Username” and “Forget Password”.
I started playing with this subdomain but I found nothing interesting. I was about to leave but something caught my attention and that was…..
I got few open ports using shodan browser extension.
• Wait, What is shodan ?
Shodan is a search engine that lets the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. It is also known as a search engine of hackers. Because you may find hell lots of (Vulnerable) devices using shodan across the whole internet.
• That’s alright but what does that extension do ?
Well, I am very lazy and I can’t wait to run nmap and discover open ports for me. So, I use shodan browser extension to save my time. Easy hack huhh….😜
Interesting, Port number 8080 is open.
I opened http://auth.moviexchange.com:8080 in browser and entered into traefik dashboard without any kind of authentication. There was no password protection. But I never heard about traefik and I was not sure whether there should be any kind of authentication or not.
• You also don’t know what is Traefik ?
Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with your existing infrastructure components (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, etc.) and configures itself automatically and dynamically.
I read documentation of traefik and read about secure and insecure mode of traefik but still I was in dilemma should I report or not. I thought to ask to my friend Debangshu Kundu (@bourne_shell) for help. This guy has amazing knowledge of recon.
I told him whole story. He replied, this traefik dashboard have some internal processes and internal links and it contains their network infrastructure so, it should not be publicly accessible you can report. This should be under P1 or P2 category.
Woahhh…..Got high severity bug using shodan browser extension.
Wait wait wait…..This is not over yet.
Before reporting I thought to check other subdomains. staging-auth.moviexchange.com subdomain took my attention. Again same number of ports were open and one more traefik instace was running on 8080 port of this subdomain.
Before reporting I wanted to know more about traefik. I started playing with one traefik dashboard and saw 2 subdomains which were not in the list of enumerated subdomains. I simply opened them in browser. Found nothing interesting but again shodan browser extension told me 8080 port is open on both subdomains. And guess what…. 2 more traefik dashboard found.
Think Logically
Previously I have seen auth.moviexchange.com has staging subdomain. So, I thought to check whether these both (unlisted) subdomains has staging subdomain or not. And luckily I found both has staging subdomains and port 8080 is open. And Yeah..!! Got 2 more traefik dashboards.
I found total 6 traefik dashboards. Without waiting I reported to moviexchange and got positive reply. :-)
After resolving this issue they added me in their Hall of Fame.
Hope you enjoyed my story. If you have any questions or suggestions reach me through instagram, twitter or linkedin.
Happy Hunting. :-)
Instagram: @street_of_hacker
Twitter: @streetofhacker
LinkedIn: Rohit Soni
Special Thanks to Debangshu Kundu : @bourne_shell
