How I Gained Full Access to an Admin Panel and Got a Big Bounty (But Ended Up Frustrated)

Listen to this Post

A few months ago, I was testing a private bug bounty program with a really broad scope. While looking at one of their main websites, I noticed it was loading libraries/scripts from a 3rd party domain. After further checking, I found that the domain was managed by a 3rd party development company that was working for them.

Since the scope was broad enough, I did a subdomain enumeration on that 3rd party domain. I quickly noticed a subdomain that seemed like hosting an admin panel for an ecommerce website belonging to the main company (something like companyadmin.domain[.]com).

The subdomain showed a login panel. I reviewed the source code/JavaScript and didn’t find any endpoints. But, I noticed that after a correct login, the website would redirect the user to “/panel”. I tried to access “/panel” directly and found that the website was loading the frontend and then redirecting me back to the login page. Probably because it was checking if I was authenticated at the end of the code (don’t do that!).

This allowed me to examine the HTML/JS code that the “/panel” page loaded before redirecting me to the login page, and I was able to extract a large list of endpoints through JavaScript analysis.

At that point, it was pretty straightforward:

  • I tested all the endpoints; the server responded with an “unauthenticated” error for all of them except one.
  • After further checking the endpoint that didn’t return an “unauthenticated” error, I noticed that it also included a token in its response.
  • Wait… Was that endpoint providing me with a valid token?
  • Yes, I added it to the headers, rechecked access to “/panel”, and now I had full access to the admin panel.

I reported it, and they accepted it even though it was hosted on a 3rd party subdomain, because it was an admin panel providing control over one of their main websites. But the bounty ended up being €250, and they downgraded it from Critical to High, mostly because it was managed by a 3rd party.

You Should Know:

1. Subdomain Enumeration:

  • Use tools like Sublist3r, Amass, or `Assetfinder` to enumerate subdomains.
    sublist3r -d example.com
    amass enum -d example.com
    assetfinder --subs-only example.com
    

2. JavaScript Analysis:

  • Use browser developer tools (F12) to inspect JavaScript files.
  • Tools like `Burp Suite` or `ZAP` can help intercept and analyze network requests.
    burpsuite
    zaproxy
    

3. Endpoint Testing:

  • Use `curl` or `Postman` to test endpoints.
    curl -X GET http://example.com/panel
    curl -X POST http://example.com/endpoint -H "Authorization: Bearer <token>"
    

4. Token Extraction:

  • Use `jq` to parse JSON responses and extract tokens.
    curl http://example.com/endpoint | jq '.token'
    

5. Header Manipulation:

  • Add tokens to headers using curl.
    curl -X GET http://example.com/panel -H "Authorization: Bearer <token>"
    

What Undercode Say:

This article highlights the importance of thorough reconnaissance and persistence in bug bounty hunting. Even when faced with a simple login panel, digging deeper into the source code and testing all possible endpoints can lead to significant discoveries. Tools like Sublist3r, Burp Suite, and `curl` are essential for any cybersecurity enthusiast. Always remember to manage your expectations and understand the scope of the program to avoid burnout. Happy hunting!

Relevant URLs:

References:

Reported By: Martinmarting How – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image