Using Default Credential to Admin Account Takeover

Rohit_443
2 min read · Oct 2, 2022

Hi, Everyone

I hope you all are doing well.

I am writing my 4th bug bounty write-up, “Using Default Credential to Admin Account Takeover”. While testing on a program, I walked through the application and checked all the functionality: forms, login, signup, forgot-password, etc. After all this, I was going to perform the recon phase on this target, and that led to admin account takeover.

Let's start with the finding.

While testing on this target and going through all the functionality, I found 3 or 4 low-level bugs. Then I started doing recon on this target with directory fuzzing using the FFUF tool, but did not get any useful information. Then I opened shodan.io and searched for this simple Shodan dork, “ssl:company.com 200”, and found many IPs belonging to my target. After opening two pages of Shodan results, I found an IP address where the company's support page was running, with a login page that had forgot-password functionality. So, in forgot-password I used my personal email address and got an error: “email address not found”.

Invalid email

So, the turning point of this story comes here.

At the footer of the same web page I found something that said “Have some queries? Email us at Support@company.com”. I copied this email address and used it on forgot-password, and this message popped up on my screen: “You will receive an email with a link to reset your password”.

Valid Email

Here I had found a valid email address for this support portal of the company. After that I used this email as the username and, for the password, company123, and successfully logged in to this portal.

After login I had access to all the internal information of the company, like employee emails, phone numbers, their messages and documents, and was also able to change passwords, etc. I reported this vulnerability, but the report was marked as a duplicate of a critical vulnerability. Still, I was happy to find this.

Steps to reproduce:

  1. Use this dork on shodan.io: “ssl:company.com 200”
  2. Find an IP address with a support page.
  3. At the footer of the web page, find a valid email to use as the username.
  4. Now use the default password company123.
  5. Successfully log in.
  6. Enumerate all employee data, like emails, phone numbers, documents, etc.
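The two weaknesses that chained together above are a forgot-password form that answers differently for known and unknown addresses (so it confirms which accounts exist) and a privileged account still sitting on a guessable default password. The following is an added defensive example, not code from the original write-up or from the affected company: a small in-memory portal showing the leaky reset handler beside a uniform-response version, a login that refuses to grant a session on an organisation-derived default password, and an audit routine a defender can run against their own user store. The company name, accounts and passwords are constructed for the example.

```python
"""
Added defensive example (not from the original post). Models two of the
weaknesses the write-up describes:

1. A forgot-password handler whose message differs for known and unknown
   emails leaks account existence. The hardened version returns one message
   either way and only sends mail when the account really exists.
2. A login that accepts a default such as "company123" is an account-takeover
   risk. The hardened version forces a password change when the account is
   flagged as still on a default or the password is derived from the org name.

Every email, password and the org name below is constructed for this example.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_store(accounts):
    """Build email -> (salt, hash, must_change_password) from plaintext seeds."""
    store = {}
    for email, password, must_change in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, _hash_password(password, salt), must_change)
    return store


# Constructed sample user store: the support mailbox is still on a default.
SAMPLE_STORE = make_store([
    ("support@example-company.com", "company123", True),
    ("alice@example-company.com", "correct horse battery staple", False),
])

# --- 1. Password reset: vulnerable vs hardened -------------------------------

def reset_vulnerable(store, email):
    """Leaks account existence: a different message for each case."""
    if email.lower() not in store:
        return "email address not found"
    return "You will receive an email with a link to reset your password"


RESET_MESSAGE = "If that address is registered, a reset link has been sent."


def reset_hardened(store, email, send_mail):
    """Same response for every input; the only difference is the side effect."""
    if email.lower() in store:
        send_mail(email)
    return RESET_MESSAGE

# --- 2. Login: reject default / organisation-derived passwords --------------

ORG_NAME = "company"  # constructed; in practice derive from the deployment


def is_default_password(password: str, org_name: str = ORG_NAME) -> bool:
    """True for the org name followed only by digits/symbols, e.g. company123."""
    pattern = rf"^{re.escape(org_name)}[\d!@#$%^&*_.-]*$"
    return re.match(pattern, password, re.IGNORECASE) is not None


def login(store, email, password):
    """Returns a status string; never reveals which factor was wrong."""
    record = store.get(email.lower())
    if record is None:
        return "invalid credentials"
    salt, stored_hash, must_change = record
    if not hmac.compare_digest(stored_hash, _hash_password(password, salt)):
        return "invalid credentials"
    if must_change or is_default_password(password):
        # Password is correct but is a default: no session until it is changed.
        return "password change required"
    return "ok"


def audit_defaults(store, candidates):
    """Defensive sweep: which accounts still use one of the known defaults?"""
    flagged = []
    for email, (salt, stored_hash, _) in store.items():
        for cand in candidates:
            if hmac.compare_digest(stored_hash, _hash_password(cand, salt)):
                flagged.append((email, cand))
    return flagged


if __name__ == "__main__":
    print(reset_vulnerable(SAMPLE_STORE, "nobody@example-company.com"))
    print(reset_hardened(SAMPLE_STORE, "nobody@example-company.com", lambda e: None))
    print(login(SAMPLE_STORE, "support@example-company.com", "company123"))
    print(audit_defaults(SAMPLE_STORE, ["company123", "Password1"]))
```

The hardened reset deliberately keeps the visible response identical for registered and unregistered addresses; the remaining signal is timing, so in a real deployment the mail send should be queued rather than performed inline. The audit helper is meant to be run by the owner of the store against a short list of known defaults, which is how a team catches a "company123" account before anyone else does.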

Thank you for reading this write-up; I hope you found it useful.

For upcoming write-ups, follow me on Twitter: https://twitter.com/Rohit_443

Rohit_443

Senior Security Consultant | Bug bounty hunter | Twitter @Rohit_443