Smart recon to PWN the panel

3 min read · Oct 24, 2024

In the name of God, the Most Gracious, the Most Merciful

Hello everyone, this is my second write-up, and I will be talking about one of the most interesting findings I discovered this week.

Let’s start with the reconnaissance phase.

In this finding, I used Netlas.io, an internet scanner and search engine.

I began by using a specific dork to discover all the company’s subdomains across various top-level domains (TLDs).

Here’s an example of the dork: Domain:*.uber.*

https://app.netlas.io/domains/?q=domain%3A*.uber.*&page=1&indices=

I dug into the results and applied some filters to discover new assets.

There are two types of filters available.

The first is ‘Zones,’ which refers to the top-level domains (TLDs).

The second is ‘Levels,’ which represent the different parts of a domain.

For example, a level is simply the number of dot-separated labels in a hostname: if we select level 4, it would display domains with four parts, such as admin.root.uber.com, while level 3 would show domains like root.uber.com, and so on.

Additional tip: you can also search for third-party domains that carry the brand name as a label, such as uber.rood.io, if the program’s scope allows it.

Here’s an example dork to find third-party domains: https://app.netlas.io/domains/?q=domain%3Auber..&page=1&indices=
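The Zones and Levels filters described above are easy to reproduce offline once you have exported a hostname list from the search results. The following script is an added example written for this page, not part of the original write-up or of Netlas; the hostname list is constructed for illustration, and the two-part public suffix set is an assumption (a real run should use the full Public Suffix List so that zones like co.uk are handled correctly).

```python
"""Recreate the Netlas 'Zones' and 'Levels' filters on an exported host list.

Added example; it makes no network calls. SAMPLE_HOSTS is constructed data and
TWO_PART_SUFFIXES is a deliberately tiny stand-in for the Public Suffix List.
"""
from collections import defaultdict

SAMPLE_HOSTS = [  # constructed sample, not real recon output
    "uber.com",
    "root.uber.com",
    "admin.root.uber.com",
    "uber.co.uk",
    "api.uber.de",
    "uber.rood.io",    # third party: brand is a label, but rood.io owns it
    "m.uber.rood.io",
]

# Assumption: a minimal stand-in for multi-label public suffixes.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def labels(host: str) -> list[str]:
    """Split a hostname into its dot-separated labels."""
    return host.strip(".").lower().split(".")


def level(host: str) -> int:
    """Netlas 'Level': number of labels (root.uber.com -> 3)."""
    return len(labels(host))


def zone(host: str) -> str:
    """Netlas 'Zone': the top-level domain (uber.co.uk -> 'uk')."""
    return labels(host)[-1]


def registrable_domain(host: str) -> str:
    """The part of the name a registrant actually owns (eTLD+1)."""
    parts = labels(host)
    if ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def by_level(hosts: list[str], n: int) -> set[str]:
    """Hosts with exactly n labels, like the 'Levels' filter."""
    return {h for h in hosts if level(h) == n}


def by_zone(hosts: list[str], tld: str) -> set[str]:
    """Hosts under a given TLD, like the 'Zones' filter."""
    return {h for h in hosts if zone(h) == tld.lower()}


def split_by_ownership(hosts: list[str], brand: str) -> dict[str, list[str]]:
    """Separate first-party hosts (brand owns the registrable domain) from
    third-party hosts where the brand merely appears as a label. Third-party
    hits are exactly the ones to double-check against the program's scope."""
    out = defaultdict(list)
    for h in hosts:
        owner = registrable_domain(h).split(".")[0]
        bucket = "first_party" if owner == brand.lower() else "third_party"
        out[bucket].append(h)
    return dict(out)


if __name__ == "__main__":
    print("level 4:", by_level(SAMPLE_HOSTS, 4))
    print("zone uk:", by_zone(SAMPLE_HOSTS, "uk"))
    print(split_by_ownership(SAMPLE_HOSTS, "uber"))
```

The ownership split is the part the Netlas UI does not do for you: a level-3 host like uber.rood.io looks like a subdomain in a flat list, but its registrable domain belongs to someone else, so it needs a scope check before any testing.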

Now let’s move on to the hunting part.

My reconnaissance process ended with an interesting domain.

The first thing I did was register a new account, but unfortunately, it required admin approval. So, I inspected the requests to see what was happening behind the scenes. ;)

Here’s the response from the login POST request, and the role parameter looked interesting. Naturally, the idea of response manipulation came to mind. So, the first thing I tried was manipulating the response—LOL!

I tried using match and replace, but it wasn’t vulnerable to response manipulation. So, I continued by analyzing the JavaScript file.

I found some interesting paths and tried to access them directly.
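Pulling candidate routes out of a single-page-app bundle is a step worth automating. The script below is an added example for this page, not the author’s tooling: it takes a constructed snippet of an Angular-style bundle (assumption: the real application’s bundle format is not shown in the write-up), extracts client-side route definitions and API paths with regular expressions, and turns the routes into the hash-style URLs that a direct-access test would request. The route names and the guard name are invented for the example.

```python
"""Extract SPA routes and API paths from a JavaScript bundle for direct-access testing.

Added example. The bundle text is constructed; 'AdminGuard', the route names and
the API paths are invented and do not come from the original write-up.
"""
import re
from urllib.parse import quote

# Constructed, minified-looking excerpt of an Angular-style router config.
SAMPLE_BUNDLE = r"""
const r=[{path:"login",component:Lg},{path:"dashboard",component:Db},
{path:"manager/settings",component:St,canActivate:[AdminGuard]},
{path:"manager/users/:id/manage",component:Um,canActivate:[AdminGuard]}];
this.http.get("/api/users").subscribe(...);
this.http.put("/api/users/"+e.id,{role:e.role,status:e.status});
"""

# Route objects look like {path:"manager/settings",...}; quotes may be ' or ".
ROUTE_RE = re.compile(r"""path\s*:\s*(['"])([^'"]*)\1""")
# API calls usually embed a path literal starting with /api/.
API_RE = re.compile(r"""(['"])(/api/[^'"]+)\1""")
# A route whose object carries canActivate is only guarded client-side.
GUARDED_RE = re.compile(r"""\{[^{}]*path\s*:\s*(['"])([^'"]*)\1[^{}]*canActivate[^{}]*\}""")


def extract_routes(js: str) -> list[str]:
    """All route paths in definition order, duplicates removed."""
    seen, out = set(), []
    for _, path in ROUTE_RE.findall(js):
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


def guarded_routes(js: str) -> set[str]:
    """Routes that the bundle protects with a client-side guard. These are the
    first candidates to open directly, because a guard in the browser proves
    nothing about what the server will answer."""
    return {path for _, path in GUARDED_RE.findall(js)}


def extract_api_paths(js: str) -> list[str]:
    """Backend paths referenced by the client (the real authz boundary)."""
    return sorted({path for _, path in API_RE.findall(js)})


def candidate_urls(base: str, routes: list[str]) -> list[str]:
    """Hash-router URLs of the form https://host/#/<route>; ':id' style
    parameters are replaced with a placeholder so the list is greppable."""
    urls = []
    for route in routes:
        filled = re.sub(r":([A-Za-z_]+)", r"<\1>", route)
        urls.append(f"{base.rstrip('/')}/#/{quote(filled, safe='/<>')}")
    return urls


if __name__ == "__main__":
    routes = extract_routes(SAMPLE_BUNDLE)
    for url in candidate_urls("https://target.example", routes):
        flag = " (client-side guard)" if any(url.endswith(g) for g in guarded_routes(SAMPLE_BUNDLE)) else ""
        print(url + flag)
    print(extract_api_paths(SAMPLE_BUNDLE))
```

The practical point is the last list: opening a guarded hash route in the browser only exercises JavaScript, so what decides whether the panel is exposed is whether each /api/ path it calls enforces the role on the server.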

And guess what? I gained access to this path: /manage/settings. The full URL was: https://uber.root.io/#/manager/settings

The first thing I did was navigate to User Management to check my account.

Then I clicked Manage.

As you can see, the status is inactive and the role is empty. I activated my account and assigned the admin role to it.

Now, I logged back into my account, and guess what? I had admin privileges, and I had full control of the panel!

In conclusion, I hope everyone found value in reading my write-up. Thank you, and I wish you all the best in your own security explorations!
