In the name of God, the Most Gracious, the Most Merciful.
Hello everyone, this is my second write-up, and I will be talking about one of the most interesting findings I discovered this week.
Let’s start with the reconnaissance phase.
In this finding, I used Netlas.io, an internet scanner and search engine.
I began by using a specific dork to discover all the company’s subdomains across various top-level domains (TLDs).
Here's an example of the dork: domain:*.uber.*
https://app.netlas.io/domains/?q=domain%3A*.uber.*&page=1&indices=
I dug into the results and applied some filters to discover new assets.
There are two types of filters available.
The first is ‘Zones,’ which refers to the top-level domains (TLDs).
The second is ‘Levels,’ which represent the different parts of a domain.
For example, if we select level 4, it would display domains with four parts, such as admin.root.uber.com, while level 3 would show domains like root.uber.com, and so on.
Additional tip: you can also search for third-party domains that carry the company's name, such as uber.rood.io, if the program's scope allows it.
Here's an example dork to find third-party domains: https://app.netlas.io/domains/?q=domain%3Auber..&page=1&indices=
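To make the Zones and Levels filters concrete, here is an added example (my own code, not part of the original write-up and not Netlas's own tooling) that applies a Netlas-style wildcard dork to a list of domain names and then narrows the hits by TLD and by number of parts, the way the two sidebar filters do. The domain list is constructed for the example; the wildcard semantics (`*` matching any run of characters, dots included) and the treatment of a zone as simply the last label are assumptions.

```python
import fnmatch
from collections import defaultdict

# Constructed sample of domain names in the shape a Netlas domain search returns
# (only the name field is kept; real results carry many more fields). All hosts
# here are hypothetical, not real findings.
SAMPLE_DOMAINS = [
    "uber.com",
    "root.uber.com",
    "admin.root.uber.com",
    "api.uber.co.uk",
    "login.uber.de",
    "uber.root.io",
    "static.uber.root.io",
    "notuber.com",
    "uberfan.net",
]


def matches_dork(domain, pattern):
    """Apply a Netlas-style wildcard pattern such as '*.uber.*' to one domain.
    Assumption: '*' matches any run of characters, dots included, as in a shell glob."""
    return fnmatch.fnmatchcase(domain.lower(), pattern.lower())


def level(domain):
    """The 'Levels' filter as the post describes it: number of dot-separated parts."""
    return len(domain.strip(".").split("."))


def zone(domain):
    """The 'Zones' filter: the top-level domain, taken here as the last label (assumption)."""
    return domain.strip(".").rsplit(".", 1)[-1].lower()


def filter_domains(domains, pattern, zones=None, levels=None):
    """Return the domains matching the dork, optionally restricted to given zones and levels."""
    wanted_zones = {z.lower() for z in zones} if zones is not None else None
    wanted_levels = set(levels) if levels is not None else None
    out = []
    for d in domains:
        if not matches_dork(d, pattern):
            continue
        if wanted_zones is not None and zone(d) not in wanted_zones:
            continue
        if wanted_levels is not None and level(d) not in wanted_levels:
            continue
        out.append(d)
    return sorted(out)


def group_by_zone(domains):
    """Bucket domains by TLD, the way the Zones sidebar summarises a result set."""
    groups = defaultdict(list)
    for d in domains:
        groups[zone(d)].append(d)
    return {z: sorted(hosts) for z, hosts in groups.items()}


if __name__ == "__main__":
    hits = filter_domains(SAMPLE_DOMAINS, "*.uber.*")
    print("subdomains:", hits)
    print("level 4 only:", filter_domains(SAMPLE_DOMAINS, "*.uber.*", levels=[4]))
    print("by zone:", group_by_zone(hits))
    print("third-party style:", filter_domains(SAMPLE_DOMAINS, "uber.*.*"))
```

Note how `*.uber.*` never returns `uber.root.io`: the leading `*.` demands a label in front of `uber`, which is exactly why the third-party hunt needs a second dork with the company name in front.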
Now, let's move on to the hunting part.
My reconnaissance process ended with an interesting domain.
The first thing I did was register a new account, but unfortunately it required admin approval. So I inspected the requests to see what was happening behind the scenes. ;)
Here's the response to the login POST request; the role parameter looked interesting. Naturally, response manipulation came to mind, so the first thing I tried was manipulating the response. LOL!
I tried match and replace, but the app wasn't vulnerable to response manipulation (which is what you expect whenever the server, and not just the client, decides what an account may do). So I moved on to analyzing the JavaScript file.
I found some interesting paths and tried to access them directly.
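Pulling route and endpoint strings out of a front-end bundle is the step the paragraph above glosses over, so here is an added example (my own code, not from the write-up) that extracts path-like string literals from a JavaScript file and separates client-side routes from API endpoints. The JavaScript fragment is constructed for the example and only resembles the situation described; the `/api/` prefix used to tell routes from endpoints is a heuristic assumption.

```python
import re

# Constructed fragment in the style of a minified single-page-app bundle. The route
# table and API call are hypothetical, written to resemble the situation in the write-up.
JS_SAMPLE = r'''
const r=[{path:"/login",component:L},{path:"/register",component:R},
{path:"/manager/settings",component:S,meta:{requiresAdmin:!0}}];
function save(id,p){return fetch("/api/v1/users/"+id,{method:"PUT",
body:JSON.stringify({status:p.status,role:p.role})})}
var logo="/static/logo.png",ratio=a/b,greet='hello world';
'''

# A quoted string that begins with "/" and continues with URL-safe characters.
PATH_RE = re.compile(r'''["'](/[A-Za-z0-9_./:-]+)["']''')

# Paths with these suffixes are assets, not endpoints worth probing by hand.
STATIC_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".css", ".js",
                   ".woff", ".woff2", ".ttf", ".map")


def extract_paths(js_text):
    """Return every distinct path-like string literal in the bundle, static assets excluded."""
    found = set()
    for m in PATH_RE.finditer(js_text):
        p = m.group(1)
        if p.lower().endswith(STATIC_SUFFIXES):
            continue
        found.add(p)
    return sorted(found)


def classify(paths):
    """Split paths into client-side routes and backend API endpoints (heuristic: '/api/' prefix)."""
    routes = [p for p in paths if not p.startswith("/api/")]
    api = [p for p in paths if p.startswith("/api/")]
    return {"routes": routes, "api": api}


if __name__ == "__main__":
    paths = extract_paths(JS_SAMPLE)
    for kind, items in classify(paths).items():
        print(kind)
        for p in items:
            print("  ", p)
```

The routes list is what you open directly in the browser (as the write-up does next); the api list is what you replay with your own session to see whether the server checks anything the front end merely hides.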
And guess what? I gained access to this path: /manage/settings. The full URL was:
https://uber.root.io/#/manager/settings
Note the # in the URL: this is a client-side route, so the admin page was hidden only by the front end's routing. Whether the server enforces anything is decided by the API calls that page makes, which is what the next steps test.
The first thing I did was navigate to User Management to check my account, then click Manage.
As you can see, the status was inactive and the role was empty. I activated my account and assigned it the admin role.
Then I logged back in, and guess what? I had admin privileges and full control of the panel! In other words, the approval step existed only in the UI: the user-management API accepted a status and role change from an account that had never been approved.
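The root cause is a missing server-side authorization check, so here is an added example (my own code, not the application's actual backend, which the write-up does not show) modelling the user-management handler in the form the write-up implies and beside it the hardened form. The user store, field names and the `Forbidden` exception are all constructed for the example; `self_escalates` replays the write-up's exact step, an unapproved account activating itself and taking the admin role, against each handler.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested change."""


@dataclass
class User:
    username: str
    status: str = "inactive"   # stays "inactive" until an admin approves the account
    role: str = ""             # stays empty until an admin assigns one


def make_store():
    """Constructed user table: one real admin and one self-registered account awaiting approval."""
    return {
        "admin": User("admin", status="active", role="admin"),
        "newuser": User("newuser"),
    }


def update_user_vulnerable(users, caller, target, status=None, role=None):
    """Model of the behaviour the write-up implies: the only check is a valid session.
    Hiding the /manager/settings route in the front end did nothing for the API behind it."""
    if caller not in users:
        raise Forbidden("not authenticated")
    u = users[target]
    if status is not None:
        u.status = status
    if role is not None:
        u.role = role
    return u


def update_user_fixed(users, caller, target, status=None, role=None):
    """Hardened handler: the server decides who is allowed, and it decides on every request."""
    actor = users.get(caller)
    if actor is None:
        raise Forbidden("not authenticated")
    if actor.status != "active":
        raise Forbidden("account not yet approved")
    if actor.role != "admin":
        raise Forbidden("admin role required")
    if target == caller and role is not None and role != actor.role:
        raise Forbidden("admins may not change their own role")
    if target not in users:
        raise KeyError(target)
    u = users[target]
    if status is not None:
        u.status = status
    if role is not None:
        u.role = role
    return u


def self_escalates(handler):
    """Replay the write-up's step: the unapproved account activates itself and takes the admin role.
    Returns True if the handler let it through."""
    users = make_store()
    try:
        handler(users, "newuser", "newuser", status="active", role="admin")
    except Forbidden:
        return False
    u = users["newuser"]
    return u.status == "active" and u.role == "admin"


if __name__ == "__main__":
    print("vulnerable handler lets newuser become admin:", self_escalates(update_user_vulnerable))
    print("fixed handler lets newuser become admin:", self_escalates(update_user_fixed))
    users = make_store()
    update_user_fixed(users, "admin", "newuser", status="active", role="viewer")
    print("admin approving newuser:", users["newuser"])
```

The fixed handler checks three things the vulnerable one skips: that the caller's own account is active, that the caller holds the admin role, and that nobody changes their own role. All three have to live in the API, because anything the front end enforces can be bypassed by typing the route or replaying the request.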
In conclusion, I hope everyone found value in reading my write-up. Thank you, and I wish you all the best in your own security explorations!