Weak credentials lead to access to admin panel (Deep Recon)

4 min read · Jun 25, 2025

In the name of God, the Most Gracious, the Most Merciful

While doing my usual bug bounty recon, I came across an interesting asset that I hadn’t seen before. I wasn’t actively targeting a specific subdomain — I was just digging deep like I always do, trying to find forgotten or hidden parts of the target’s infrastructure.

What started as a simple login page turned out to be something much more impactful. Using weak credentials, I was able to gain full access to the admin panel, which exposed a wide range of internal functionalities and sensitive data.

This write-up walks through how I got there — from keyword-based recon all the way to full admin access.

Reconnaissance Process

As part of my daily recon routine, I perform deep reconnaissance on the company I’m testing by collecting brand-related keywords. For example, if I were targeting BMW, I would gather variations like:
bmw, mini, bmw-, mini-, rolls-royce, etc.

Once I have a solid list of keywords, I use tools and platforms that support keyword-based searches. One of the most useful tools for this purpose is SecurityTrails, which allows keyword-based subdomain discovery.

During my keyword-based search, I discovered a domain I had never encountered before. I opened the site and was greeted with a login page that displayed the company’s official logo — confirming that this domain is legitimately part of the target’s infrastructure.

This concluded the reconnaissance phase and confirmed that the asset belongs to the company.

Vulnerability Discovery:

After finishing the recon phase, I moved on to actual testing. I first checked the page source, tried Wayback URLs, Google Dorks, and even alternative search engines, but nothing useful showed up. I also tried a few basic SQL injection payloads just in case — no luck there either.

At this point, I decided to try something I don’t usually do (because I personally didn’t believe in it much before… not anymore 😅). I went for manual user enumeration.

I started by testing usernames directly in the login form:

  • Trying admin returned: "Your password is incorrect"
  • Trying random usernames like rood gave: "Username not found"

This confirmed that admin is a valid username on the system.

Brute Force Attack:

Once I confirmed admin existed, I launched a brute-force attack using Burp Suite Intruder and a basic password list — the well-known Pwdb_top-1000.txt from SecLists.

While the attack was running, I stepped away from my machine and completely forgot it was still in progress.

Later that day, I revisited the site and — out of curiosity — tried accessing the login path on port 8080, which I hadn’t tested before. To my surprise, the admin dashboard opened directly without asking for login.

I was confused at first, but then realized Burp Intruder must have found a valid password earlier. I checked the results and saw that one request returned a different status/response — the password was: hello1

Boom — I now had valid admin credentials:
admin : hello1

Impact

Once authenticated as an admin user, I gained full access and control over the entire backend system, including:

  1. User Management — Ability to view all users and change their passwords.
  2. Consulting Center — Access to customer support data containing Personally Identifiable Information (PII).
  3. Requests Management — Full visibility and control over incoming and internal system requests.
  4. Reports and Statistics — Access to internal reports, analytics, and the ability to export sensitive business data.
  5. Logistics and Inventory — Full control over product data, stock, orders, inventory processes, and shipments.
  6. System Logs — Access to server-side logs which may contain sensitive internal activity or error data.

In a real-world attack scenario, an adversary could:

  • Steal sensitive customer information.
  • Tamper with reports or analytics.
  • Disrupt the company’s logistics and inventory.
  • Completely compromise internal business operations.

This level of access clearly meets your “High Impact” category, especially considering the exposure of PII and administrative-level control.

Conclusion

This vulnerability demonstrates how a small misstep — like relying on weak admin credentials — can lead to a complete compromise of a system. Through persistent recon and a bit of luck, I was able to escalate from a simple login page to full admin access with total control over sensitive user data, internal processes, and system functionality.
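Both behaviours this finding depended on, a different error message for valid and invalid usernames and an unlimited number of password guesses, can be closed in the login handler itself. The sketch below is an added example, not code from the affected application or from the original report; `LoginService`, the in-memory stores and the threshold values are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

GENERIC_ERROR = "Invalid username or password"  # same text for every failure
MAX_FAILURES = 5        # assumed threshold, tune per policy
LOCKOUT_SECONDS = 900   # assumed lockout window

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, password hash)
        self._failures = {}  # submitted username -> (count, time of first failure)
        self._clock = clock
        # Dummy credentials so unknown usernames cost the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def _locked(self, username: str) -> bool:
        count, since = self._failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES and self._clock() - since < LOCKOUT_SECONDS:
            return True
        if count and self._clock() - since >= LOCKOUT_SECONDS:
            self._failures.pop(username, None)  # window expired, start fresh
        return False

    def login(self, username: str, password: str):
        # Throttle on the submitted name whether or not the account exists,
        # so the lockout itself does not reveal which usernames are valid.
        if self._locked(username):
            return False, GENERIC_ERROR
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        # Constant-time comparison; unknown users are checked against the dummy hash.
        match = hmac.compare_digest(_hash(password, salt), stored)
        if match and username in self._users:
            self._failures.pop(username, None)
            return True, "OK"
        count, since = self._failures.get(username, (0, self._clock()))
        self._failures[username] = (count + 1, since)
        return False, GENERIC_ERROR
```

A production deployment would keep the failure counters in a shared store with expiry and would also reject passwords found in common wordlists at the time they are set.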