Hello Infosec Community myself Basavaraj, this my 2nd writeup, the first one is about Hacking scammers(click here to read), I seen many people getting hall of fames and bounties from google vrp , I thought why should I give a try and successfully got 4 duplicate(and any beginners reading this don't change change your mind when you got dups because it's common for everyone) and started hunting on an acquisition called owl chemylabs (Note: If you are started take acquisition as target please check whether it is solded by google or not first, because you will get acquired information first, rather than solded ,if it is solded then its not google acquisition).
I will not do any recon automation while hunting, I will check everything manually leaving subdomain enumeration and fuzzing, First enumerated all live subdomains and started looking it one by one and a day wasted successfully without getting anything, Next day in shodan I found a target belong to owlchemylabs example search query ssl:target.com 200
Got two 2 targets having an Login page with title Plastic SCM, Now Opened one link
Plastic SCM: https://en.wikipedia.org/wiki/Plastic_SCM
Now I got this login panel , Now i tried what every bug hunter tries(checked for default creds,js files,sqli etc) but Got nothing but noticed one thing i.e when I add any password and click on login the URL Changes to https://35.244.187.233/account/login then i removed login in url and added register i.e https://35.244.187.233/account/register Boooom Got an password reset page (This page is occurs when they successfully configure Plastic SCM server and the last step is setting password)
And I set password as admin and successfully logged in into server.
And Got, SSL Pfx password and mysql password and i was able to add users and delete users. And i quickly made an POC and reported to google
I tried to increase impact and got nothing that day, and after 3 days also I didn’t got any reply from google and bug is also not accepted , and I am worried too on this report. Now again I started recon on that target and after researching 3 Hours on the target i came across an endpoint https://35.244.187.233/webui/repos that holds private repository codes, after going to that endpoint i got another login page
Now i tried to login as administrator because i know administrator password but login failed, tried default credentials and sqli and bruteforced login page and this also failed and then i remembered that i came across some users on the server while i logged in as administrator
Now guess what now i have taken one user who having admin permission and changed his password because i am an administrator.
and again gone to https://35.244.187.233/webui/repos this time i used the username and password which i changed recently and tried logging in guess what?
successfully logged in to private code repository having 145 Repositories ,And now suddenly added this comment and got reply from the google vrp within an hour
And now i felt so happy, And it was an acquisition i got rewarded $$$
Now I thinked about how to get targets using the same product now i crafted an shodan search query i.e title:”Plastic SCM” (Don’t search now because no targets are there to report😂)and Got two URLs belongs to the one target and they are vulnerable too, they have bug bounty program too and i reported them and they have given an private invite of their program, and they said to report it but they have limited scope only and these two URLs are out of scope and it was critical vulnerability so they marked it as P1 and and waiting for bounty.
Moral of the story : If you got any low level issues please try to increase impact as much as possible by giving much time to that bug.
Google Reported Timeline
Reported: May 16, 2021
Accepted : May 20, 2021
Rewarded: May 25, 2021
Fixed: Jun 7, 2021
Follow me on.
Twitter : https://twitter.com/basu_banakar
Instagram: https://www.instagram.com/basu_banakar/
Website : https://www.basubanakar.com/