How I Got a $1000 Bounty From X-Company (RCE + Authentication Bypass)

by Rajsec
August 20, 2024

Hello all, Raj here! I’m back with some interesting findings.

I know it’s been a while since my last writeup—been busy with some good projects and learning new things. But without further delay, let’s dive right in.

Introduction:

Bug bounty programs provide a unique opportunity to explore the depths of cybersecurity, presenting challenges that often lead to intriguing discoveries. Recently, during my active engagement in testing, I uncovered a Remote Code Execution (RCE) + authentication bypass vulnerability (CVE-2023-46747) in a top company (due to their policy, I won’t reveal the name, so let’s just call it X-company).

Let’s go…

On May 16, 2024, I disclosed a vulnerability I identified on an internal IP owned by X-company. This was part of their Bug Bounty program, where rewards are given for finding security vulnerabilities. I discovered an authentication bypass vulnerability in X-company’s F5 BIG-IP. The vulnerability has a critical severity rating with a CVSS score of 9.8. Successful exploitation could allow an attacker to perform remote code execution on the target system.

My Methodology:

“Reconnaissance is the initial step in bug hunting.”

  1. I started by gathering the in-scope domains.
  2. Then I kicked off active and passive subdomain enumeration using various tools. For passive subdomain enumeration, I used Subfinder with API keys from different services like Shodan, Censys, Chaos, GitHub, Sublist3r, etc. For active subdomain enumeration, I used the Best DNS Wordlist from the Assetnote Wordlist.
  3. I ended up identifying around 10,889 subdomains and IPs.
  4. The next step was filtering out live domains based on their status codes.
  5. I quickly identified the internal IP with the F5 BIG-IP and confirmed it using Wappalyzer.
  6. Here’s where the actual journey begins.

Recently, I came across the F5 BIG-IP Unauthenticated Remote Code Execution Vulnerability (CVE-2023-46747).

CVE-2023-46747 is a critical vulnerability that allows undisclosed requests to bypass configuration utility authentication, enabling an attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.

Geared up, I discovered an endpoint (/mgmt/tm/util/bash) that was vulnerable to CVE-2023-46747.

This vulnerable endpoint (/mgmt/tm/util/bash) allows an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands.
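A defender-side illustration, added here and not part of the original writeup: a small Python detector that walks management-plane access logs and flags every request to the /mgmt/tm/util/bash endpoint named above, rating a successful request with no authenticated user recorded as critical (the log-side signature of an authentication bypass) and an authenticated request from outside the admin allowlist as high. The log format, the 10.0.5.0/24 admin allowlist and the sample log lines are constructed assumptions, not real BIG-IP output.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in a combined-log-like format; these are
# not real BIG-IP logs, only the shape needed to show the detection logic.
SAMPLE_LOG = """\
10.0.5.20 - admin [20/May/2024:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5120
10.0.5.20 - admin [20/May/2024:10:02:40 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 312
203.0.113.77 - - [20/May/2024:10:03:05 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 289
203.0.113.77 - - [20/May/2024:10:03:06 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 0
"""

# Assumed allowlist of networks from which administrators manage the device.
ADMIN_NETS = [ip_network("10.0.5.0/24")]

# The iControl REST endpoint named in the writeup; every hit runs a shell command.
SHELL_ENDPOINT = "/mgmt/tm/util/bash"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(ip, user, status, admin_nets=ADMIN_NETS):
    """critical: succeeded with no authenticated user recorded (bypass signature);
    high: authenticated but from outside the admin allowlist; info: expected use."""
    if user == "-" and status == 200:
        return "critical"
    if not any(ip_address(ip) in net for net in admin_nets):
        return "high"
    return "info"


def detect_shell_endpoint_use(log_text, admin_nets=ADMIN_NETS):
    """Return one finding per request to SHELL_ENDPOINT, rated by classify()."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["path"].split("?", 1)[0] != SHELL_ENDPOINT:
            continue
        status = int(m["status"])
        findings.append({"ip": m["ip"], "user": m["user"], "time": m["ts"],
                         "method": m["method"], "status": status,
                         "severity": classify(m["ip"], m["user"], status, admin_nets)})
    return findings
```

On the constructed sample, the detector reports the admin's own use as info and the unauthenticated successful POST from 203.0.113.77 as critical; exposing the management port only to the allowlisted networks removes the high and critical cases at the source.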

Once I confirmed the vulnerability, the next task was to find a proper exploit. There are many exploit scripts available, but several give false positives. So, I opted for an exploit using a Nuclei template, and this approach worked effectively.

Exploit Process for Remote Code Execution (RCE) and Authentication Bypass:

=> First, I ran a Nuclei scan and waited for the results.

=> BOOM…! RCE is working—I got the system ID, username, and password.

=> Next, I decided to increase the impact by exploiting the authentication bypass.

=> So, I navigated to the $ip/mgmt/tm/util/bash site, entered the username and password, and BOOM! I was redirected to the F5 BIG-IP admin panel on the internal network.

After that, I reported this issue through their Bug Bounty Program.

X-company has since fixed the issue, and I want to commend them for their responsiveness. This is an excellent example of a company that takes security seriously and rewards those who help them identify and fix issues.

Timeline:

  • May 2024—Submitted bug report.
  • May 13, 2024—X-company marked it as triaged.
  • May 14, 2024—They verified the vulnerability and began the fixing process.
  • May 16, 2024—Marked as resolved, and the bounty 💸 was awarded.

I hope this inspires you.

Thanks for reading! 🙂
