Pwning Half a Dozen Admin Panels & User Management Apps and Reporting 9–10 P1s in a Day.

Sudhanshu Kumar Kashyap
3 min read, Aug 22, 2022

Ok, so as complicated as the title looks, the write-up is just the opposite and is very simple.

Sometimes we tend to make things complicated while they are easy and lying straight under our eyes. Ok, enough of the lecture, let's just jump straight into the write-up and the exploitation.

So I would say: make Shodan your best friend, the best friend you go to first every time. Whenever I see a target I go to Shodan first, just to get an idea of how big the target is. You can use simple searches there for finding login panels and admin panels.

So there was a private program I wanted to hunt on. As usual I started from Shodan and ended up with a lot of IP addresses. One by one I started visiting each of the IP addresses. I saw a few user management applications hosted there, which manage all the internal employees of the company all over the world, and they show up on Shodan with a name like (usr mgmt). I clicked on one of them and got nothing, just a blank page. No issue, I have seen this a thousand times before. I started opening the other panels as well; there were a lot of remote login portals. But the issue was the same with all of them: when you open them, the page loads, but it is a plain page with no option to log in.

I noticed that they are actually using a service for hosting their login panels. I searched a little bit about the service provider but couldn't get anything solid. But I had this feeling that I might be missing something, and also wondered why every page opened the same way with nothing on it. I decided to go through the request bodies present on Shodan, and all of them were 200 OK, which means I was the one missing something. So I went back to the IP and started changing the ports. I tried 80, 8008 and 8080, and also used nmap.

In the nmap scan I found out that port 8443 was open as well. I quickly tried that port with the IP address and then BOOM… I could see the admin login page hosted there on 8443. But just finding the login page is not enough, right?

Here comes the power of default credentials. Default credentials are set by badass gangsta admins, the admins who think "who else will ever get to see my portal, it is for me only." They have no idea that there is a bigger gangster sitting out there, and it is called Shodan. Remember the name… Shodan…

It took me 30 seconds and I was inside the admin account with access to a lot of critical data. Using the default credentials I pwned around 8 admin panels in the next 15–20 minutes. After pwning them I remembered there were user management apps too, and a thought came to my mind: what if the same gangster admin is running those user management apps?

Let's confirm it. I opened the user management app by the same trick of changing ports, but there was no option to log in. I kept going here and there, adding /login or /admin/login, but no luck. Then I scrolled to the extreme right of the page and saw 3 dots there. I clicked on the dots and found out that by default I was already logged in to the application as anonymous, with no data. Then I logged out using the 3 dots, and I was shocked, literally shocked by what I saw next. When I tried to log in again, the application itself asked me whether I wanted to log in as a normal user or as admin, and if I wanted to log in as admin, the password is Admin… I was like WTF…

Times have changed, feelings have changed, criticality has changed, but the damn password is still the same (Admin).

I logged in using (Admin:admin), and this is how I hacked another 2 of the user management apps, where I could have added anyone as super admin, could have deleted every single user, and a lot more. This is how I reported almost 9–10 P1s in a day.
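The two failure modes above (an admin account still on the vendor default, and a user management app that hands out an anonymous session without any login) are exactly what an internal self-audit should catch before Shodan does. The following is an added example, not the author's code or any vendor's tool: it checks a constructed service inventory against known default passwords and the auto-login flag, and rates the result the way the write-up does (P1 when the panel is internet-facing). The PBKDF2 hash scheme, the inventory fields and the 203.0.113.x addresses are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
# Vendor defaults the audit looks for; the write-up found "Admin"/"admin".
DEFAULT_PASSWORDS = ("admin", "Admin", "password", "")

@dataclass
class ExposedService:
    host: str                # constructed sample address (RFC 5737 range)
    port: int
    kind: str                # "admin-panel" or "user-mgmt"
    internet_facing: bool
    admin_user: str
    salt: bytes              # per-account salt from the app's user table (assumed)
    pw_hash: bytes           # PBKDF2-SHA256 of the admin password (assumed scheme)
    anonymous_autologin: bool  # app hands out a session without any login

def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def has_default_password(svc: ExposedService) -> bool:
    """True if the stored admin hash matches any known vendor default."""
    return any(pbkdf2(p, svc.salt) == svc.pw_hash for p in DEFAULT_PASSWORDS)

def audit(services):
    """Return (host, port, severity, finding) tuples; P1 is the case in the post."""
    findings = []
    for s in services:
        if has_default_password(s):
            sev = "P1" if s.internet_facing else "P3"
            findings.append((s.host, s.port, sev, "default admin password"))
        if s.anonymous_autologin:
            findings.append((s.host, s.port, "P2", "anonymous session by default"))
        if s.internet_facing and s.port != 443:
            findings.append((s.host, s.port, "info", "admin service on non-standard port"))
    return findings

def sample_services():
    """Constructed inventory: one panel still on Admin/admin, one rotated."""
    s1, s2 = b"salt-1", b"salt-2"
    return [
        ExposedService("203.0.113.10", 8443, "admin-panel", True, "Admin",
                       s1, pbkdf2("admin", s1), False),
        ExposedService("203.0.113.11", 8443, "user-mgmt", True, "admin",
                       s2, pbkdf2("rotated-long-passphrase-2022", s2), True),
    ]

if __name__ == "__main__":
    for finding in audit(sample_services()):
        print(*finding)
```

The check runs offline against the app's own user table, so it needs no login attempts against the live panel.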

Thanks for reading
