Hello there, I am Krishna Agarwal (Kr1shna 4garwal) from India 🇮🇳, an ordinary bug hunter and so-called security researcher :)
Let me tell you how I found my first “valid”, interesting, critical vulnerability on a vulnerability disclosure programme. I hope you will learn something new from this write-up :)
Note: throughout this write-up, domain.tld stands in for the real target domain.
One day I was hunting on a public vulnerability disclosure programme that offers a Hall of Fame for valid submissions. It was a medium-sized scope (*.domain.tld), so I started my private recon script (I’m mentioning only about 5% of it in this write-up).
Commands (taken from my private recon script):
subfinder -d domain.tld -all -o .temp/subfinder.txt
sublist3r -d domain.tld -e baidu,yahoo,google,bing,ask,netcraft,threatcrowd,ssl,passivedns -o .temp/sublist3r.txt
findomain -t domain.tld | sort -u | tee -a .temp/findomain.txt
assetfinder --subs-only domain.tld | tee -a .temp/assetfinder.txt
amass enum --passive -d domain.tld -o .temp/amass.txt
This gave me 594 subdomains.
After this I combined all the results, deduplicated them, and passed them to httpx:
cat .temp/*.txt | sort -u | grep -i domain.tld | tee -a all.txt
cat all.txt | httpx -silent -ports 80,443,3000,8080,8000,8081,8008,8888,8443,9000,9001,9090 | tee -a alive.txt
After httpx I got a total of 684 probed subdomains (host:port entries).
Now I started nuclei with my custom templates in the background and opened all the subdomains in my Burp-proxied browser (50 subdomains per window). While visiting each subdomain I found many that returned 403; to bypass all these shi**y forbidden subdomains I started 4-zero-3 in the background, but no luck :(
The other subdomains that returned 200 OK were featureless (no signup, login, etc.), so I left them for later.
If you noticed, I ran httpx against a list of ports, and some hosts had 8080, 8443, 9090 and 8081 open. While checking the subdomains with those ports (subdomain.domain.tld:<PORT>), I found one subdomain very interesting: it was running RavenDB on port 8080 with no authentication :)
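To make the combine-dedupe-probe step and the port triage above concrete, here is a small added shell example (mine, not from the write-up's private recon script). It stands in for the recon tools with constructed sample files and replaces the plain `grep -i domain.tld` scope filter with a stricter one that accepts only domain.tld and its subdomains, because the loose filter also keeps look-alike hosts such as domain.tld.evil-example.net that are outside the programme's scope. It then picks out the probed entries on non-standard ports, which is exactly how the RavenDB host stood out. The file names, sample hosts and the helper names in_scope_hosts and nonstandard_port_hosts are all my own.

```shell
#!/bin/sh
# Added example, not from the write-up's private recon script.
# Merges per-tool subdomain lists, applies a strict scope filter, and
# lists probed hosts that answer on a non-standard port.
# All input data below is constructed for the example.

WORK="${TMPDIR:-/tmp}/recon-example.$$"
mkdir -p "$WORK/.temp"

# Constructed stand-ins for subfinder/assetfinder output (mixed case and
# look-alike hosts included on purpose).
cat > "$WORK/.temp/subfinder.txt" <<'EOF'
www.domain.tld
db.domain.tld
DB.domain.tld
EOF
cat > "$WORK/.temp/assetfinder.txt" <<'EOF'
api.domain.tld
domain.tld.evil-example.net
notdomain.tld
EOF

# Constructed stand-in for alive.txt as httpx writes it (scheme://host[:port]).
cat > "$WORK/alive.txt" <<'EOF'
https://www.domain.tld
http://db.domain.tld:8080
https://api.domain.tld:443
https://api.domain.tld:8443
EOF

# in_scope_hosts SCOPE FILE... : lowercase, dedupe, and keep only SCOPE itself
# or hosts ending in ".SCOPE". A plain `grep -i domain.tld` would also keep
# domain.tld.evil-example.net and notdomain.tld, which are out of scope.
in_scope_hosts() {
    scope=$1; shift
    pattern="(^|\\.)$(printf '%s' "$scope" | sed 's/\./\\./g')\$"
    cat "$@" | tr 'A-Z' 'a-z' | sort -u | grep -E "$pattern"
}

# nonstandard_port_hosts < URLS : print host:port for every URL whose port is
# not 80 or 443; these are the entries worth a manual look.
nonstandard_port_hosts() {
    while IFS= read -r url; do
        hostport=${url#*://}       # strip the scheme
        hostport=${hostport%%/*}   # strip any path
        case "$hostport" in
            *:*) port=${hostport##*:} ;;
            *)   continue ;;       # no explicit port, so it is 80/443 by default
        esac
        case "$port" in
            80|443) ;;
            *) printf '%s\n' "$hostport" ;;
        esac
    done
}

# Stand-alone run: show both results.
echo "In-scope hosts:"
in_scope_hosts domain.tld "$WORK"/.temp/*.txt
echo "Probed hosts on non-standard ports:"
nonstandard_port_hosts < "$WORK/alive.txt"
```

The same two functions work unchanged on real tool output: point in_scope_hosts at the .temp/*.txt files the recon commands produce and feed nonstandard_port_hosts the alive.txt that httpx writes. The scratch directory under $TMPDIR is left in place so you can inspect the sample files; remove it when you are done.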
What is Raven DB?
→ RavenDB is an open-source fully ACID document-oriented database written in C#, developed by Hibernating Rhinos Ltd. It is cross-platform, supported on Windows, Linux, and Mac OS. RavenDB stores data as JSON documents and can be deployed in distributed clusters with master-master replication.
In short: RavenDB is an open-source NoSQL database.
So when I opened subdomain.domain.tld:8080 in my browser, RavenDB’s web interface loaded with no authentication at all. I was able to change settings, dump the full database, view the system configuration and delete databases (obviously I don’t have permission to do that).
I quickly wrote a professional, detailed report and sent it to the security team :)
Later I also found anonymous FTP, XSS and some common misconfigurations on the same target. That was enough for me, so I stopped hunting on that target.
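For the defending side, here is what the exposed state looks like in a RavenDB server's settings.json next to a hardened one. This is an added example, not configuration from the write-up or from the affected target. The key names (ServerUrl, PublicServerUrl, Setup.Mode, Security.UnsecuredAccessAllowed, Security.Certificate.Path) are from my recollection of the RavenDB 4.x+ server configuration reference, so verify them against the documentation for the version you run; the hostnames and certificate path are placeholders.

```jsonc
// WEAK (added example, not from the write-up): the server listens on every
// interface over plain HTTP and explicitly allows unauthenticated access from
// public networks. This is the state the write-up found on port 8080: anyone
// who can reach the port can read, change or delete data.
{
  "ServerUrl": "http://0.0.0.0:8080",
  "Setup.Mode": "Unsecured",
  "Security.UnsecuredAccessAllowed": "PublicNetwork"
}

// HARDENED (added example): run in secured mode with a server certificate, so
// the server speaks HTTPS and requires client certificates for every request,
// and do not allow unsecured access from any network.
{
  "ServerUrl": "https://0.0.0.0:443",
  "PublicServerUrl": "https://db.example.internal",
  "Setup.Mode": "Secured",
  "Security.Certificate.Path": "/path/to/server-cert.pfx",
  "Security.UnsecuredAccessAllowed": "None"
}
```

The configuration is only half of the fix: a database admin port should not be reachable from the internet at all, so restrict it at the firewall or security group as well. Owners can catch this class of exposure themselves by running the same kind of port-aware probe shown earlier in the write-up against their own ranges and reviewing every host that answers on a management port.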
Update (12:22 AM, 19 July 2022):
Shodan dork for finding RavenDB instances: http.favicon.hash:442225173
Takeaway: want to speed up your Nmap scan? Use this command:
nmap 127.0.0.1 -sS -sV -Pn -n --max-rate 1000 --open -p 21 -oN Active_21.txt
(-Pn skips host discovery, -n skips DNS resolution, --max-rate caps the packets sent per second and --open reports only open ports.)
Tip: don’t forget to scan commonly open ports like 21, 22, 3000, 8080, 8000, 8081, 8008, 8888, 8443, 9000, 9001 and 9090.
From Infosec Writeups: A lot is coming up in the Infosec every day that it’s hard to keep up with. Join our weekly newsletter to get all the latest Infosec trends in the form of 5 articles, 4 Threads, 3 videos, 2 Github Repos and tools, and 1 job alert for FREE! https://weekly.infosecwriteups.com/