Default Credentials, P1 with $$$$ Reward in a Bug Bounty Program
2023-11-27 02:37:57 Author: infosecwriteups.com

jedus0r

InfoSec Write-ups

Hello dear hunters, I hope you’re doing great. It’s been over a year since my last publication, about Insecure Direct Object References.

In this post, I’ll delve into the technical details of how I discovered a critical “Default Credentials” vulnerability (P1) in a bug bounty program in under 30 minutes.

Note: Vulnerabilities are assessed and then categorized from P1 (most severe) to P5 (least severe), which determines how much an organization should reward the researcher who reported it.

If you’re wondering whether the default credentials vulnerability means using ‘admin:admin’ or something similar as login:password on a computer system, then the answer is: yes.

The reasons for using default credentials can be varied.

  1. Lack of Awareness: The developer/sysadmin might not be aware of the importance of changing default passwords, and may not realize that the device or system they’ve acquired comes with default credentials.
  2. Assumption of Security: There’s a misconception that the system comes pre-configured with secure credentials, leading the developer/sysadmin to believe that there’s no urgent need to change them, especially when there is a rush to launch the project very quickly.
  3. Complexity: If I change the password after launching the project, what will the consequences be for my infrastructure? Changing passwords can be perceived as a complex task, leading them to postpone or neglect this critical security step.

The day before, I had sent a vulnerability report on the company’s main site; it was accepted by the bug bounty platform, but the client closed the report as a “false positive”.

So I decided to expand my attack perimeter.

Here we go with subdomain enumeration: using different tools, I get a list of several dozen websites.

I open all the sites one by one in my browser with an “open multiple URLs” extension. (I know we could use aquatone for that, but I prefer to do it manually and get a first visual impression of each website.)

And one website in particular catches my attention.

A user login form was present. I quickly tried several vectors, such as SQL injection login bypass and default credentials, but nothing worked. Worse, my IP was banned by the Web Application Firewall within a few minutes.

So I changed my IP address via my VPN before resuming the investigation.

OK, now let’s check which technologies this website uses.

In the application’s source code, I stumbled upon a noteworthy discovery.

Within the application’s source code, we uncovered references to two JavaScript files linked to an e-commerce platform called “INTERSHOP”, hinting at the technology employed by the website.

Inspecting the “robots.txt” file revealed yet another reference to “INTERSHOP”, strengthening the indication that the site runs on this e-commerce platform.

Now the questions in my mind are:

Can I find an information disclosure on the website? This means exploring the site thoroughly, diving into URLs, endpoints, and directories to spot any inadvertent leaks.

Can I find an admin panel? Upon discovering an admin panel, we might attempt to gain access, employing various methods to test its security measures and determine whether unauthorized entry is possible.

Has Intershop been associated with any CVEs? This helps pinpoint known vulnerabilities that we could use and report.

To answer some of these questions, I need more information on the target and on the INTERSHOP e-commerce platform.

Utilizing the Wayback Machine was my initial approach, but unfortunately, it didn’t yield further insights or information regarding the admin panel or related details.

Regarding INTERSHOP, is there more information available on their website or within their documentation that we could access?

Let’s google it.

BINGO: “Accessing Intershop Organization Management”. OK, yeah, that’s what we are looking for…

They explain where and how to connect to the admin panel of their INTERSHOP application:

Enter a URL with the following syntax:

http://<SYSTEM.HOST>/INTERSHOP/web/WFS/SLDSystem where <SYSTEM.HOST> is either the IP or DNS name of the machine hosting the Intershop Web Server.

Log in to the Operations site as administrator.

In a default Intershop Commerce Management installation, use the following credentials:

Login: admin

Password: !InterShop00!

Organization: Operations
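The documentation above shows why a documented default is dangerous: anyone can look it up. The following is an added example (not code from the write-up or from Intershop) of a pre-deployment gate that refuses an administrative account still carrying a vendor default. The only vendor default it knows is the one quoted above (admin / !InterShop00! / Operations); the other entries, the 14-character minimum and the sample accounts are constructed assumptions for this example.

```python
"""Pre-deployment gate for an administrative account against vendor defaults.

Added example, not code from the write-up or from Intershop. The only vendor
default it knows is the one the post quotes from Intershop's documentation
(admin / !InterShop00! / Operations); the other entries and the length
threshold are this example's own constructed assumptions.
"""
import hmac
from typing import List

# (login, password) pairs that must never reach production.
KNOWN_DEFAULTS = {
    ("admin", "!InterShop00!"),  # Intershop Commerce Management default (quoted above)
    ("admin", "admin"),          # generic, constructed
    ("admin", "password"),       # generic, constructed
    ("administrator", "admin"),  # generic, constructed
}
DEFAULT_ADMIN_LOGIN = "admin"
DEFAULT_ORGANIZATION = "Operations"  # the default organization quoted above
MIN_PASSWORD_LENGTH = 14             # assumption for this example


def matches_known_default(login: str, password: str) -> bool:
    """True if login/password is a documented vendor default or a generic one.

    The login is compared case-insensitively with surrounding whitespace
    removed; the password is compared in constant time so the gate itself does
    not leak which candidate matched.
    """
    login_norm = login.strip().lower()
    return any(
        login_norm == default_login
        and hmac.compare_digest(password.encode(), default_password.encode())
        for default_login, default_password in KNOWN_DEFAULTS
    )


def audit_admin_account(login: str, password: str, organization: str) -> List[str]:
    """Return findings for the account; an empty list means it passes the gate."""
    findings = []
    if matches_known_default(login, password):
        findings.append("password is a known vendor or generic default")
    if login.strip().lower() == DEFAULT_ADMIN_LOGIN and organization == DEFAULT_ORGANIZATION:
        findings.append("documented default login 'admin' in the default 'Operations' organization")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the documented default and a renamed, long-password account.
    for account in [("admin", "!InterShop00!", "Operations"),
                    ("ops-lead", "correct-horse-battery-staple-2023", "Operations")]:
        print(account[0], audit_admin_account(*account) or ["OK"])
```

Run it from the deployment pipeline and fail the build on any finding; extend KNOWN_DEFAULTS with the defaults of every platform in your inventory. Locking the admin path down at the network layer (VPN or allow-listed source IPs) is the complementary control, since the path itself is also public knowledge.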

Armed with this newfound knowledge, I revisited the website and initiated further exploration and testing.

  • I first complete the URL with /INTERSHOP/web/WFS/SLDSystem, e.g. https://redacted.com/INTERSHOP/web/WFS/SLDSystem (this is the admin panel path).
  • I paste Operations in the Organization field.

I attempted to access the admin panel by entering the documented login:password combination.

Every hunter will understand me on these points:

  • We enter a password on a system that does not belong to us, full of expectation, without knowing if it will work.
  • Everything can stop there if it doesn’t work.
  • You know it’s two or three seconds of waiting before finding out whether we’ll get “incorrect username/password”.
  • Or maybe we will be redirected and connected as Administrator, and potentially obtain a huge reward.

Well, we are now connected as administrator in the INTERSHOP admin panel, with full read and write privileges, which grants control over, and access to, all client data within the system.

The impact of this vulnerability, had a malicious hacker found it before us, could have been the following:

  1. Data Breaches: Once inside, they may have access to sensitive information, such as user data, financial records, or proprietary information, leading to potential data breaches.
  2. System Manipulation: With admin access, they can manipulate settings, alter configurations, or even disrupt the system’s functionality, causing damage or downtime.
  3. Legal and Compliance Issues: Organizations may face legal repercussions or compliance issues if they fail to secure their systems adequately, especially when handling sensitive data like personal information protected by privacy laws.
  4. Reputation Damage: A security breach due to default credentials can severely damage an organization’s reputation, eroding trust among users, partners, and stakeholders.

What I thought and did next:

I thought about trying for Remote Command Execution, but I remembered the WAF: if their team detected that I was connected as Administrator in their system, they would change the password immediately and I could say goodbye to the potential bounty $$$$.

So I reported the vulnerability on the platform and waited for them to accept it (45 minutes).

Returning to check for Remote Command Execution (RCE) after reporting the vulnerability was a strategic move. However, the client swiftly changed the password within a mere 10 minutes.

One mistake can lead to another, no?

Let’s go for a little fuzz session.

What am I trying to do?

I use FFUF to test all the domains found in the subdomain enumeration step, looking in each robots.txt for an entry containing /INTERSHOP/.

As you can see, I received a response from FFUF, so we have found a new domain running INTERSHOP.
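The robots.txt check above works because a robots.txt that lists a platform or admin path advertises it to anyone who fetches the file. The following is an added example (not from the write-up, and not FFUF) of the same check turned into a defender's audit over your own subdomain inventory: it parses each robots.txt body and flags paths that contain a sensitive marker. The "/INTERSHOP/" marker is the one the post hunts for; the other markers, the hostnames and the robots.txt bodies are constructed sample inputs standing in for what FFUF would fetch.

```python
"""Audit robots.txt files across an inventory for advertised admin/platform paths.

Added example, not code from the write-up. The "/INTERSHOP/" marker comes from
the post; the other markers and SAMPLE_ROBOTS are constructed assumptions.
"""
import re
from typing import Dict, List

# Path fragments that, when listed in robots.txt, point a visitor straight at
# an administrative or platform-specific surface. Case-insensitive.
SENSITIVE_MARKERS = ("/INTERSHOP/", "/admin", "/manage", "/backup")

_DIRECTIVE = re.compile(r"(?i)(disallow|allow)\s*:\s*(\S*)")


def parse_robots_paths(robots_text: str) -> List[str]:
    """Return the distinct Allow/Disallow paths in a robots.txt body, in order.

    Comments ('#') and blank lines are skipped, directive names are matched
    case-insensitively as crawlers do, and an empty 'Disallow:' (allow all)
    yields nothing.
    """
    paths: List[str] = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m and m.group(2) and m.group(2) not in paths:
            paths.append(m.group(2))
    return paths


def find_disclosures(robots_by_host: Dict[str, str],
                     markers=SENSITIVE_MARKERS) -> Dict[str, List[str]]:
    """Map each host to the robots.txt paths that contain a sensitive marker."""
    hits: Dict[str, List[str]] = {}
    for host, body in robots_by_host.items():
        flagged = [p for p in parse_robots_paths(body)
                   if any(mark.lower() in p.lower() for mark in markers)]
        if flagged:
            hits[host] = flagged
    return hits


# Constructed sample responses standing in for fetched robots.txt files.
SAMPLE_ROBOTS = {
    "shop.example.test": "User-agent: *\nDisallow: /INTERSHOP/\nDisallow: /cart\n",
    "www.example.test": "User-agent: *\nDisallow: /private/  # marketing drafts\nAllow: /\n",
    "legacy.example.test": "user-agent: *\ndisallow: /Admin/login\n",
}

if __name__ == "__main__":
    for host, paths in find_disclosures(SAMPLE_ROBOTS).items():
        print(f"{host}: {', '.join(paths)}")
```

Feed it the robots.txt bodies collected for every host you own (the fetching is deliberately left out so the audit runs offline on saved responses); each hit is a host whose robots.txt should stop naming the path, and whose admin surface should be verified to need more than a documented password.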

This time our luck didn’t hold: the default credentials we had didn’t provide access, suggesting that security settings or permissions differ on this domain.

If you haven’t read it yet, my OSCP write-up is available here: OSCP

Thanks for reading, and see you soon for a new adventure.

Contact:

LinkedIn: https://www.linkedin.com/in/drisr53/

Website: https://jedus0r.github.io./


Article source: https://infosecwriteups.com/default-credentials-p1-with-reward-in-a-bug-bounty-program-1aad9c008619?source=rss----7b722bfd1b8d--bug_bounty