
Chain of Multiple Issues: From Misconfigured CloudFlare to Information Disclosure via Debug Mode, Revealing the Master OTP Code


In the name of Allah, the Most Gracious, the Most Merciful.

This write-up is a part of HakTrak Cybersecurity Squad's research activity.


---


1. Target Information Collection

During a bug hunting activity conducted by myself and YoKo Kho, we encountered a target in the form of a newly developed mobile application. In addition to testing the mobile application itself, another task we undertook during this phase was gathering information about the domains and sub-domains referenced inside the app. In short, we found dev-env.target.tld.

Based on our initial investigation of this domain, we identified two situations regarding the target:

First, there is a possibility that the application is hosted on one of the well-known public hosting services, as the IP used by the dev-env.target.tld sub-domain is registered under that provider's name.


Figure: IP of dev-env.target.tld

Second, there is an indication that the administrator may be utilizing Cloudflare services (evidenced by the name servers in use) as an additional layer of protection, which could help prevent injection attacks or mitigate activities that could overload system resources.


Figure: IP is protected by Cloudflare

Regardless of the investigation results, both of these insights are valuable for profiling the target.

Note that, technically, when a target uses Cloudflare services, the IP we ping is assumed not to be the actual IP of the target, so we need to uncover the real IP address to understand the true setup of the application. To begin this process, we searched using the Censys service.


---


2. Searching for Connections (like IP addresses) Associated with dev-env.target.tld

You might wonder, why use Censys? My friend YoKo has written a blog post about one of Censys' functions for information gathering:

From Recon via Censys and DNSdumpster, to Getting P1 by Login Using Weak Password - "password" (infosecwriteups.com)

Simply put, Censys continuously scans public IPv4 addresses every day and supports scanning over 3,500 ports. Given that the target.tld domain (our target in this write-up) has existed since 2021, there is a good chance that Censys has collected information from the host, especially if the host isn't well protected and can be accessed publicly.

From the Censys search, we identified two Autonomous System Numbers (ASNs) - one under Digital Ocean and another under the main provider we previously identified, which is one of the well-known public hosting services.

As a note: An Autonomous System Number (ASN) is a numerical identifier assigned to an organization that groups a set of IP address blocks.

Upon investigating the ASN of that well-known public hosting service, we found only two IPs with limited relevant information, both located within the same country. However, when examining the Digital Ocean ASN, we discovered several IPs with numerous open ports.

Figure: Found a few IPs

One of the most notable discoveries was IP address 165.***.***.***, which had at least eight open ports. Most interestingly, this IP had a certificate issued for the name "dev-env.target.tld".

Figure: Certificate has been issued to dev-env.target.tld

This suggests that this IP could be the one used for the development or staging environment of the application, hosted on the main public hosting service. This hypothesis is further supported by the fact that the certificate expired in early 2024 (in other words, it was still quite fresh).
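The defensive counterpart of this step is an exposure audit: take scan records of the kind Censys returns, keep those that present a certificate for one of your own names, and flag any that are reachable outside the CDN's address space, together with ports beyond the expected web ports. The script below is an added example and is not code from the write-up or from HakTrak; the scan records, the CDN ranges, the `target.tld` ownership list and the expected port set are all constructed placeholders (a real audit would load the provider's published ranges and your real certificate inventory).

```python
"""Origin-exposure audit over Censys-like scan records (added example).

Assumptions (constructed for this example): SCAN_RECORDS imitates the shape of
host data a scanning service returns (ip, open ports, TLS certificate names);
CDN_RANGES is a placeholder list, not the CDN provider's real published ranges.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder proxy/CDN ranges; in practice load the provider's current list.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed scan records: one host behind the CDN, one origin exposed directly
# with a debug-style port open, and one unrelated host.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "ports": [80, 443], "cert_names": ["dev-env.target.tld"]},
    {"ip": "192.0.2.45", "ports": [22, 80, 443, 3306, 9000], "cert_names": ["dev-env.target.tld"]},
    {"ip": "192.0.2.99", "ports": [443], "cert_names": ["unrelated.example"]},
]

OWNED_SUFFIXES = ("target.tld",)   # domains we are responsible for (assumed)
EXPECTED_PORTS = {80, 443}         # ports an origin is allowed to expose (assumed)


@dataclass
class Finding:
    ip: str
    names: list
    unexpected_ports: list


def _is_owned(name):
    # Matches the apex, sub-domains and wildcard names such as *.target.tld.
    return any(name == s or name.endswith("." + s) for s in OWNED_SUFFIXES)


def behind_cdn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def find_exposed_origins(records):
    """Return hosts that present one of our certificate names but sit outside
    the CDN ranges, with any ports beyond the expected web ports."""
    findings = []
    for rec in records:
        ours = [n for n in rec["cert_names"] if _is_owned(n)]
        if not ours or behind_cdn(rec["ip"]):
            continue
        extra = sorted(set(rec["ports"]) - EXPECTED_PORTS)
        findings.append(Finding(rec["ip"], ours, extra))
    return findings


if __name__ == "__main__":
    for f in find_exposed_origins(SCAN_RECORDS):
        print(f"{f.ip}: certificate for {f.names}, unexpected ports {f.unexpected_ports}")
```

Run periodically against fresh scan data, a non-empty result means an origin answers directly and the CDN can be bypassed; the fix is a host firewall or cloud security group that admits web traffic only from the CDN ranges and closes the remaining ports entirely.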


---


3. Discovering an Active Debug Mode on Port 9000

Continuing from our previous findings, we attempted to access each port identified by Censys, eventually discovering that Port 9000 had an active debug mode.

Figure: Found a lot of open ports

Figure: Found an active debug mode on port 9000

What stood out in this debug mode is that nearly all credentials (such as those for email and databases) were masked with asterisks.

Figure: Protected credentials / keys

However, despite this masking, an exposed debug page remains a sensitive issue that requires safeguarding.


---


4. Discovering the Master Code for OTP

Among the protected fields, one particularly interesting find was the STAGE_VERIFICATION_CODE parameter.

Figure: Found "STAGE_VERIFICATION_CODE"

Initially, we didn't know its purpose, but we soon encountered it during the "registration" process, where entering a random OTP resulted in an "Invalid Verification Code" error.

Figure: Error message after we entered a random OTP code

Although this parameter was found in a different environment, it seemed worth testing, as the same configuration could potentially be reused across different areas of the application. We attempted to register a random account using the master code and, surprisingly, we were able to register with that OTP (XXXXXX) and even use the "forgot password" feature with the same OTP.

As a result, we were able to take over all registered accounts in the application (provided we knew the associated phone number, which could be brute-forced).

The most alarming part is that we were able to withdraw money from these accounts (though no real money was involved, as this was a development environment). We were simply demonstrating the impact of exploiting this vulnerability.
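The two findings above (a debug page reachable on an exposed port, and a stage-only verification code that was honoured everywhere) have a common fix: the application should only consult a fixed verification code outside production, and should refuse to start in production with debug enabled or with such a code set. The snippet below is an added example and is not the application's code; the configuration is a plain dict, and the key names `APP_ENV` and `APP_DEBUG` are illustrative (only `STAGE_VERIFICATION_CODE` appears in the write-up). It shows the vulnerable pattern beside the hardened one.

```python
"""OTP verification with an environment-scoped test code (added example).

Assumptions: config is a dict of environment-style keys; APP_ENV and APP_DEBUG
are illustrative names chosen for this example, STAGE_VERIFICATION_CODE is the
parameter named in the write-up.
"""
import hmac

PRODUCTION_ENVS = {"production", "prod"}


def _eq(a, b):
    # Constant-time comparison so response timing does not leak digit matches.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_otp_vulnerable(submitted, issued, config):
    """Vulnerable pattern: the stage code is accepted in every environment, so
    a leaked value becomes a master key for registration and password reset."""
    master = config.get("STAGE_VERIFICATION_CODE")
    return submitted == issued or (master is not None and submitted == master)


def verify_otp(submitted, issued, config):
    """Hardened: the code issued for this session always works; the stage
    code is only consulted outside production and never when unset/empty."""
    if not submitted or not issued:
        return False
    if _eq(submitted, issued):
        return True
    env = config.get("APP_ENV", "production")   # default to the strictest case
    master = config.get("STAGE_VERIFICATION_CODE") or ""
    if env not in PRODUCTION_ENVS and master:
        return _eq(submitted, master)
    return False


def startup_problems(config):
    """Checks to run before serving traffic; a non-empty list should abort
    start-up rather than be logged and ignored."""
    problems = []
    env = config.get("APP_ENV", "production")
    if env in PRODUCTION_ENVS:
        if str(config.get("APP_DEBUG", "false")).lower() in ("1", "true", "yes"):
            problems.append("APP_DEBUG must be off in production")
        if config.get("STAGE_VERIFICATION_CODE"):
            problems.append("STAGE_VERIFICATION_CODE must not be set in production")
    return problems


if __name__ == "__main__":
    # Constructed configurations: a production deployment that accidentally
    # kept the stage settings, and a staging deployment where they belong.
    prod = {"APP_ENV": "production", "APP_DEBUG": "true", "STAGE_VERIFICATION_CODE": "123456"}
    stage = {"APP_ENV": "staging", "STAGE_VERIFICATION_CODE": "123456"}
    print("vulnerable accepts stage code in prod:", verify_otp_vulnerable("123456", "987654", prod))
    print("hardened accepts stage code in prod:  ", verify_otp("123456", "987654", prod))
    print("hardened accepts stage code in stage: ", verify_otp("123456", "987654", stage))
    print("start-up problems in prod:", startup_problems(prod))
```

The start-up check is the part that would have prevented the chain in this write-up even if the debug page had stayed exposed: with no stage code loaded in production, the value on the debug page is useless, and with debug refused in production there is no page to read it from.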


---


5. Gaining Limited Access to /Admin Dashboard

From the developer accounts we took over, one account granted us access to the /admin dashboard. The username was extracted from the HTTP response when the mobile app queried the /api/v1/auth/user endpoint.

Figure: Access to dashboard

However, this access was limited. Nonetheless, this finding indicates that if an attacker acquires the phone number of users with the earliest IDs (which often correspond to administrator accounts), they could gain full admin access.


---


6. Conclusion

Finally, as we conclude this article, we want to emphasize the importance of a holistic approach to security testing - one that not only focuses on the application itself but also considers its underlying environment. Organizations should prioritize proper configurations, minimize the exposure of sensitive ports, and implement strong authentication mechanisms to prevent vulnerabilities like those discovered in this case.


---


HakTrak Cybersecurity Squad: a Saudi-based cybersecurity R&D company dedicated to enhancing national cybersecurity capabilities (medium.com)