Easy P1 Severity Bug which I got during Recon Process

Today I would like to share an easy P1 bug which I got during the recon process.
As I was working on a private program, I cannot disclose the target; let’s refer to the target as “target.com”. :grin:

VRT : Server Security Misconfiguration > Using Default Credentials

According to my bug hunting methodology, I was checking for subdomains, so I used the Sublist3r tool to find them (you can also use Asset Finder, Knockpy, or websites like dnsdumpster and VirusTotal).

After getting a list of subdomains I copied them into a TXT file and saved it as I wanted to port scan all the subdomains. I saved the file as “sub.txt”.
Then I used nmap to find open ports, so I passed my “sub.txt” file to nmap using the following command. (You can use nmap.org to learn more about the tool.)

nmap -iL sub.txt

It takes time to scan all ports of all subdomains. :confused: :slightly_frowning_face:
And I got a subdomain, update1.target.com, whose port 21 was open.
I opened the Windows terminal (CMD) and typed the following.

FTP update1.target.com (Hit ENTER)

Now enter the Name: anonymous (Hit ENTER)

Now enter the Password: anonymous (Hit ENTER)
Done, you are logged in successfully. :star_struck: :star_struck:

IMPACT :
An attacker can carry out malicious activity by connecting to the FTP server.

MITIGATION :
Remove the default credentials.

#BugBounty #Recon #P1 #bug-bounty-corner

13 Likes

How did you obtain the uname and pword?

He already mentioned he used the default credentials (anonymous, anonymous).
For FTP, the common default credential is: (anonymous, anonymous)

2 Likes

congrats bro. cool find!
how long did it take for nmap to scan btw?

1 Like

Nice. P1 boom baam :star_struck:

1 Like

Thank you @toor97 for the explanation, I think @Fareed got his answer.

1 Like

That's a cool bug, I used to play with these bugs on “HACK THE BOX”

1 Like

Not much, depending on the list it was around 8-12 mins.

1 Like

Wow… @Omkar26 this is awesome !!

1 Like

Can we have Bug Bounty as a separate category? @sahil

2 Likes

Done. Access the same here: #cybersecurity:bug-bounty-corner !!

Accepted as per #site-feedback

1 Like

Thank you so much :raised_hands: @sahil

1 Like

That is not a bug, it is a misconfiguration. All FTP servers have an option to use Anonymous Login. If Anonymous Login is allowed, the server checks if the username is “anonymous”; if it is, we don’t even need to specify a password.
By the way, good find brother!

4 Likes
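
For the MITIGATION step and the anonymous-login option mentioned in the last reply, here is an added example (not code from any poster in this thread) that audits a server's own configuration for that option. It assumes the server is vsftpd, which the thread does not state; the sample configurations are constructed. In vsftpd, anonymous_enable defaults to YES, so a config file that never mentions it still permits anonymous login.

```python
# Added example: audit vsftpd.conf text for anonymous-FTP exposure.
# Assumption: the server is vsftpd; the thread does not name the software.
TRUTHY = {"YES", "TRUE", "1"}

# vsftpd's documented defaults for the options checked here.
DEFAULTS = {
    "anonymous_enable": True,   # anonymous login is on unless turned off
    "write_enable": False,
    "anon_upload_enable": False,
    "anon_mkdir_write_enable": False,
    "anon_other_write_enable": False,
}
ANON_WRITE = ("anon_upload_enable", "anon_mkdir_write_enable",
              "anon_other_write_enable")


def effective_settings(conf_text):
    """Defaults overridden by the option=value lines present in the file."""
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in settings:
            settings[key] = value.strip().upper() in TRUTHY
    return settings


def audit(conf_text):
    """Return findings; an empty list means anonymous login is disabled."""
    s = effective_settings(conf_text)
    if not s["anonymous_enable"]:
        return []
    findings = ["anonymous login permitted (usernames 'ftp' and 'anonymous')"]
    if s["write_enable"]:  # anon_* write options only apply with this set
        findings += [f"anonymous write access: {o}=YES" for o in ANON_WRITE if s[o]]
    return findings


# Constructed sample configurations, not taken from the thread.
WEAK = "# anonymous_enable not set, default applies\nwrite_enable=YES\nanon_upload_enable=YES\n"
HARDENED = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "anonymous login disabled")
```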