Today I would like to share about an easy P1 bug which I got during recon process.
As I was working on private program I cannot disclose the target, let’s refer the target as “target.com”
VRT : Server Security Misconfiguration > Using Default Credentials
According to my methodology of bug hunting I was checking for Subdomains , So I use Sublist3r tool for finding the subdomains ( you can also use Asset Finder, Knockpy or website like dnsdumpster and virus total) .
After getting a list of subdomains I copied them into a TXT file and saved it as I wanted to port scan all the subdomains. I saved the file as “sub.txt”.
Then I used nmap for finding open ports. So I passed my “sub.txt” file to nmap using the following command. (You can use nmap.org for knowing more about the tool.)
nmap -iL sub.txt
It takes time to scan all ports of all subdomain.
And I got a Subdomain update1.target.com whose port 21 was open.
I opened windows terminal(CMD) and typed the following.
FTP update1.target.com ( Hit ENTER)
Now enter the Name: anonymous (Hit ENTER)
Now enter the Password: anonymous (Hit ENTER)
Done you are login successfully.
An attacker can do the malicious activity by connecting to the FTP server.
Remove the default credentials.
#BugBounty #Recon #P1 #bug-bounty-corner