I - Passive Reconnaissance
Subdomain Enumeration
Let's start with some recon. The information we have so far is that @martenmickos has lost his login details for BountyPay and thus can't approve the May bug bounty payments. We also have the scope, which is *.bountypay.h1ctf.com
Usually when I approach a target I'll begin with some subdomain reconnaissance. I have a couple of aliases in my ~/.zshrc to use subfinder and amass. I run subfinder first, then amass:
alias subff="subfinder -o subfinder.txt -v -d"
alias amasss="amass enum -config ~/amass/config.ini -ip -src -nf subfinder.txt -d"
Amass results:
[Censys] www.bountypay.h1ctf.com 3.21.98.146
[DNS] bountypay.h1ctf.com 3.21.98.146
[Censys] api.bountypay.h1ctf.com 3.21.98.146
[Censys] app.bountypay.h1ctf.com 3.21.98.146
[Censys] staff.bountypay.h1ctf.com 3.21.98.146
[Censys] software.bountypay.h1ctf.com 3.21.98.146
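As an added example (not the author's own aliases), the following POSIX shell functions turn amass "enum -src -ip" output of the format shown above into a deduplicated host list and a per-IP host count, which is how the shared 3.21.98.146 host stands out at a glance. The sample input is the six result lines above, embedded as a constant so the functions run offline; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example: post-process amass "enum -src -ip" output.
# Each line looks like: [Source] hostname ip   (as in the results above)

# Constructed sample: the six amass lines from the writeup, embedded inline.
AMASS_SAMPLE='[Censys] www.bountypay.h1ctf.com 3.21.98.146
[DNS] bountypay.h1ctf.com 3.21.98.146
[Censys] api.bountypay.h1ctf.com 3.21.98.146
[Censys] app.bountypay.h1ctf.com 3.21.98.146
[Censys] staff.bountypay.h1ctf.com 3.21.98.146
[Censys] software.bountypay.h1ctf.com 3.21.98.146'

# amass_hosts: read amass lines on stdin, print the unique hostnames
# (second column), one per line, sorted. Suitable as input for
# follow-up tools such as aquatone.
amass_hosts() {
    awk 'NF >= 3 { print $2 }' | sort -u
}

# amass_by_ip: read amass lines on stdin and print one line per IP:
#   <ip> <number of hosts> <host> <host> ...
# A single IP carrying many hostnames means one box (or one load
# balancer) fronts them all, which is worth knowing before probing
# each one separately.
amass_by_ip() {
    awk 'NF >= 3 {
            if (!seen[$3 SUBSEP $2]++) {
                hosts[$3] = hosts[$3] " " $2
                n[$3]++
            }
         }
         END { for (ip in n) print ip, n[ip] hosts[ip] }' | sort
}

# Stand-alone run on the embedded sample.
printf '%s\n' "$AMASS_SAMPLE" | amass_hosts
printf '%s\n' "$AMASS_SAMPLE" | amass_by_ip
```

In practice the sample constant is replaced by the real file, e.g. `amass_by_ip < amass.txt`; the dedup key in amass_by_ip is host plus IP, so a host reported by several sources is counted once.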
We can see that everything is running on the same IP 3.21.98.146. Something that is often useful is to get basic info about the IP. For this I have a small function in my ~/.zshrc:
ipinfo() {
    # HTTPie request to ipinfo.io for the given IP; -b prints only the response body
    http get https://ipinfo.io/$1 -b
}
In this case we can see that the IP belongs to Amazon, which could be useful if we encounter an SSRF later on:
{
"city": "Columbus",
"country": "US",
"hostname": "ec2-3-21-98-146.us-east-2.compute.amazonaws.com",
"ip": "3.21.98.146",
"loc": "40.1357,-83.0076",
"org": "AS16509 Amazon.com, Inc.",
"postal": "43236",
"readme": "https://ipinfo.io/missingauth",
"region": "Ohio",
"timezone": "America/New_York"
}
Mapping
I usually follow up with some visual recon using Aquatone:
alias aqua='cat amass.txt | aquatone -ports xlarge'
Here I skipped Aquatone since it appears that we only have 5 targets:
bountypay.h1ctf.com / www.bountypay.h1ctf.com
api.bountypay.h1ctf.com
app.bountypay.h1ctf.com
staff.bountypay.h1ctf.com
software.bountypay.h1ctf.com
bountypay.h1ctf.com

bountypay.h1ctf.com has a dropdown menu that redirects to:
Customers - app.bountypay.h1ctf.com
Staff - staff.bountypay.h1ctf.com
The other interesting thing we can note is that there is a reference to a Twitter account in the source of the page:
<div style="position:absolute;bottom:7px;right:7px" class="pull-right">
<a href="https://twitter.com/bountypayhq" class="twitter-follow-button pull-right" data-show-count="false"></a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
</div>
Twitter
On @BountypayHQ profile page there are only 3 tweets including one with a reference to a new employee named Sandra:

BountyPayHQ is only following 3 accounts, and we can see that among them is the new employee SandraA76708114, aka Sandra Allison:

If we look at her profile there is only 1 tweet, with a photo including what appears to be her employee ID, STF:8FJ3KFISL3, which will be useful later on:

app.bountypay.h1ctf.com

On app.bountypay.h1ctf.com at first sight there is not much to see: only a login form, which gives us an error when submitting invalid credentials.
api.bountypay.h1ctf.com

On the API the only thing out of the ordinary is a link that redirects to Google Search; we will come back to this later on.
<a href="/redirect?url=https://www.google.com/search?q=REST+API">REST API</a>
staff.bountypay.h1ctf.com

The staff application looks really similar to the app one. We are presented with a login form which throws an error with invalid credentials. Something we can note is the template parameter in the URL used to load the login template.
software.bountypay.h1ctf.com

The software subdomain appears to be accessible only from a specific IP.