Hello everyone! Welcome back to my blog. It took me just 5 minutes to find this and 1 hour to triage it. This has been my quickest discovery and bounty!
I received a private invite from one of the programs. I checked the scope and noticed that it had a wildcard scope. I ran Subfinder and Httpx to collect more subdomains, and I also used DNS brute-forcing and vhost discovery tools to enumerate a large number of subdomains.
If you want more subdomains, simply run Subfinder again with the subdomains it generated. Use the commands below to create a good list of subdomains:
subfinder -d domain.com -silent -all | httpx -p 80,443,8443 | tee subs.txt
subfinder -dL subs.txt -all -silent | httpx -p 80,443,8443 | tee moresubs.txt
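The two commands above run one extra pass by hand. The script below is an added example (not from the original post) that repeats the "feed Subfinder its own output" step until a pass adds no new host, with a round cap so a noisy passive source cannot loop forever. It assumes subfinder accepts seed domains on stdin, and ENUM_CMD is a hypothetical override so you can substitute another enumerator; run httpx on the resulting file afterwards, exactly as in the post.

```shell
#!/bin/sh
# Recursive subdomain enumeration to a fixpoint (added example, not the post's code).
# Each pass feeds the whole current list to the enumerator, merges the results and
# deduplicates; we stop when the list stops growing or MAX_ROUNDS is hit.
# Assumptions: subfinder reads seed domains from stdin; ENUM_CMD is a hypothetical
# hook that lets a reader swap in another enumerator (or a stub for a dry run).

ENUM_CMD="${ENUM_CMD:-subfinder -all -silent}"   # assumption: stdin-fed enumerator
MAX_ROUNDS="${MAX_ROUNDS:-5}"                     # safety cap against runaway recursion

# enumerate_fixpoint <seed-domain> <output-file>
# Writes the sorted, unique host list to <output-file> and prints the number of
# enumeration passes that were needed on stdout.
enumerate_fixpoint() {
    seed="$1"; out="$2"
    tmp="$(mktemp)"
    printf '%s\n' "$seed" > "$out"
    round=0
    while [ "$round" -lt "$MAX_ROUNDS" ]; do
        round=$((round + 1))
        before=$(wc -l < "$out" | tr -d ' ')
        # Re-feed everything found so far, drop blank lines, merge with the old list.
        $ENUM_CMD < "$out" | grep -v '^$' | sort -u "$out" - > "$tmp"
        mv "$tmp" "$out"
        after=$(wc -l < "$out" | tr -d ' ')
        # Fixpoint reached: this pass added nothing new.
        [ "$after" -eq "$before" ] && break
    done
    echo "$round"
}

# Usage (scope is the program's wildcard domain):
#   enumerate_fixpoint domain.com subs.txt && httpx -l subs.txt -p 80,443,8443
```

Keep MAX_ROUNDS small on large scopes: every pass re-queries every host already found, so passive sources get hammered quadratically.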
After enumerating all the subdomains, I ran a CVE scan in Nuclei using the command below:
nuclei -l subs.txt -tags cve,exposure,panel -es low,info -rl 60 -nmhe
Within 5 minutes, I got a CVE hit!
At first, I thought it might be a false positive, but later I checked for the proof of concept (PoC) for that particular CVE on GitHub and found an exploit.
I checked the CVE against the affected domain and found a Local File Inclusion (LFI) vulnerability.
I immediately reported the finding and, after one hour, received a message with the triage results and bounty information.
Clap if you learned something! Follow me for more blogs like this, and connect with me on LinkedIn.
https://www.linkedin.com/in/ramthullaguduru
Bye for now!