
How I Earned $250 with Just a 5-Minute Recon Process



Introduction

A lot of my friends have asked me to share the proof of concept for my newest finding, so I decided to write a detailed story of how I found a subdomain takeover on a private company's program on Bugcrowd.

So today I am going to share the story of how I earned a $250 bounty from a private company on Bugcrowd in just 5 minutes!

The story begins on a regular college day when we were having our DAA (Design Analysis and Algorithms) lab. I went to the lab and my class teacher started teaching us about the Quick Sort algorithm. It was quite boring, because I don't like developing things; I am more interested in breaking them, finding security vulnerabilities and exploiting them!

Let's move to the technical part


As a responsible penetration tester I am not allowed to disclose the company name, so let's suppose the company was called "xyz".

After a few minutes I decided to log in to my Bugcrowd account and have a look at a program I had newly been invited to. I went to the program and started to check the scope. It was *.xyz.com, which means that if I was able to find a security weakness on any of the subdomains, it would be considered a valid security issue!

After looking at the scope I decided to look for subdomains. For that I went to http://crt.sh and searched for %.xyz.com, and a huge number of subdomains came up on the screen. I started to browse the subdomains one by one and landed on something very interesting: when I visited h2.xyz.com it gave me a Fastly unknown-domain error.


I was like, WTF! I mean, it's a subdomain takeover vulnerability. I was amazed that more than 200 security researchers had already been invited to this program, but I think none of them had looked at subdomain enumeration.

To confirm the vulnerability I visited the same subdomain over both HTTP and HTTPS, because sometimes it looks like a subdomain takeover when you visit it on port 80 while the actual service is running on port 443. Luckily it showed me the same error on both HTTP and HTTPS.



For further confirmation I decided to resolve the domain and check its DNS records. So I fired up the host command and it showed me this:


From this screenshot what I could understand is that h2.xyz.com is pointing to a Fastly address, but when I try to visit that address it shows me that there is no such app on Fastly.

That confirmed it was a valid security issue!
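As an added example (not code from the original post), here is a small Python check a defender could run over their own zone to flag exactly the condition described above: a CNAME to Fastly whose hostname returns Fastly's unknown-domain page on both HTTP and HTTPS. The Fastly CNAME suffixes, the error-page fingerprint, and the sample `host` output and response body are assumptions constructed for this example.

```python
import re
import subprocess
from typing import List, Optional

# CNAME suffixes Fastly hands out to customers (assumed list; extend for your zone).
FASTLY_SUFFIXES = (".fastly.net.", ".fastlylb.net.")
# Text on the page Fastly serves for a hostname no service has claimed (assumed fingerprint).
FASTLY_UNKNOWN = "Fastly error: unknown domain"
# Alias lines printed by the `host` CLI look like "a.example is an alias for b.example."
ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+?)\.?$")

def parse_host_output(text: str) -> List[str]:
    """Return the CNAME chain (targets, dot-terminated) found in `host` output."""
    matches = (ALIAS_RE.match(line.strip()) for line in text.splitlines())
    return [m.group(2) + "." for m in matches if m]

def resolve_chain(name: str) -> List[str]:
    """Live lookup with the same `host` command the post used (needs network and `host`)."""
    proc = subprocess.run(["host", name], capture_output=True, text=True, check=False)
    return parse_host_output(proc.stdout)

def points_at_fastly(chain: List[str]) -> bool:
    return any(target.endswith(FASTLY_SUFFIXES) for target in chain)

def classify(chain: List[str], http_body: Optional[str], https_body: Optional[str]) -> str:
    """Verdict for one hostname from its CNAME chain and the bodies fetched on :80 and :443.
    dangling-fastly : Fastly CNAME and both schemes return the unknown-domain page
    port-mismatch   : only one scheme returns it, so the real service lives on the other port
    fastly-ok       : Fastly CNAME serving normal content
    not-fastly      : no Fastly target in the chain, so this check does not apply
    """
    if not points_at_fastly(chain):
        return "not-fastly"
    errs = [body is not None and FASTLY_UNKNOWN in body for body in (http_body, https_body)]
    if all(errs):
        return "dangling-fastly"
    return "port-mismatch" if any(errs) else "fastly-ok"

# Constructed sample data, not captured from any real host.
SAMPLE_HOST_OUTPUT = """\
h2.xyz.com is an alias for xyz.global.ssl.fastly.net.
xyz.global.ssl.fastly.net has address 203.0.113.10
"""
SAMPLE_ERROR_BODY = "Fastly error: unknown domain: h2.xyz.com. Please check that this domain has been added to a service."

def audit_sample() -> str:
    """Run the constructed sample through the same path a live audit of your zone would take."""
    return classify(parse_host_output(SAMPLE_HOST_OUTPUT), SAMPLE_ERROR_BODY, SAMPLE_ERROR_BODY)
```

For a live run, pass `resolve_chain(name)` and the two bodies fetched over HTTP and HTTPS into `classify`; the `port-mismatch` verdict covers the HTTP-versus-HTTPS false positive the post warns about, so only `dangling-fastly` records need to be removed or re-pointed.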

So without wasting too much time I reported the issue to the company. After a few days the bug was triaged and fixed, and I was awarded $250 for this whole process.


Overall Process


Dates:
16-03-2018      -----       Created a report
18-03-2018      -----       Got triaged
19-03-2018      -----       Got fixed
19-03-2018      -----       I rechecked the issue and now it was redirecting me to the main xyz.com.
20-03-2018      -----       Changed to Resolved
20-03-2018      -----       Got awarded $250

That's it!
Thank you!

Comments

  1. Hello,
    Did you actually take over the subdomain? How?

  2. Hello mate!
    Actually I know there is no way to take over the Fastly subdomains! I mean there is a procedure: you first have to show authorization on the main domain, then you can claim the subdomains!

    I know this was not a subdomain takeover, rather it was a security misconfiguration. But I reported it as a subdomain takeover to increase the "severity" of the report!

    Thank you!
    -imran-

  3. Hello @Hackers_Creed,

    Have you found any way to take over Fastly subdomains? I am having a similar case to yours.

