In 2010, WikiLeaks released a classified document.
A list of infrastructure critical to U.S national security.
The government listed a Trans-Atlantic cable.
3 years ago,
19-year-old me gained ADMIN access to that cable (and another; shared codebase).
🧵 Here's how I found it
1/ It began with a bug bounty program.
Of a telecommunications company (that I can't name publicly).
As some of you may know, I love recon.
I had already done subdomain enumeration.
The next step was to scan their IP ranges.
So,
2/ I searched the company's name on bgp.he.net
Saved their IP ranges.
I ran @ErrataRob's masscan, probed for HTTP(s) servers, and grabbed the HTTP titles.
Looked something like:
$ masscan -p 80,443 -iL ranges -oL out.txt
$ cat out.txt | httpx -title
One title stuck out:
3/ "███ Cable System" (I have to redact this)
So, I visited the server in my browser.
The home page said
> "Welcome to the ███ Management System"
No way. This isn't really online is it?
Underneath was a link:
"Log in to ███"
Clicked it and it brought me to
4/ "login.jsp"
Ok! It was a Tomcat webserver
I didn't have credentials. Obviously.
I started with directory brute-forcing.
Used @joohoi's ffuf & filtered by the number of response words on the 404 page.
It found several directories.
One that stuck out was
5/ The directory /admin/
Remember, it's running Apache Tomcat.
I built a wordlist for .jsp files using BigQuery. (Learned from @assetnote's commonspeak)
Bruteforcing found a few JSP files, but they all redirected to the login page.
Gah. Well,
6/ Let's see if there are more directories down /admin/
Directory-Bruteforcing found /accounts/.
This redirected to the login page.
I was about to brute-force JSP files when I realized something unique in the response.
A header.
> Set-Cookie: JSESSIONID=<id>;
That's weird.
7/ It's probably worthless. Right?
I was intrigued enough.
So I decided to visit the endpoint in my browser.
Twice.
1st - To set the JSESSIONID cookie in my browser.
2nd - To see if the cookie was valid & used for authentication.
1st visit: http://<IP>/admin/accounts/ and
8/ Redirected to the home page.
Second visit:
> HTTP/1.1 200 OK
> --- snip ---
> <title>Account Administration</title>
HOLY **** IT WORKED.
This is a HIGHLY redacted version of what I saw:
So,
9/ I clicked through the menus to see if I was actually authenticated.
I was. FULLY. AUTHENTICATED.
On that same IP range,
They had ANOTHER system for ANOTHER cable.
I tried the same attack.
IT WORKED!
I had admin access to TWO. Different. Cables.
I was in disbelief.
So,
10/ I reported it immediately and started pinging their program manager.
It was the best response I've ever gotten.
And will ever get.
TLDR;
- Participating in a bug bounty program (telecommunications company)
- Scanned their IPV4 Ranges
- Found a webserver that said "███ Cable System"
- Directory brute-force found /admin/accounts/
- The endpoint set a valid admin JSESSIONID.
https://twitter.com/hacker_/status/1512552850831851531
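A defender-side check for the symptom this thread describes (an admin page answering 200 to a client that never completed a login), as an added example that is not part of the original thread. The access-log lines are constructed; the combined log format, the /login.jsp path and the /admin/ prefix are assumptions modelled on the thread.

```python
import re

# Constructed access log (not from the thread). 203.0.113.5 logs in first;
# 198.51.100.9 reaches /admin/accounts/ with no login, like the thread's second visit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2022:10:00:01 +0000] "POST /login.jsp HTTP/1.1" 302 0
203.0.113.5 - - [10/Apr/2022:10:00:02 +0000] "GET /admin/accounts/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Apr/2022:10:05:00 +0000] "GET /admin/accounts/ HTTP/1.1" 302 0
198.51.100.9 - - [10/Apr/2022:10:05:01 +0000] "GET /admin/accounts/ HTTP/1.1" 200 5120
198.51.100.9 - - [10/Apr/2022:10:05:02 +0000] "GET /admin/users.jsp HTTP/1.1" 200 2048
"""

# Apache/Tomcat "common" log format: ip ident user [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_admin_hits(log_text, admin_prefix="/admin/", login_path="/login.jsp"):
    """Return (ip, path) pairs where a page under admin_prefix returned 200 to a
    client with no earlier successful login. A login is assumed (constructed
    convention) to be a POST to login_path answered with 302."""
    logged_in = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] == 302:
            logged_in.add(rec["ip"])
            continue
        if rec["path"].startswith(admin_prefix) and rec["status"] == 200 and rec["ip"] not in logged_in:
            findings.append((rec["ip"], rec["path"]))
    return findings
```

Running this over real logs is only a first cut: it keys on client IP rather than session ID, so a proxy or NAT in front of the server will need the JSESSIONID logged and used as the key instead.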