We’ve been in this pandemic since March, and once the pandemic started I had a lot of free time. I needed to spend that time wisely, so I decided to buy the OSWE certification, and I completed the exam on 8 August. After that I took a couple of weeks to recover from the OSWE exam, then in mid-September I said, you know what? I did not register my name in the Facebook hall of fame for 2020 as I do every year. OK, let’s do it.
I had never found a vulnerability on one of Facebook’s subdomains, so I took a look at some writeups, and I saw one on a Facebook subdomain that got all my attention. It was a great write-up; you can check it out: [HTML to PDF converter bug leads to RCE in Facebook server.]
After reading this writeup I had a good idea of how many vulnerabilities I could find in such a big web app.
So my main target was https://ethical.tapprd.thefacebook.com and my goal was RCE or something similar.
I ran some fuzzing tools just to get the full list of endpoints of this web app, took a two-hour nap and watched a movie, then came back to check the results. OK, I got some good results.
Dirs found with a 403 response:
/tapprd/
/tapprd/philosophize/
/tapprd/services/
/tapprd/Converse/
/tapprd/api/
/tapprd/Services/
/tapprd/temp/
/tapprd/logs/
/tapprd/logs/portal/
/tapprd/logs/api/
/tapprd/certificates/
/tapprd/logs/auth/
/tapprd/logs/Portal/
/tapprd/API/
/tapprd/webroot/
/tapprd/logs/API/
/tapprd/certificates/sso/
/tapprd/callback/
/tapprd/logs/callback/
/tapprd/Webroot/
/tapprd/certificates/dkim/
/tapprd/SERVICES/
I noticed a way to bypass the redirection to the SSO login, https://ethical.tapprd.thefacebook.com/tapprd/portal/authentication/login, and after examining the login page I noticed this endpoint
I said OK, this might be because the email is wrong or something? Let’s get an admin email. Then I started to put random emails in a list to make a wordlist, and after that I used Intruder and said let’s see what will happen.
I came back after a couple of hours and found the same error results plus one other result: this one was a 302 redirect to the login page. I said wow, I’ll be damned if this worked, haha.
So let’s go back and check what I’ve done here: I sent random requests using Intruder with a CSRF token and random emails with a new password to this endpoint /savepassword
and one of the results was a 302 redirect.
Now I went to the login page, entered the login email and the new password, and BOOM, I logged in successfully to the application and was able to enter the admin panel 🙂
I read the report of the hacker who found the earlier RCE using the PDF, and they gave him a reward of only 1000$, so I said OK, let’s get a good impact here and a perfect exploit.
I wrote a quick and simple Python script to exploit this vulnerability: you enter the email and the new password, and the script changes the password.
The impact here was very high because Facebook employees used to log in with their work accounts, which means they were using their Facebook account access tokens, and if another attacker wanted to exploit this it could give him the ability to gain access to some Facebook employees’ accounts, etc.
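As an added defensive example (not the author’s script and not code from the application): the enumeration described above shows up in server logs as one client posting to /savepassword for many different emails, getting the error page for most of them and a 302 for the one account that was actually reset. The Python below runs that detection over a constructed application log; the log format and the full path are assumptions, only the /savepassword endpoint and the 302 behaviour come from the post.

```python
import re
from collections import defaultdict

# Constructed application-log format (an assumption, not the real server's log):
# timestamp, client address, method, path, status and the e-mail field submitted.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) email=(?P<email>\S+)$"
)

# Constructed sample log: one client tries /savepassword for many different accounts,
# getting the error page (200) for unknown e-mails until one reset is accepted (302).
SAMPLE_LOG = """\
2020-09-14T10:00:01Z 203.0.113.7 POST /tapprd/portal/authentication/savepassword 200 email=test1@example.com
2020-09-14T10:00:02Z 203.0.113.7 POST /tapprd/portal/authentication/savepassword 200 email=test2@example.com
2020-09-14T10:00:02Z 198.51.100.4 GET /tapprd/portal/authentication/login 200 email=-
2020-09-14T10:00:03Z 203.0.113.7 POST /tapprd/portal/authentication/savepassword 200 email=hr@example.com
2020-09-14T10:00:04Z 203.0.113.7 POST /tapprd/portal/authentication/savepassword 200 email=it@example.com
2020-09-14T10:00:05Z 203.0.113.7 POST /tapprd/portal/authentication/savepassword 302 email=admin@example.com
2020-09-14T10:00:06Z 203.0.113.7 POST /tapprd/portal/authentication/savepassword 200 email=sales@example.com
2020-09-14T10:00:07Z 198.51.100.4 POST /tapprd/portal/authentication/savepassword 302 email=jane@example.com
"""

def parse_line(line):
    # Return a dict for one log line, or None if the line does not match the format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def detect_reset_enumeration(lines, path_suffix="/savepassword", min_distinct_emails=5):
    """Flag clients that POST password resets for many distinct accounts and list the
    e-mails whose reset was accepted (302) so those accounts can be re-secured."""
    tried = defaultdict(set)       # client -> distinct e-mails submitted
    accepted = defaultdict(list)   # client -> e-mails whose reset returned 302
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].endswith(path_suffix):
            continue
        tried[rec["client"]].add(rec["email"])
        if rec["status"] == 302:
            accepted[rec["client"]].append(rec["email"])
    findings = []
    for client, emails in sorted(tried.items()):
        if len(emails) >= min_distinct_emails:
            findings.append({"client": client, "distinct_emails": len(emails),
                             "accepted_resets": sorted(accepted[client])})
    return findings
```

Run it over your own reset-endpoint log with `detect_reset_enumeration(open(path).read().splitlines())`; the threshold separates a user retrying their own reset from a wordlist sweep.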
Then I reported the vulnerability and the report was triaged.
And on 2 October, I received a bounty of 7500$.
I enjoyed exploiting this vulnerability so much that I said that’s not enough, that is a weak script! Let’s dig more and more.
And I found two more vulnerabilities on the same application, but we will talk about the other vulnerabilities in the Part two writeup 🙂