How finding an origin IP got me an ATO (account takeover)
Peace be upon you, and the mercy and blessings of God.
Hi brothers, I hope you're doing well, insha'Allah. Today's bug shows how attacking an origin IP differs from attacking the main domain, which usually sits behind a WAF/CDN such as Cloudflare.
First of all, we'll call our target redacted.com.
redacted.com has a login page that asks only for your email, then sends a one-time code (OTP) to that address. You're probably thinking "he should try bypassing the rate limit". I had already done that, BUT when you enter a wrong code you get:

“user_message”: “Incorrect code 9 attempts remaining.”

Then it becomes 8, and so on. The lockout counter was clearly being enforced, so it didn't look vulnerable. I was collaborating with my homie Omar Ahmed, and he sent me one of the target's origin IPs that he had found during his Shodan dorking phase. We tried the same login flow directly against the origin, fully expecting to get blocked there too, but every wrong code came back with “user_message”: “Incorrect code 9 attempts remaining.” and the number of attempts remaining never decreased. In other words, whatever was counting failed attempts was sitting in front of the origin (on the path through Cloudflare), not in the application itself, so anyone who reaches the origin IP directly simply skips it.
With that, we could have brute-forced the OTP and taken over any account in under 10 minutes using Turbo Intruder :)
Lessons I've learned from this experience
While we were collecting as many origin IPs as we could, we checked the target's SSL certificate details with https://www.sslshopper.com/ssl-checker.html
What really caught my attention was the certificate's serial number. I asked myself: can I dork in Shodan with just the SERIAL NUMBER? I gave it a shot and found that I could, using the following dork:
ssl.cert.serial: xxxxxxxxxxxxxxxxxxxx
And guess what, I got more than 22 working IPs :) A serial number identifies exactly one certificate from its issuer, so every host Shodan returns for that serial is presenting the target's own certificate. The hits still need to be checked one by one (connect to the IP with the target's hostname in SNI and the Host header and see whether the real app answers), since some will be staging boxes, load balancers or stale Shodan snapshots. From the defender's side, the fix is the same one that would have killed this bug: the origin should only accept connections from the CDN's IP ranges (or require authenticated origin pulls), and any lockout or rate limit has to live in the application itself, not only at the edge.
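The serial-number dork in code, as an added example of my own (not code from the original write-up or from Shodan): it pulls the leaf certificate the target presents, reads the serial straight out of the DER with a minimal ASN.1 walk (stdlib only), builds the ssl.cert.serial filter, and then checks whether a candidate IP from the Shodan results really presents the same certificate. Assumptions: Shodan indexes the serial as an integer (sslshopper and openssl display it as hex, so both forms are produced), the sample DER blob below is a constructed, truncated certificate containing only the fields the parser reads, and the script name is hypothetical.

```python
import socket
import ssl
import sys

# Constructed, truncated certificate: outer SEQUENCE, tbsCertificate SEQUENCE,
# explicit [0] version = v3, serialNumber INTEGER 0x0A1B2C3D4E5F6071, nothing else.
SAMPLE_DER = bytes.fromhex("3011300FA00302010202080A1B2C3D4E5F6071")


def _der_tlv(buf, off):
    """Decode one DER tag/length at buf[off:]; return (tag, value_start, value_end)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def cert_serial(der):
    """Return the serialNumber of a DER-encoded X.509 certificate as an int.

    Walks only as far as it needs to:
      Certificate ::= SEQUENCE {
        tbsCertificate SEQUENCE {
          version      [0] EXPLICIT INTEGER OPTIONAL,
          serialNumber     INTEGER, ...
    """
    tag, tbs_start, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, cur, _ = _der_tlv(der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _der_tlv(der, cur)
    if tag == 0xA0:                         # optional explicit version present; skip it
        tag, vstart, vend = _der_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[vstart:vend], "big")  # leading 0x00 pad handled


def shodan_serial_dork(serial):
    """The filter the write-up used, plus the hex form for cross-checking
    against what sslshopper/openssl print."""
    return {"decimal": f"ssl.cert.serial:{serial}", "hex": f"{serial:X}"}


def fetch_serial(host, port=443):
    """Fetch the leaf certificate the public front door presents and return its serial."""
    pem = ssl.get_server_certificate((host, port))
    return cert_serial(ssl.PEM_cert_to_DER_cert(pem))


def serves_same_cert(ip, expected_serial, sni_host, port=443):
    """Confirm a candidate IP from the dork really presents the same certificate.
    Name verification is off because a raw origin IP never matches the hostname;
    the serial comparison is the check that matters here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                return cert_serial(tls.getpeercert(binary_form=True)) == expected_serial
    except (OSError, ssl.SSLError, ValueError):
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: cert_serial_dork.py <hostname> [candidate-ip ...]")
    host, candidates = sys.argv[1], sys.argv[2:]
    serial = fetch_serial(host)
    print(shodan_serial_dork(serial))
    for ip in candidates:
        print(ip, "same certificate" if serves_same_cert(ip, serial, host) else "different / no TLS")
```

Paste the decimal form into Shodan, then feed the returned IPs back to the script as candidates; only the ones that report "same certificate" are worth the Host-header test against the login flow.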
But unfortunately, the company we were hacking on gave us the smallest bounty they could :) claiming that the complexity of the attack was high, along with some other unrealistic points, to avoid paying even the top of the high-severity range.
This field has its dark side as well as its bright side :) I hope you enjoyed reading this one!
See you in my other 0-click ATO write-up.
My Twitter account: https://twitter.com/mux0x
My GitHub account: https://github.com/mux0x