For the first Bounty, it takes a few challenging months, but only a few days for the second.
Good day, everyone! I spent nearly three hours looking for this bug, but it took me three months to uncover the bug that brought me my first bounty.
This is the continuation of my article “On the way to 2nd Bounty”, where I talked about XSS and a vulnerable Apache server.
The target was “example.net”, as I mentioned in my prior post. While signing up, I received the API subdomain “api.example.net”, and the Apache version was 2.4.29. The “api.example.net” page was simply an Apache default page, where I attempted to fuzz for directories and files but was unsuccessful.
As I was using HTB, I suddenly thought of searching for vulnerabilities in that version and discovered a few, such as HTTP request smuggling, a possible buffer overflow with a very large or unbounded LimitXMLRequestBody, and CVE-2017-15710.
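A defender-side check that follows from this step: the finding started with a default page that disclosed the full Apache version. The script below is an added example, not code from the original post; it parses the Server header from recorded HTTP responses, flags hosts that disclose a full version string, and flags Apache builds older than an assumed patched baseline (the `BASELINE` tuple, the `www.example.net` and `cdn.example.net` hosts, and the response headers are all constructed for illustration).

```python
"""Flag Apache hosts that disclose a full version banner or run below a patched
baseline. Added example; sample responses and baseline are constructed."""
import re
from typing import Optional, Tuple

# Constructed sample response headers, as an asset-inventory scan might record
# them. The first mirrors the post's API subdomain (Apache 2.4.29 default page);
# the other two hosts are invented for contrast.
SAMPLE_HEADERS = {
    "api.example.net": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n"
                       "Content-Type: text/html\r\n\r\n",
    "www.example.net": "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                       "Content-Type: text/html\r\n\r\n",
    "cdn.example.net": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n",
}

# Assumed baseline: the oldest Apache httpd 2.4.x release the fleet may run.
# Adjust to the current patched release when using this for real.
BASELINE: Tuple[int, int, int] = (2, 4, 53)

SERVER_RE = re.compile(r"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
APACHE_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def server_header(raw_response: str) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None."""
    m = SERVER_RE.search(raw_response)
    return m.group(1).strip() if m else None


def apache_version(server_value: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'Apache/2.4.29 (Ubuntu)' into (2, 4, 29); None if no full version."""
    m = APACHE_VERSION_RE.search(server_value)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def assess(host: str, raw_response: str,
           baseline: Tuple[int, int, int] = BASELINE) -> dict:
    """Return the host's banner, parsed version and a list of findings."""
    value = server_header(raw_response)
    version = apache_version(value) if value else None
    findings = []
    if version is not None:
        # A full version string lets anyone map the host to known CVEs
        # without touching it; 'ServerTokens Prod' trims the banner.
        findings.append("full Apache version disclosed in Server header "
                        "(set ServerTokens Prod)")
        if version < baseline:
            findings.append(
                "Apache %s is below baseline %s; patch the host"
                % (".".join(map(str, version)), ".".join(map(str, baseline))))
    return {"host": host, "server": value, "version": version,
            "findings": findings}


def scan(headers: dict = SAMPLE_HEADERS) -> list:
    """Assess every recorded host and return only those with findings."""
    results = [assess(host, raw) for host, raw in headers.items()]
    return [r for r in results if r["findings"]]


if __name__ == "__main__":
    for r in scan():
        print(r["host"], r["server"])
        for f in r["findings"]:
            print("  -", f)
```

Trimming the banner does not fix the server; it only removes the shortcut from banner to CVE list. The version comparison is the part that drives patching, so keep the baseline in step with the current Apache release.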
Because there had been an article about these issues, I tried the tests described in those CVEs, and I was able to cause a DoS on that server when verifying the user’s email for account availability.
I assumed that additional vulnerabilities might work as well, so I waited a few days and tried to exploit the other vulns listed, but I was unable to do so because there were no publicly disclosed exploits for them. The next day, I filed a report stating that I had discovered a vulnerable Apache server on their domain, mentioning the DoS and noting “No exploits available for public use at this time.”
They accepted it the next day and requested 14 days for the final procedure, after which they messaged me with the fix and sent a $250 reward after 23 days.
Thanks for reading the writeup,
Hope you like it 😁✌️.