How i got admin panel without opening the target

Milad Safdari (Eulex)
5 min readMay 2, 2024

--

Hi guys, it’s me Milad i come back with another interesting finding.As you may confused from tittle of this article and may ask how it was possible ? but just let me just show you my magic :)

a photo generated by AI after reading this article

A few days ago i have read a write up about how a Hacker build different approach to find some secret, then it comes to my mind can i build a different approach too ? after i thought so much and did research, but couldn’t find any way, then this quote came in my mind.

for building a car you don’t need built it from zero instead you can see anothers findings and try to make them better.

After that i start analyzing some approaches that hackers must uses to find bugs, i have a fantastic style to solve my problems i just write full detailed problem on a paper , like why i get bunch of duplicates and somethings like that, then tried to find, what can i change from my side, because we probably can not change things, which are not under our control,I founded, that i do the exact same thing that i learn from write-ups, books or any sources by analyzing my patterns. To be honest with you guys, why you thinks you can find bugs on targets that tested our 3 or more years from thousands of researchers. the answer of this question is my approach. and here are some solutions i founded.

  • Look carefully what others do and find how can you make it better, Sometimes a subdomain more leads to sweety bug.
  • If you thinks that is hard to find bug like the flow is confusing to understand , just go ahead because anothers thinking like you.
  • Know what you want, don’t run x8, because it is nice , understand what your goal is.

I know i speak lot so far,but you may noticed so far, that my main goal is not to show you my findings and get clap from you.If you do exactly, what i did then what is the different between you and someone else, why should you get paid for it ? , because it is not more a zero day and everyone use it after reading this article.I will, that you see my findings as an example and go ahead and develop you way.Anyway if you work on a fresh program or have a penetration program it may work for you, but not on program that was 2 years or more on programs and tested our different hackers. Now lets Begin the hacking :)

Start

the program was a whole functional program for developers to test there apps ,there main app was only in scope,but for us hunters even the status of relationships of employees are in scope too :)

I just take the Organization name and search in sources like google, GitHub, Giglab and every platforms begin with “G” :)) I Founded that the organization has a GitHub repository which is very common for such Company.Just search for GitHub leaks dork and see in YouTube how another hackers do this kind of hacking.

I founded it out and write of a paper that must of hunters search for specific words like “API, Password, secret ” and must of them recommend gitleaks tool which is very cool and make everything easy.Now Golding part begin this repository has more than 15K stars.I ask my self if it possible that 15k hunters didn’t run it on my target which was 3 years on Hackerone as private program ? you know the answer.

I just write my goal on parer which is finding secrets after it, i ask my slef this question what can i not find with gitleaks ? yes you guess write, custom word and the reason is, why should developer write his secrets in such pattern like API=”API_KEY ”, i know it is common, but he is a developer and we don’t even know the style of he coding or she coding.The second thing comes to my mind was, why should be the API key or secrets plain text ? maybe developer thinks base64 encoding is a best way to protect his sensitives.Like this There are thousands of ways that developers maybe do which, while testing didn’t comes in my mind to check them.

After making some consumption i start to test them, like below.

  1. Downloaded all Repositories of Organization, using public GitHub API, because there ware more than 200 repositories.
  2. Now i would to have all commit changes in every repositories just run the simplest bash code, in below you will see it.
ls | while read  line; do cd $line ; git log  | grep commit  | cut -d " " -f2  | while read log ; do git show $log ; done >> Logs ; cd ../ ;done;

4. In this level, I have start reading every repositories to figure-out the pattern of developer.

5. I founded that developer stored sensitive infos in variable like “PLATFORM_SOMETHING=some-secrets”. He used the name of platforms and random to store it’s secrets.

6. I found another interesting pattern of the developer, he encoded some secrets in base64 after decoded i found some secrets like “export AUTH-KEY=API Key Here”.

I searched in google to inform me how can i use this secrets.I founded the platform that his data belongs to, it was a kind of debugging platform, where you can run virtual machine for debugging and if your app has error it sends them to the platform.

I have read the API documentation and tried to create a user with admin access to this platform using founded API Key. I did some research like how to find team UUID because i needed to know which team i will register a user, after that i have created successful my user as admin, then i used public login page and gain access, you will see it below.

Yes as you see, it is so easy. The important thing was to find the write word for search.

Now we are at end of this article I hope you have enjoyed this article if you have any question please let me know, i would happy to know, what is your perspective from this kind of article.If you like this kind of article clap me up to 50 times, It will boost me to write more and more.

Happy Hunting and Be a Hacker !

--

--