Subdomain Brute Forcing Leads to Admin Access in the Navy

Web Application Security, Default Credentials

This post is about my first valid and critical bug on HackerOne in 2023 where I utilized different kind of recon techniques to end up getting admin access.

Dorking #

While Google Dorking “”, I encountered results with minimal content. So I tried dorking with DuckDuckGo, where I used git to search for Git files.

Despite the limited results I received from DuckDuckGo, there was one domain in particular that stood out to me.

Brute Forcing #

I started to brute force subdomains with ffuf because I figured that there’d be more subdomains within the DevOps domain since DevOps usually contains various development, testing, and deployment tools.

I began subdomain brute forcing using Assetnote’s best-dns.txt wordlist, which I often use for brute forcing subdomains. I ran the command below in my TMUX session:

ffuf -u -w /opt/wordlists/assetnote/best-dns-wordlist.txt

I used a tool that I wrote for concatenating the subdomains found from ffuf with the domain provided:

./ -d -f ffuf-output.txt

The result:

Admin Access #

The “artifactory” subdomain hosted a JFrog login page. I started looking for any JFrog CVEs, but had no luck there. Many systems come preconfigured with default credentials, so I googled for JFrog’s default credentials. To my surprise, the site had default credentials enabled, which were “admin:password”. I managed to get admin access.

The vulnerability was accepted, marking my first valid and critical finding on HackerOne, and to the U.S. Department of Defense.

Image Description

Image Description