IT-Securityguard Blog

[BugBounty] Decoding a $😱,000.00 htpasswd bounty



A private Bug Bounty Program had a globally readable .htpasswd file. I cracked the DES hash, got access to development and staging environments and was rewarded a shitload of $.

[Tools used]

  • Google dork query (site:* -www)
  • dirbuster
  • john (John the Ripper) with a wordlist

[/Tools used]

Today I want to share something with you that I recently discovered in a private Bug Bounty Program. Due to private program restrictions, I am not allowed to disclose the identifying details of the bug, so I’m just going to share my techniques and how I discovered it.

So, as a first step, I looked for potentially vulnerable subdomains using a Google Dork query, site:* -www, and then looked for interesting stuff. One particular domain caught my attention, so I had a look at it. On review, the site looked pretty unspectacular, so I decided to use the tool „dirbuster“ to look for the juicy stuff. I was about to give up when I saw the tool had discovered a .htpasswd file with an HTTP status 200. With a bit of excitement, I visited the URL and was pretty surprised to see the file rendered.



So what exactly is this? As some of you may know, several webservers offer a mechanism called Basic Authentication, and .htpasswd is the file in which Apache keeps the usernames and password hashes for it. While I now knew the username was us3r, the password was still encrypted… Now, in similar cases, I’ve seen passwords simply being Base64 encoded, but here the encoding didn’t look like anything I was familiar with. After some Googling, I realized it was DES (Data Encryption Standard), in the form of the traditional crypt(3) password hash. Based on what I read, while DES is now considered insecure and susceptible to theoretical attacks (thanks Wikipedia), there are no trivial methods known for breaking DES itself. So instead, I used a simple password cracking tool called john (John the Ripper), with the help of @nijagaw Nico who pointed me to a nice wordlist (Link), to crack it.

Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])

After some time I finally had the cracked password.
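The john output above identifies the hash as descrypt, the traditional crypt(3) scheme, and the easiest way to recognise that family is by the shape of the hash field. As an added example (not code from the post or any of the tools it mentions), here is a small audit script that parses .htpasswd text, classifies each entry by scheme, and flags everything that is not bcrypt. The file content, usernames and hash values are constructed for the example; the scheme patterns follow the formats htpasswd writes (descrypt: 13 characters from [./0-9A-Za-z], two of them salt; $apr1$ MD5; {SHA}; $2y$ bcrypt).

```python
import re
from dataclasses import dataclass

# Constructed sample .htpasswd content (not the file from the post; the
# usernames and hash values are made up for this example).
SAMPLE_HTPASSWD = """\
# users for the staging vhost
us3r:abJnggxhB/yWI
alice:$apr1$saltsalt$u4ad2zYf7WrQyo8I7/1J51
bob:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
carol:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
dave:plaintextpw
"""

# Recognised htpasswd hash schemes, checked in order. "descrypt" is the
# traditional crypt(3) scheme john reported: 13 characters from
# [./0-9A-Za-z], the first two being the salt. Any other 13-character
# value from that alphabet is indistinguishable from it by shape alone.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"), "ok"),
    ("apr1-md5", re.compile(r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), "weak"),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "weak"),
    ("descrypt", re.compile(r"^[./0-9A-Za-z]{13}$"), "weak"),
]

WHY = {
    "descrypt": "DES crypt(3): 12-bit salt, password truncated to 8 characters, fast to brute-force",
    "sha1": "unsalted SHA-1: equal passwords give equal hashes, fast to brute-force",
    "apr1-md5": "salted MD5 with 1000 rounds: better than descrypt but still cheap to attack",
    "plaintext": "no hashing at all",
    "bcrypt": "adaptive cost; the scheme to migrate to (htpasswd -B)",
}


@dataclass
class Finding:
    line_no: int
    user: str
    scheme: str
    severity: str  # "ok", "weak" or "critical"
    reason: str


def classify_hash(value: str) -> str:
    """Return the scheme name for one htpasswd hash field."""
    for name, pattern, _ in SCHEMES:
        if pattern.match(value):
            return name
    return "plaintext"


def audit_htpasswd(text: str) -> list[Finding]:
    """Parse htpasswd text and report the hash scheme of every entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(line_no, "?", "malformed", "critical", "no ':' separator"))
            continue
        user, value = line.split(":", 1)
        scheme = classify_hash(value)
        if scheme == "plaintext":
            severity = "critical"
        else:
            severity = next(sev for name, _, sev in SCHEMES if name == scheme)
        findings.append(Finding(line_no, user, scheme, severity, WHY[scheme]))
    return findings


def weak_users(text: str) -> list[str]:
    """Usernames whose stored credential is not bcrypt."""
    return [f.user for f in audit_htpasswd(text) if f.severity != "ok"]


if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {f.line_no:>2} {f.user:<6} {f.scheme:<9} {f.severity:<8} {f.reason}")
```

Running it on the sample lists us3r, alice, carol and dave as accounts to rehash. The scheme check is only half of the fix, though: the file must also not be reachable over HTTP at all, which is why Apache's stock httpd.conf carries a `<Files ".ht*">` block with `Require all denied`, and why the 200 response in this post is the actual bug.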

But what now? The website itself didn’t use any kind of .htaccess and, admittedly, I was a bit lost. However, thanks to the awesome @mongobug, I was able to figure out that each of the following was using Basic Authentication:

  • thestageingstuff.*
  • developmentworkshere.*
  • quark.*
  • devsfavourite.*

Additionally, the fun thing was that the username and password I discovered worked on each and every one of them. In other words, I had access to the company’s development / beta environments.
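Both halves of this story leave traces in ordinary web server logs: the request for the dotfile that was answered with 200, and one Basic-auth account authenticating against several environment hosts. As an added example (not code from the post or from the program concerned), the script below runs those two checks over constructed Apache access-log lines in a format that starts with the virtual host, i.e. a LogFormat beginning with `%v:%p %h %l %u %t "%r" %>s %b`. The hostnames, addresses, timestamps and account names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b ...").
# Hostnames, addresses and the us3r/devbob accounts are made up for this example.
SAMPLE_LOG = """\
www.example.test:443 203.0.113.5 - - [01/Sep/2016:10:12:01 +0000] "GET /.htpasswd HTTP/1.1" 200 47 "-" "Mozilla/5.0"
www.example.test:443 203.0.113.5 - - [01/Sep/2016:10:12:02 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0"
www.example.test:443 203.0.113.5 - - [01/Sep/2016:10:12:03 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
staging.example.test:443 203.0.113.5 - us3r [01/Sep/2016:10:20:15 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
dev.example.test:443 203.0.113.5 - us3r [01/Sep/2016:10:21:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
quark.example.test:443 198.51.100.9 - us3r [01/Sep/2016:10:22:30 +0000] "GET /api/ HTTP/1.1" 200 300 "-" "curl/7.50.1"
dev.example.test:443 198.51.100.9 - devbob [01/Sep/2016:10:23:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# One access-log line: vhost[:port] client ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+)(?::\d+)? (?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Dotfiles a web server must never serve: Apache's own control files plus the usual suspects.
SENSITIVE_DOTFILE = re.compile(r"(^|/)\.(ht[a-z]*|git|env|svn)(/|$)")


def parse_log(text):
    """Parse the log into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def exposed_dotfiles(entries):
    """Requests for a sensitive dotfile that the server actually answered with 200.

    A 403 or 404 for such a path is normal probing; a 200 means the file was served.
    """
    return [
        (e["vhost"], e["path"], e["ip"])
        for e in entries
        if e["status"] == 200 and SENSITIVE_DOTFILE.search(e["path"])
    ]


def shared_accounts(entries, min_hosts=2):
    """Basic-auth usernames that authenticated on at least min_hosts distinct vhosts.

    One account valid across staging, dev and other environments is exactly the
    exposure described in the post; '-' marks unauthenticated requests.
    """
    hosts = defaultdict(set)
    for e in entries:
        if e["user"] != "-":
            hosts[e["user"]].add(e["vhost"])
    return {user: sorted(seen) for user, seen in hosts.items() if len(seen) >= min_hosts}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for vhost, path, ip in exposed_dotfiles(log):
        print(f"SERVED DOTFILE  {vhost}{path}  to {ip}")
    for user, seen in shared_accounts(log).items():
        print(f"SHARED ACCOUNT  {user}  on {', '.join(seen)}")
```

On the sample it reports the served `/.htpasswd` on www.example.test and the us3r account appearing on three hosts, while devbob (one host) stays quiet. The second check assumes each environment has its own .htpasswd; if one file is shared between vhosts by design, the right fix is separate credential files per environment rather than tuning the threshold.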

The next step? Report it to the program owner who responded quickly, and resolved the issue even quicker. Kudos to them.

End of the story 🙂


6 comments

  1. Damn, you eggplant

  2. Pingback: Weekendowa Lektura 2016-09-09 – bierzcie i czytajcie | Zaufana Trzecia Strona

  3. You should remove the references to Uber from your screenshots. I don’t think they’d appreciate a public blog post on an otherwise unpublished 10k bounty mate.

  4. Often, you don’t need to crack a password, just get a hash collision.

  5. Good to know the ‚thousand dollar‘ tools you used
