Easy bounties with subdomain discovery

Using Project Sonar for bug bounty

A couple of months ago I started playing around with Rapid7’s Project Sonar. This is a project where they create several datasets and release them for free with regular updates. One of these datasets is their forward DNS set. This dataset is a massive JSON file of over 300GB that contains DNS queries and responses. Soon after learning about Project Sonar, I found DNSGrep, a program that claims to download the dataset and extract and format it in a way that allows you to search for subdomains of a given domain name in a matter of (milli)seconds.

So my idea was simple: download the dataset, extract it using the script I found online and search the dataset for all programs available on Intigriti with a wildcard subdomain scope. Execution of my idea, however, did not go as smoothly. While the search function of DNSGrep worked great, I ran into a lot of issues trying to format the dataset in the first place. After a lot of retries, I gave up on the pure bash approach. The reverse (rev) command just seemed to crash after a while when reversing such a big file line by line. To this day I still don’t know why.

# extract and format our data
gunzip -c fdns_a.gz | jq -r '.value + ","+ .name' | tr '[:upper:]' '[:lower:]' | rev > fdns_a.rev.lowercase.txt

I decided I’d just do the parsing part in Python and get it over with instead of wasting my time trying to find a solution in bash. In the end, my not-so-great Python script looked like this:

The script is nothing to be proud of and took at least 15 hours to run on my 4-core server, but it did the job. I now had a formatted dataset.
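The preprocessing step described above (extract name and value, lowercase, reverse the hostname) and the DNSGrep-style suffix lookup it enables, as an added Python example; this is not the post’s own script or DNSGrep’s code, the gzipped sample records are constructed inline in the shape of the fdns_a records, and the function names are assumptions.

```python
import gzip
import io
import json
from bisect import bisect_left

# Constructed sample in the shape of Project Sonar's fdns_a.json.gz:
# one JSON object per line with name/type/value fields, plus a broken line.
SAMPLE_FDNS_GZ = gzip.compress(b"\n".join([
    b'{"timestamp":"1588000000","name":"WWW.Example.com","type":"a","value":"93.184.216.34"}',
    b'{"timestamp":"1588000000","name":"dev.example.com","type":"a","value":"10.0.0.5"}',
    b'{"timestamp":"1588000000","name":"grafana.example.com","type":"a","value":"10.0.0.9"}',
    b'{"timestamp":"1588000000","name":"notexample.com","type":"a","value":"10.0.0.7"}',
    b'{"timestamp":"1588000000","name":"example.com","type":"a","value":"93.184.216.34"}',
    b'this line is not json and must be skipped',
]))


def format_fdns(gz_bytes):
    """Stream the gzipped JSON-lines data and return sorted (reversed_name, value)
    rows, lowercased. Reversing the hostname turns "everything under example.com"
    (a suffix match) into a prefix match on a sorted list, so a lookup is a
    binary search instead of a scan through the whole 300GB file."""
    rows = []
    with gzip.GzipFile(fileobj=io.BytesIO(gz_bytes)) as fh:
        for raw in fh:
            try:
                rec = json.loads(raw)
                rows.append((rec["name"].lower()[::-1], rec["value"].lower()))
            except (ValueError, KeyError, AttributeError):
                continue  # malformed record: skip it rather than abort the run
    rows.sort()
    return rows


def find_subdomains(rows, domain):
    """Return sorted (hostname, value) pairs for the domain itself and every
    hostname ending in "." + domain. The explicit dot check keeps look-alikes
    such as notexample.com out of the result set."""
    key = domain.lower()[::-1]
    found = set()
    i = bisect_left(rows, (key, ""))
    while i < len(rows) and rows[i][0].startswith(key):
        rev_name, value = rows[i]
        if rev_name == key or rev_name.startswith(key + "."):
            found.add((rev_name[::-1], value))
        i += 1
    return sorted(found)


if __name__ == "__main__":
    for host, ip in find_subdomains(format_fdns(SAMPLE_FDNS_GZ), "example.com"):
        print(host, ip)
```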

Now it was time for me to search through different programs on Intigriti and use my formatted dataset for subdomain enumeration! After a while I found something interesting:

Grafana v5.2.2 login page

An outdated Grafana instance, which after a quick Google search seemed to have a known vulnerability: CVE-2019-15043. I couldn’t find any ready-to-use exploits or proof of concept, however. Luckily, Red Hat’s page has a “Mitigation” section for this CVE, which gave me some hints on where to look: apparently there are some unprotected endpoints. This information, together with Grafana’s API docs, allowed me to create a successful proof of concept.

Successful response from what should’ve been a protected endpoint

Although the program on Intigriti was set to responsible disclosure (meaning no bounties), I still received a €100 bounty in the end for my finding 😀

2 replies on “Easy bounties with subdomain discovery”

Hey Torben,

Interesting finding and write-up. Just an update: you forgot to hide the hostname in the last screenshot you put in. I’m not sure if it is OK to disclose this now as it’s already been fixed.
