How I was able to get more than 10k cPanel and full hosting admin dashboard access in 30 min
INTRODUCTION:
This article is a short story of my first experience in penetration testing as a freelancer in 2019.
The service was done by me, under a contract signed by the contractor (me) and the client (the CTO of a Russian company).
During this pentest, I was able to access the hosting's admin dashboard (WHMCS) and gain access to more than 10K cPanels and VPSes.
Details:
After some discussions between me and the client, we agreed on a simple Vulnerability Assessment service. Since this was my first client and my first experience, I wanted to give my best during this service and put all my effort into this opportunity, not just a Vulnerability Assessment, so I planned to deliver a full Penetration Testing service as a bonus!
For those who do not know the difference between a vulnerability assessment and a penetration test, here is a brief definition of the two.
Vulnerability Assessment:
A vulnerability assessment is a systematic review of security weaknesses in an information system. It evaluates whether the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation or mitigation where needed.
Penetration Testing:
A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyber attack on a system, performed to evaluate the security of that system; it is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.
The scope was a hosting company (shared hosting). The CTO provided me with a simple URL of his company website; let's imagine "xyz.ru" and "xyz.com" are the main website under different ccTLDs. It is a simple website for creating websites, selling VPSes and the other things every hosting business offers; at the payment step, you are redirected to "clients.xyz.com", which is WHMCS.
What is WHMCS?
It’s an automation platform that simplifies and automates all aspects of operating an online web hosting and domain registrar business. Save time and money with WHMCS. Optimize and automate your business with the WHMCS billing and automation platform.
From my previous knowledge of this CMS, I knew this site was the beating heart of the company's business and noted it as the initial target.
I won't go through the whole pentesting process; I started by checking the main website "xyz.com": its IP, ports, which technologies and frameworks it uses, etc.
The main website was using the Laravel framework, a specific version vulnerable only to XSS and some information disclosure vulnerabilities. I was not satisfied with that result. My favorite second step after completing the web application work (enumeration, fuzzing and scanning) is subdomain enumeration.
The easiest way to list most of a website's subdomains is via the VirusTotal website: https://www.virustotal.com/gui/domain/xyz.com/relations
Through this link, I was able to list some subdomains like:
“mail.xyz.com”
“dev.xyz.com”
“support.xyz.com”
“ftp.xyz.com”
…etc
One subdomain that caught my attention was "xyz.xyz.com". Once I opened it, it appeared as an exact copy of the original site (same framework, same design, etc.). At first I was going to leave it, because I thought I wouldn't find anything in it since it was exactly like the main site I had already scanned. After checking the whole subdomain, I found that, unlike the main website, it did not contain the online chat with support and did not contain all the topics, but it was not completely different from the main site.
I realised that this was a beta version. Even if it would not be vulnerable itself, most admins and developers don't care much about password policies or about hiding backup/config files from the public in such a version.
I made a small password and user list and brute-forced the admin panel with one of the brute force techniques.
Boom!
The brute force completed successfully with a valid username and password; let's call these credentials (user1 / password1) for example, on www.xyz.com/admin.
The next step was controlling the server and the website by uploading a backdoor I made (1.php) through the admin profile page www.xyz.com/admin/profile/. The easy way was with Burp Suite: editing the profile photo, uploading the PHP backdoor as a JPG, and accessing it through www.xyz.com/images/1.php.
Now we had a simple user on a Linux server in a different range and network, and my initial target was the whole WHMCS hosting.
With the previous credentials, I was able to list all users and admins on the subdomain; for sure, one of them was a valid admin on our main website "www.xyz.com", and from their edit form I was able to extract their password with Inspect Element.
I prepared another username and password list from what I had just extracted, and did another brute force with the new lists on the admin panel at www.xyz.com/admin.
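The profile-photo upload above worked because the server trusted the client-supplied file name and extension and kept the file inside a web-served directory where PHP executes. The following is an added example, not code from the original post or from WHMCS, showing the checks a defender would put on that upload path: the image type is decided from magic bytes, the client's file name is ignored entirely when choosing the stored name, and the bytes are scanned for script markers so that a valid JPEG with PHP appended is rejected. The function names, the 2 MiB limit and the sample inputs are assumptions constructed for the example.

```python
import os
import re
import secrets
from typing import Optional

# Image types we accept, keyed by their leading magic bytes. The type is
# taken from the content, never from the extension or Content-Type header.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# A JPEG with "<?php ..." appended is still a valid JPEG, so magic bytes
# alone are not enough; a cheap marker scan catches the common polyglot.
# (A production handler would additionally re-encode the image through an
# image library, which drops any trailing payload.)
SCRIPT_MARKERS = re.compile(rb"<\?php|<script", re.IGNORECASE)

MAX_BYTES = 2 * 1024 * 1024  # constructed size limit for the example


def detect_image_type(data: bytes) -> Optional[str]:
    """Return 'jpg'/'png'/'gif' from the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def rejection_reason(data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise why it is rejected."""
    if len(data) > MAX_BYTES:
        return "too large"
    if detect_image_type(data) is None:
        return "not a recognised image"
    if SCRIPT_MARKERS.search(data):
        return "embedded script markers"
    return None


def store_upload(data: bytes, client_filename: str, upload_dir: str) -> str:
    """Validate and save the upload, returning the stored file name.

    client_filename is deliberately unused for naming: whether the client
    sent '1.php', 'avatar.php.jpg' or 'x.jpg', the file lands on disk as
    <random hex>.<detected type>, so the extension can never be attacker-chosen.
    """
    reason = rejection_reason(data)
    if reason is not None:
        raise ValueError(f"upload rejected ({client_filename!r}): {reason}")
    name = f"{secrets.token_hex(16)}.{detect_image_type(data)}"
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    # Constructed inputs: a minimal JPEG header, and the same header with PHP appended.
    jpeg = b"\xff\xd8\xff\xe0" + bytes(64)
    print(rejection_reason(jpeg))                        # None
    print(rejection_reason(jpeg + b"<?php echo 1; ?>"))  # embedded script markers
```

Content validation is only half of the fix: the directory the files are written to must also be served without script execution (a web server rule that denies PHP handling under the upload path, or storage outside the document root behind a static handler), so that even a file that slips through validation is returned as bytes rather than run.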
Boom again!
A valid username and password. With the technique I explained before, I uploaded my shell and got access to my target, even though it is on a different server.
With the config file at www.xyz.com/includes/config.php, I got access to the database.
Here, in this table, I found all the clients (domain owners with their cPanel credentials).
With the same config I read, and through my access to the database, I was also able to add myself as an admin in the WHMCS at "www.clients.xyz.com", since they are using the same config.
Authentication was successful.
I wasn't taking a lot of screenshots, because this WHMCS admin panel is enough.
Target done; the whole business is in my hands now.
Let's write an explained report of my pentest (bonus service), and another Vulnerability Assessment report as the client asked.
Note:
I am writing just to share ideas, not for technical knowledge, and it was in 2019, not 2023!
Best regards