Currently at time of writing I'm ranked #1 finder of Bugs on https://hackerone.com/pornhub which is a nice position to hold. This post is to explain the techniques I've used to get to where I am and how I found my most recent $2500 bug on pornhub. To update this post also this finding has now been included within Web Hacking 101 by Peter Yaworski.
Difficulty: Low
URL: stage.pornhub.com
Report Link: https://hackerone.com/reports/119871
Date Reported: March 1st, 2016
Bounty Paid: $2500
Twitter: https://twitter.com/ZephrFish
####Probing for Holes Starting out on most bounty hunts & pentests I always carry out reconnaissance, this varies across scopes however for the original pornhub bounty their scope was:
*.pornhub.com
To which I thought great! ALL the targets. Subdomain enumeration using various DNS tools my weapons of choice are shown in the list below. However as good as the default lists are, from previous DNS research I have built a custom list of over 1 million unique sub domains pulled from: All Your Hostnames are Belong to Us.
Long story short, I identified close to 90 unique hostnames, next stage in enumeration for me personally is visually mapping the estate. This was achieved using Eyewitness, fed it the list of urls and it dropped a html report of the urls that have valid http/https pages.
From this the fun begins, mapping out the domains for potentially interesting ports open begins.
Using nmap, I was able to discover some random ports open on a selected subdomain:
stage.pornhub.com
Firstly using basic nmapping, I decided to have a pop at this subdomain, however an IP is easier to scan than a domain.
nslookup stage.pornhub.com
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: stage.pornhub.com
Address: 31.192.117.70
Now that I have an IP, let the games begin:
nmap -sSV -p- 31.192.117.70 -oA stage_ph -T4 &
Starting Nmap 6.47 ( http://nmap.org )
Nmap scan report for 31.192.117.70
Host is up (0.017s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
80/tcp open http nginx
443/tcp open http nginx
60893/tcp open memcache
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.73 seconds
Looks fairly box standard, but wait, WTF is memcache? WTF is port 60893?!?! lmgtfy: After some quick research I found it is a service for object caching found here: https://memcached.org/. Further reading landed me at the WiKi for it, https://github.com/memcached/memcached/wiki all the commands required, all the information!
Straight from their website: Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering. What did this mean for me? Well not a lot but surely this shouldn't be exposed to the internet? What happens if I connect to it with netcat?
DB & API you say? Now that this new found port was exposed time to poke at it. so simply using netcat to attack it:
nc 31.192.117.70 60893 -v
version
VERSION 2.1.1r-49-gbe05158
stats
STAT pid 8141
--SNIP--
STAT evictions 0
END
Nothing malicious, just a quick version check and some statistics. From this I decided this should probably be reported to Pornhub as the service was clearly responding to commands. Further investigation uncovered that there are more malicious commands that can be run, including clearing the system or causing an overflow.
As a result I reported this to pornhub who followed this timeline:
- Reported on Hackerone to Pornhub: March 1st 2016
- Pornhub Verify it's an issue: March 1st 2016
- Pornhub Triage Bug: March 1st 2016
- Pornhub Award $75 Bounty: March 8th 2016
- Report Disclosed Publicly: May 26th 2016
- Pornhub re-award vulnerability with a $2,425 bounty: May 29th 2016
Pornhub Network issued the following statement:
We have modified the payout table to better align with the other public bounty programs. We want to be fair with every researchers, and as such we are retroactively crediting all past submissions according to the new payout table.
Overall it was a decent outcome, $2500 is a decent bounty as it was originally, 75 so a 2425 increase is always appreciated.
This issue has now been fixed, pornhub have closed the port and removed the service