Pageviews

Pwning LODHA for Fun & Learning

Hi Internet,

While having a quick glance to their website I concluded  their  will be multiple security issues in it.
Img Src: https://www.lodhagroup.com
Lets get started, and do sub-domain enumeration using WGET this time
 Once you have index.html I utilize "cut" & "grep" command to find sub-domain from html file.
Save the above script in .sh and index.html in same folder and run it.
Their you go, you will not get much sub-domain, but chances are their you get unique ones, moving further, I targeted on qcm.lodhagroup.com which was LODHA Quality Management System.
Okay ummmmm! spending lot more time and performing recon on it, still I wasn't able to get anything. Again, came back scratching my head and took a look on index.html file which we downloaded from WGET as mention in above step, and guess what.
Their was this small little /rest-api/ folder in href tag was which commented out in the source code.
Without thinking, much I ran curl to that path.
Arghhh! Log's (Gem's) everywhere, it was having logs from 2014-2018 for each and every activity perform in Quality Management System of LODHA.
Then what WGET all the things. I downloaded all logs to perform further analysis.
Remember, our old trick which we did in McDonald's use grep command to filter keyword specific.
So, I got 3000+ LODHA co-operate email and passwords 😅 where 2720 are unique and guess what even, I had access to QMS console.
Assumption:  As per LinkedIn their are 4200 employees working with LODHA
and I already have passwords for 2720 workers 🤐 not bad though anyways, hope you like the read, however no bounty or acknowledgement was provided. 

PS: Looks like, I have a good dump of passwords now from Pwning McDonald and Pwning LODHA, I'll upload only passwords on GitHub so that it can be used as dictionary and may help you somewhere during your bruteforce attack.


Struggle for closure :
15-03-2018: Message sent via Twitter (No Response)
15-03-2018: Mail sent to enquiries@lodhagroup.com (No Response)
16-03-2018: Explain this issue over telephone
17-03-2018: Received call from LODHA IT & Security Team
17-03-2018: Interim report shared via mail to team
19-03-2018: A reminder mail was sent
20-03-2018: Got a response from a member, requesting to resend the report
20-03-2018: Report shared again  
22-03-2018: A reminder mail was sent again
22-03-2018: Issue patched
23-03-2018: I went for a public disclosure.



Regards
Dhiraj

1 comment: