How I got a shell on Google Acquisition ?
Getting a shell on Google Acquisition.
Getting a place on Google hall of fame is a milestone for any bug bounty hunter. With this in mind, I started reading Google’s Vulnerability Reward Program and noticed that all the Google Acquisitions are a part of the program once it passes 6 months mark. So I decided to read more about recent Google Acquisition. Wikipedia has an aswesome page which contains an entire list of the companies acquired by Google. I decided to check the companies which were acquired in 2014 so that I was assured it is eligible for the bounty program.
After some reconnaisance, I decided to fix my target on
songza.com which was acquired by Google in July 2014. When I visited the website, I got redirected to
daily.songza.com which was running on Wordpress 3.8.1. The Wordpress version 3.8.1 itself has several vulnerabilities (latest version is 4.4.2 at the time of writing) but I was not interested in those. I decided to enumerate the Wordpress users available so that I can try logging in with them using common passwords.
After the enumeration, I saw that the site has 9 users. I manually tried logging in with some common password formats. One of them turned out to be correct and I got logged in ! I couldn’t believe my eyes at first but the logged in user was an Administrator. One of the usernames among the enumerated one was
Michael and his password was nothing but his username (
Michael) itself !
So, now I got the admin panel of the site. Now I had 2 options:
- Report this to Google now along with its after effects or
- Upload a PHP shell as a valid Wordpress plugin and use it to achieve command execution !
I believe that by now you would have guessed which option I would have chosen. So I quickly searched for a PHP reverse shell and got one:
Original Author: PentestMonkey
Now I added some comments to the top of the page so that the shell will truly look like a Wordpress plugin with Author information.
* Plugin Name: Shell
* Plugin URI: https://blog.0daylabs.com
* Author: a0xnirudh
* Version: 1.0
* Author URI: https://blog.0daylabs.com
After this, I zipped the PHP shell and uploaded the plugin. The moment I clicked on
Activate plugin on the dashboard, I got a reverse shell back to my server. I can now execute commands on a Google Acquisition !! :O
I reported this to Google but they were not happy since I uploaded a shell. Now they have to involve the Incident response team to secure the server back. They also warned me that uploading shells was against their policy but since it was my first bug report, they didn’t disqualify it.
Next time when you get a vulnerability using which you are sure that you can upload a shell, better stop it there and report (I know how hard it is to stop there but just report it and let it go or else you might get disqualified) !
Google payed me $1337 for this report and listed my name on their Security Hall of Fame.