Saturday, August 24, 2019

From Github Recon To Account Takeover

Hi everyone, after a long time I am doing a write-up on GitHub recon which leads to full account takeover. A few days ago I got a private invite where the in-scope target is only the mobile app.

As it's a private program, we will refer to it as Example App. So I went through all the endpoints and functionality of the application; I didn't find anything critical. So I thought I'd give their GitHub a try.

If you want to learn how to do GitHub recon, there is a detailed tutorial by Th3G3nt3lman.


So I started my search with the keyword passwd; I got 3-5 results.

After going through all the files, I got a valid password in a file called config.properties.


So the app uses OTP-based authentication, and I got the credentials for the third-party service which they are using for SMS.

Using those credentials I logged into the SMS provider portal. There is a section called SMS delivery where all SMS delivery reports are stored along with the phone number and the text sent to that number.



So now I have all registered users' mobile numbers and the OTP delivery reports along with the OTPs.


So I just requested an OTP, got the valid OTP from the delivery report, and logged in to any user's account 😎


Hope you guys like it; share your feedback in the comments.
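
For the defending side, the exposure described above (a live password committed in config.properties and found by searching for passwd) can be caught before a push. The following is an added example, not code from the original post: a Python check that parses a .properties file and reports secret-looking keys that carry literal values. The key-name patterns, placeholder conventions and sample file are assumptions constructed for illustration.

```python
import re

# Key names that usually hold secrets; "passwd" is the keyword from the post.
# The pattern list is an assumption, extend it for your own code base.
SECRET_KEY = re.compile(r"passwd|password|pwd|secret|token|api[_.-]?key", re.I)
# Values that defer to the environment or are empty/dummy (assumed conventions).
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|<[^>]+>|changeme|\*+)?$", re.I)
ENTRY = re.compile(r"([^=:\s]+)\s*[=:\s]\s*(.*)")


def parse_properties(text):
    """Yield (line_no, key, value) for each entry of a Java .properties file."""
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            start = no
        # An odd number of trailing backslashes continues the entry.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        match = ENTRY.match(pending + line)
        pending = ""
        if match:
            yield start, match.group(1), match.group(2).strip()


def find_hardcoded_secrets(text):
    """Return (line_no, key) pairs; values are never echoed into logs."""
    return [(no, key) for no, key, value in parse_properties(text)
            if SECRET_KEY.search(key) and not PLACEHOLDER.match(value)]


# Constructed sample, not the file from the write-up.
SAMPLE = """\
# sms provider settings
app.name=ExampleApp
sms.gateway.user=example-user
sms.gateway.passwd=Constructed-Value-123
db.password=${DB_PASSWORD}
push.api_key : \\
    constructed-key-part
smtp.password=
"""

if __name__ == "__main__":
    for line_no, key in find_hardcoded_secrets(SAMPLE):
        print(f"config.properties:{line_no}: literal value for '{key}'")
```

Run as a pre-commit or CI step, a non-empty result should block the change; any credential that has already reached a repository must be rotated, since removing the file does not remove it from history.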




 

2 comments:

Sonali said...

How did you find that password🤔..
Don't know the tricks, but it's interesting...
