How I hacked BBC mail servers
Hey hackers ;)
Today I’ll write about a kind of vulnerability that a lot of hunters forget to search for or test, and some of them don’t know how to exploit it!
The vulnerability we will talk about today is mail server takeover, AKA SMTP server broken access, etc. It has a lot of names, but now let’s talk about it.
My case is unique though, because it’s a kind of chained vulnerability, as I will explain, so let’s start….
First of all I did my normal recon, starting from gathering the domains of the BBC, but unfortunately the BBC has a lot of SSLs, like:
- BBC Studios Distribution Limited
- BBC Studios Limited
- BBC Worldwide
- BBC Worldwide Ltd
So if you want to gather the domains in a correct way you should use every SSL name and extract the domains from it, by doing some reverse whois operations or the other techniques for gathering domains. So I did all of that, then I wanted a kind of general or unique certificate that has all or most of the domains. Also, sometimes I search for an SSL that has a limited number of domains. Seems weird, right?
I know :), but check this:
- I search for the SSL which has a large number of domains in order to avoid wasting time searching for domains with each certificate
- Then I check the SSLs with limited domains in order to see the rare domains, or the domains that are not common, because the vulnerabilities will exist there like the registers in the processor :) [a lot]
So after some searching I got an idea: what if I brought in my homie Shodan in order to search for any new SSL on it? Me to me:
But let’s try, why not man, so I opened Shodan then started with the dork:
This dork will look for any host, domain, etc. related to an organization named BBC, so now if any host appears that is related to the BBC organization, I can clearly see its SSL. So after hitting enter I got this result:
And I did find a new SSL, which is:
- British Broadcasting Corporation
So now we have a new SSL. Then after gathering some domains I decided to start with the main domain of the BBC UK, which is:
I used my automation script (theSubdomainer) in this operation, so I typed the command on my VPS:
- nohup subdomainer -d true -g <github_token> -l domains.txt&
This command will simply run the subdomainer in the background and block any HUP signal from reaching the process when I close the SSH tunnel. So I slept that night thinking about how I could hack this company with critical or high impact.
So I woke up the next day to check the domains and their subs, especially the bbc.co.uk domain, and I found a lot of attractive subs on it. One of my favorite methodologies is to fuzz the attractive subs only, then the other subs, so I take a sub then fuzz it with the dirsearch tool. I love this tool like I love exploitation 🥰
I have a technique for choosing the wordlists, and this technique is:
- Choosing the common files wordlist
- Then detect the technology of the web app then get a wordlist for it
- Detect the web app server then use the wordlist for this server
- Finally get the raft wordlists
So before I started I opened the subdomain, but unfortunately it redirected me to another sub with a login page:
Now I confirmed that this sub contains sensitive info, so I started the war now 🙂.
I took the common files wordlist and I found the /api/ path, GOTCHA! Let’s start the work of my second fuzzing technique:
- If you find an /api/ path or an api subdomain like api-example.com or api.example.com, then you should start your fuzzing with:
- 1. Start with the common API endpoints wordlists
- 2. Then the APIs seen in the wild wordlist
- 3. After that try some GraphQL endpoints wordlists
- 4. Also you can search for actions / objects in this endpoint
So now first let’s try entering the API endpoint and see what will happen and how the application will interact with us:
So as you can see it dumped all the endpoints it has, so first let’s try to enter the /admin/ endpoint. In fact I love admins a lot 😻.
So after entering the admin endpoint I got the following result:
GG homie, now we are in the admin API, which shouldn’t be accessible by default. So for now we have unauthorized access to the admin API, but without impact, so let’s try to access /admin/users so that we can reach any sensitive info:
So I found a lot of emails with permissions & info about the mail users, and I searched a lot till I got the System_Admin info. So I reported it as Broken Access Control or unauthorized access to an admin endpoint. The first time they did not accept it, or they did not clearly understand what this is in fact, & they said that they would check it deeper, so no problem, I’m OK.
So then I decided to do some network pentesting on it, because I was a little sad about the endpoint 🥺, so I opened Shodan and stopped for a while, then I thought like this:
- Hey homie CG, you found emails, right??
- - Yeah, right
- So why not try to find a kind of vulnerability in the mail servers, then try to use these mails!!?
- - Man I love you 🙂, let’s do it
So I started my Shodan recon. I searched a lot using the common certificates for the BBC, but few or no results were found. Then I thought of the certificate which I originally got from Shodan, which is:
- British Broadcasting Corporation
So now I decided to do accurate dorking, so I dorked with:
- ssl:"British Broadcasting Corporation" port:25,587 "Hello"
So now let’s explain this simple dork:
- ssl: specifies the SSL to search for
- port: specifies the only ports to appear in the result
- "Hello" grabs only the connected SMTP connections, because when Shodan connects to an SMTP server, it always tries to send an EHLO (AKA Hello) request to the host to make sure that it can perform commands, so if the SMTP connection is really created and the word "Hello" appears in the response, that means the EHLO request was really sent.
- 25: the SMTP port
- 587: the Encrypted SMTP connection port
- To explain the ports simply: it’s like the difference between ports 80 & 443
Then I got the result:
Before you ask why I hide everything when we can simply type the dork and access all of that: first, because if anyone uses all this info in a wrong way this may cause a problem for me, so I try to make this report as private as I can. Second, don’t ask a lot 😊.
So now when I tried to connect to this SMTP port, which is 25, through my home network it didn’t connect. I did a port scan to make sure that this port is really open, because sometimes Shodan caches the response & they may have closed this port:
So as you can see the rustscan tool didn’t give me any response saying that port is really open, but wait, it’s not the end. Look at this tip homie:
- Sometimes in your home country there are some restrictions on accessing hosts / ports like this from your network, so try using a VPS, and also do this in port scanning 😉.
So I switched to my VPS, then did the port scan and I got the result:
So we did it my homie, now let’s try connecting to it using the telnet command:
- telnet <host> <SMTP port>
So as you can see we connected and we could do the EHLO request with the SMTP command:
- EHLO <host>
Now let’s play homies 😈. So I went back to /api/admin/users to choose mails from it, and I picked two emails like:
Now we have two mails, right? So before continuing let’s explain the workflow of the SMTP commands:
- Specifying sender
- Specifying recipient
- Then knowing the syntax of data sending
- Specifying mail subject
- Specifying mail body
- Sending the mail
And I think now you understand why I picked two mails :). If not, I picked two emails to be one sender and one recipient, so let’s start specifying the parts of this SMTP communication:
- MAIL FROM: mr-High@bbc.co.uk
- RCPT TO: email@example.com
Now the SMTP server accepts the sender and the recipient, so let’s see what the syntax of the data sending is:
So as you can see here, the syntax is:
- Put in all the mail requirements [sender, recipient, subject, body], then enter a "." to end the mail, then send it
So let’s continue:
- Subject: re-test from Cyber Guy
- <hit Enter>
- This is a re-test from Cyber Guy
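The session described above contains no AUTH step, yet the server accepted a sender in its own domain. As an added example (not code from the original write-up), this Python audit replays an SMTP transcript and flags the accepted commands a locked-down server should have refused. The "C: "/"S: " transcript format, the corp.example and partner.example domains, and the policy that local-domain senders must authenticate are assumptions.

```python
import re

def _domain(arg):
    # Lower-cased domain of the address in a MAIL FROM / RCPT TO command.
    m = re.search(r"<?([^<>\s]+@[^<>\s]+)>?", arg)
    return m.group(1).rsplit("@", 1)[1].lower() if m else ""

def audit_session(transcript, local_domains):
    """Return (finding, command) pairs for accepted commands that should have
    been refused. The "C: "/"S: " transcript format is an assumption of this example."""
    findings, authed, in_data, pending = [], False, False, None
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            if in_data and text != ".":
                continue                      # message body, not a command
            in_data, pending = False, text
            continue
        if side != "S" or pending is None:
            continue                          # rest of a multi-line reply
        code, verb = text[:3], pending.upper()
        if code == "235":                     # 235 = authentication succeeded
            authed = True
        elif verb == "DATA" and code == "354":
            in_data = True
        elif code == "250" and not authed:
            if verb.startswith("MAIL FROM") and _domain(pending) in local_domains:
                findings.append(("unauthenticated-local-sender", pending))
            elif verb.startswith("RCPT TO") and _domain(pending) not in local_domains:
                findings.append(("unauthenticated-relay", pending))
        pending = None
    return findings

# Constructed transcripts; corp.example and partner.example are placeholders.
SPOOFED = """
C: EHLO client.example
S: 250-mx.corp.example
S: 250 PIPELINING
C: MAIL FROM:<exec@corp.example>
S: 250 2.1.0 Ok
C: RCPT TO:<staff@corp.example>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: re-test
C: .
S: 250 2.0.0 Ok: queued
"""
INBOUND = SPOOFED.replace("exec@corp.example", "sender@partner.example")
```

On Postfix, for example, the matching controls are `permit_sasl_authenticated, reject_unauth_destination` in `smtpd_relay_restrictions` and `reject_sender_login_mismatch` in the sender restrictions.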
So finally I was able to compromise over 4 or 4 BBC mail servers with that, and more also 😉. Then finally they accepted the first report about the sensitive endpoint and the second report about the mail server takeover. And I became a BBC Hall Of Famer. Wait for coming write-ups on BBC, Allah willing.