Hi Everyone, Hope you all are doing well and hunting bugs 😉

So in my first write-up, I showed how I found a critical bug in a private company and got my name on their hall of fame list. Today I will demonstrate how I got my name in BBC’s Hall of Fame by only doing recon.

What is Recon?

In simple terms, it is the process of gaining as much information about the target as possible.

Most beginners (like me :p) ignore this part and start hacking right away on the main domain, which is wrong. Sometimes you can get rewarded just by doing recon.

So now that we are done with the intro part, let’s get started 🙂

So my target was BBC, and the first thing I did was enumerate all the subdomains using subfinder and sublist3r and save the results in a single place. After that I started visiting each subdomain one by one and looking at the web application functionality. I then found a rate limit vulnerability and reported it to the company, but unfortunately it wasn’t in scope and I was like :-

But as we know, great things take time, so I decided to give it another shot. The next day, I tried to find some vulns in any of the subdomains but didn’t find anything. I kept looking for bugs for a week or two but still found nothing.

I was about to give up (like most people would at this point), but deep down I knew that the only reason I was not finding bugs was that I didn’t have enough knowledge. So why not collect some knowledge instead of giving up 😉

So I decided to read write-ups and watch videos from channels like NahamSec, STOK, Farah etc. After a week of gaining some knowledge, I was prepared to attack again, but this time I thought “I will spend most of my time on recon rather than attacking”. So the first thing I did was collect the root domains of the company, and only after that go for the subdomains.

After that I found an Account Takeover vulnerability in one of the root domains of BBC and I was like:

But unfortunately, it was not in the scope either 🙁

But at this point, I was very happy that I had found something critical. So the next day, I started my recon process again, and this time I wanted to find a root domain which was in scope. After spending 3–4 hrs on recon, I found a domain which was in the scope, bbctest01.co.uk, but when I tried to open it, it showed me the following error:

At first I thought that this domain was not in the scope, but then I found that it had a security.txt file, which means it is in scope (to check whether a domain is in scope or not, we just have to look for security.txt on the domain, e.g. bbc.com/security.txt).

So now I decided to do some more digging. I ran sublist3r and subfinder on this domain and used httprobe to find live subdomains. After that I found a subdomain which was running WordPress. So I ran wpscan (a great tool for scanning WordPress plugins for vulnerabilities) and found that xmlrpc.php was publicly available.
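The recon steps above (merging the output of several subdomain tools into one list, then checking a candidate root domain for a security.txt) as an added Python example; this is not the author’s own tooling, and all input below is constructed sample data. It assumes the security.txt has already been fetched (RFC 9116 places it at /.well-known/security.txt, with /security.txt as the legacy location) and checks its Contact and Expires fields so a stale file is not mistaken for an active disclosure policy.

```python
"""Offline helpers for a recon workflow: deduplicate subdomain-enumeration
output and parse a security.txt (RFC 9116). Added example, not the author's
scripts; sample data below is constructed."""
from datetime import datetime, timezone


def merge_subdomains(root, *tool_outputs):
    """Normalise raw lines from subfinder/sublist3r-style output, keep only
    hosts under `root`, and return them deduplicated and sorted."""
    seen = set()
    for out in tool_outputs:
        for line in out.splitlines():
            host = line.strip().lower().rstrip(".")   # trailing dot, case
            if not host or host.startswith("#"):
                continue
            if host == root or host.endswith("." + root):
                seen.add(host)                        # drops out-of-scope hosts
    return sorted(seen)


def parse_security_txt(text, now=None):
    """Return the security.txt fields (repeated keys kept as lists) plus
    whether the file advertises a contact and has not expired."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue                                  # comments / blank lines
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    now = now or datetime.now(timezone.utc)
    current = False
    if "expires" in fields:                           # RFC 9116 requires Expires
        exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        current = exp > now
    return {"fields": fields, "current": current,
            "has_contact": "contact" in fields}


# Constructed sample tool output and security.txt (hypothetical domain).
SUBFINDER_OUT = "www.example.co.uk\nblog.example.co.uk\n"
SUBLIST3R_OUT = "Blog.example.co.uk\nwww.example.co.uk.\ncdn.other.com\n"
SECURITY_TXT = """# constructed sample
Contact: mailto:security@example.co.uk
Expires: 2099-01-01T00:00:00Z
Policy: https://example.co.uk/security-policy
"""

if __name__ == "__main__":
    print(merge_subdomains("example.co.uk", SUBFINDER_OUT, SUBLIST3R_OUT))
    print(parse_security_txt(SECURITY_TXT))
```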

I quickly made a report and sent it to the BBC’s security team, but again they marked this report as not in scope. The main reason was that I had not written a good report, which is why they were unable to understand its impact. After that, I spent 30 mins creating a proper report for this vulnerability and sent it to the security team again. And after that, I got the following reply from them:

After this, they added my name to their Hall Of Fame list:

And here I was like:

Important Takeaways:

1- Spend time on recon.

2- Instead of giving up, always focus on learning new stuff.

3- Follow the road less traveled.

4- Spend time on writing reports; make sure to demonstrate the impact of the vulnerability you found.

So that’s it for this article. I hope you all liked it, and please forgive me if my English was bad 🙂

Peace Out.