Always Test Default Credentials on Bug Bounty even if it’s 2024

Scr1pty
3 min readMay 23, 2024

--

>Small Story Time

Hello, scr1pty on touch! Have you ever read write-ups where, after minimal recon, hackers found P1s, submitted the report, and swam in their money?

After my first 40 hours in the bug bounty scene, with three informational/rejected issues behind me, but with experience from hack labs and completed courses, I began to think I was doing something wrong.

I had already read countless articles on finding XSS, bypassing authentication, OTP, and even F5 Big-IP RCE. These only confirmed that I knew these topics. I realized the following variables are crucial in hunting:

  • a = Where am I looking?
  • b = What am I looking for?
  • c = How fast am I searching?

Only when a+b+c are combined do we get results, and sometimes the answer is right on the surface. With some experience, I realized I focused on minor bugs not because I didn’t understand, but because sometimes your target simply doesn’t have the vulnerability you are looking for. The time spent might not solve the issue. Often, it’s best to retreat to avoid wasting time.

Today, let’s talk about the simplest and one of the most critical vulnerabilities I have ever found.

>Recon Stage

As usual, I chose a new target and started recon. I launched the automation, and while the machine did its thing, I began opening each identified subdomain for two purposes:

  1. Find leaked secrets via [JS Miner] Secrets/Credentials BurpSuite extension. The sages say, “The larger your ‘Target’ tab, the greater the chances of finding something valuable.”
  2. Manual testing to familiarize myself with the infrastructure, forms, functionality — everything my eyes and Wappalyzer could find.

After 20–30 minutes, I saw THIS:

It was the Elastic Search admin panel. For those unfamiliar with Elastic, here’s a quick overview:

Elasticsearch is the distributed search and analytics engine at the heart of the Elastic Stack. Logstash and Beats facilitate collecting, aggregating, and enriching your data and storing it in Elasticsearch. Kibana enables you to interactively explore, visualize, and share insights into your data and manage and monitor the stack. Elasticsearch is where the indexing, search, and analysis magic happens.

>Exploitation

I started researching any vulnerabilities that could bypass the auth form, such as path/directory traversal, XSS, etc. Unfortunately, I didn’t find anything valuable. Then I thought, why bypass the login form if you can just log in through it?

At this stage, I was like:

I work as an information security auditor and often come across default local account credentials, even in large companies with non-critical systems. I decided to Google elastic default credentials and try elastic/changeme.

And Drums…

Smells like P1…

I could log in to the Elastic Panel as an administrator, see logs, alerts, connected hosts, and of course, change the account credentials. (Plan B if I didn’t receive any bounty, just kidding!)

>Results

Always test default credentials and don’t rely solely on automation. Often, you are smarter than your scripts!

Follow for new posts, stay tuned!

--

--