My Journey With Red Bull
They say the devil makes work for idol hands and there has never been a more apt saying. With the summer practically spent in lockdown and all caught on up on my University work I decided it would be the right time to start a blog. Like anything you put out there on the internet it needed content and lots of it. It was then I decided to put to test some of the skills I had learnt so far from University and what I had taught myself. This led me to subdomain takeovers which I have covered in a previous post and from there bug bounties.
There is a stark contrast between pentesting labs e.g hackthebox and bug bounties on real world targets. Having spent a lot of my time on these labs where vulnerabilities are carefully placed within challenges I had an understanding of how to solve them. I was hopeful that, I will be fine finding bugs in the real world, and boy was I wrong. I remember seeing an announcement by HackerOne saying they had reached 300,000 registered hackers on their platform and I was thinking ..oh wow… so much competition. That is very true, there is a lot of hackers and you will submit reports that turn out to be duplicates.
A couple good deeds and my bug bounties not that they were bountiful at all ranged from the GOV/Military and NHS to top 500 fortune companies to name a few (Garmin & Accenture Hall of Fame). Coming back to the intended article I remember watching Formula 1 on Netflix one weekend and that is when the thought came to me “I wonder if Red Bull has a bug bounty programme” luckily I found that they have a Vulnerability Disclosure Program. I decided to set to work and see what vulnerabilities I could find within their companies’ website. Since I am still a beginner and everything is a learning curve for me I could only test for a few things that I knew how to perform successfully.
Since I had this frenzy going on with subdomain takeovers I decided to look and see if I could find any for Red Bull, long and behold I had found a couple that caught my attention and proceeded to look into those. I had successfully taken next.redbull.com and uploaded a Proof of Concept. Time to get in touch with Red Bull’s security team.
This is when Mark was assigned to my report and from that point on I communicated with him directly. I sent a report to him and soon after got a reply, Mark thanked me and it made me quite happy that someone appreciated my work.
Soon after Mark wrote back thanking me again for my report and telling me that he would want to organize a reward for me. Red Bull does not have a dedicated bug bounty program with pre-defined rewards in place and they don't see financial compensation as an appropriate way to reward individuals. However, they do practice a culture of individual rewards based on novelty and criticality of findings delivered.
For my first bounty I was happy with anything that was rewarded, I am not in a rush for monetary rewards I would rather learn from the experience and have fun doing it.
While waiting for my reward, due to Covid-19 things got delayed slightly and a couple weeks went by without any delivery. Mark had decided to do something about this and came up with the plan to offer me a voucher to use on Red Bull shop (this was an exception and only a one-time reward to honour me). I was excited again because guess what... they have Red Bull Racing merchandise there!
Before my voucher was due to be generated and since I had this one time opportunity for a voucher I had decided over the weekend to take a look over more of Red Bull's infrastructure and perform different kind of tests. This time I was looking for servers that would be vulnerable to injections and sensitive files.
I set up all my scripts, all my payloads, all the wordlists, all the targets.. ready to go... hit enter, I've launched all this tasks in the background as I knew this will be very laborious and I will end up with many false positives that I would need to check manually.
Over the weekend I began to inspect all the hits and different files I managed to access and scrape from thousands of servers belonging to Red Bull.
I took notes on anything interesting to be able to tell the security them afterwards.
While a few alerts were just simple like for example showing phpinfo, they weren't really disclosing any credentials and others lead me to some debug logs, some interesting dev panels, but nothing was too sensitive yet.. digging digging digging.. a couple hours later I came across some javascript files that had credentials to a FTP account, but they weren't valid.. hmm.. right.. I suppose it's still informative to see how they format their username and passwords.
Sometime later I came across some interesting files that peaked my interest.. this time they were json jwt tokens ..and yet again a magic js file however this time I struck lucky because it had credentials to endpoints, a few api secret keys and a couple MySQL databases that were valid and populated with data. Wow... I thought this one must be worthwhile reporting!
Also as a surprise the drinks finally arrived...!
I do remember Mark saying in an e-mail .. 'do enjoy the drinks when they arrive'
I really liked the Red Bull Watermelon Summer Edition, Cheers!
My hunt was not finished yet. I kept looking around and unbelievably came across a MySQL dump of 200 MB and this was a goldmine. You can imagine what kind of data was inside this dump.
I had decided this was enough for me and started putting everything together in a new report for the Red Bull Security Team.
Finished, Sent.
Perfect.. I was satisfied that my findings were useful to them and that they were working on fixing those.
Reward update
This was great news to me as I really wanted to get some nice Red Bull Formula 1 merchandise and I felt that this amount will be enough for a couple items from their shop.
Mark was amazing to deal with and he got me the voucher, I'll admit I couldn't help myself but to mess around with a couple burp requests and check out how this voucher worked. I couldn't really do much to fool the system in any way, especially with my little knowledge about APIs, however I found a point where I could inject js/html and achieve persistent XSS during the checkout process. I've informed Mark about it, he replied back that they are already working on it as it has been reported by a previous individual. I then placed the order, it was delivered to me fast even though I only used regular delivery 'free'!
A couple thoughts I'd like to share about Red Bull. I wasn't aware of how big this company is until now, and just how many events they are involved in trust me when I say Red bull is huge.
This blog post is not sponsored!
I am glad that I got my first bounty from Red Bull because the company was really nice to deal with and they were quick in their correspondence, also Mark was very pleasant to engage with.
Red Bull is currently working on a BugBounty program, so they can track, and send non-monetary rewards out to everyone who earned it.
Have you got any suggestions for me ? Get in touch!
Thank you for reading my article, Until next time!
Your friendly neighbourhood Hacker.