How I got a lousy T-Shirt from the Dutch Government.

Dutch Government VDP

First, let’s have a look at the VDP of the Dutch Government:
https://www.government.nl/topics/cybercrime/fighting-cybercrime-in-the-netherlands/responsible-disclosure
As this program is not listed on HackerOne or Bugcrowd, this VDP is a nice target for beginners, as there is less competition. Furthermore, the scope of this program is huge. You can have a look at this gist for a curated list of domains that are in scope:
https://gist.github.com/random-robbi/f985ad14fede2c04ac82dd89653f52ad
You can use this list as a starting point for recon and go from there.

Finding a vulnerability

As I’m a beginner and just starting out in bug bounty, I was looking for simple, low-hanging-fruit vulnerabilities. This is why I was focusing on WordPress! It is an awesome CMS, but in my experience a lot of WordPress sites are vulnerable, especially if many plugins are installed. So to find a WordPress installation with some vulnerability, I had two things to do:
1. Find as many in-scope domains hosting WordPress as possible.
2. Check every domain found for known vulnerabilities.

Recon

To find as many WordPress installations as possible, I used two approaches:
Google dorking and Nuclei. As the name suggests, Google dorking is a technique that uses Google’s search engine to gather information about a target. You can find a lot of helpful Google dorks in the Google Hacking Database at:
https://www.exploit-db.com/google-hacking-database
A nice Google-Dork to identify WordPress installations is:

"Proudly powered by WordPress"
site:*.mil "Proudly powered by WordPress"
nuclei -l wordpress.subs.txt -t /root/nuclei-templates/technologies/wordpress-detect.yaml
Console output of Nuclei running the WordPress detection template.
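The Nuclei template above answers one question per host: does this look like WordPress? The same check is useful on the defending side, as an asset-inventory step that tells a team which of its own hosts run WordPress and therefore need plugin and core patching tracked. The script below is an added illustration, not the author's code and not the Nuclei template; the indicator names, the two-indicator threshold and the sample response are my own choices, and the sample HTML is constructed, not captured from any real site.

```python
"""Tiny WordPress fingerprinter for asset inventory.

Added illustration (not the author's code, not the Nuclei template). Looks for
several independent signs of WordPress in a homepage response, the same kind of
signal wordpress-detect.yaml relies on, and requires more than one of them
before calling a host WordPress.
"""
import re
import urllib.request
from typing import Dict, List

# Each indicator: (name, regex on the HTML body). Any single one can occur by
# accident (e.g. a copied footer), so the decision below asks for two.
BODY_INDICATORS = [
    ("meta-generator", re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress', re.I)),
    ("wp-content-path", re.compile(r"/wp-content/", re.I)),
    ("wp-includes-path", re.compile(r"/wp-includes/", re.I)),
    ("rest-api-link", re.compile(r'rel=["\']https://api\.w\.org/["\']', re.I)),
    ("powered-by-footer", re.compile(r"Proudly powered by WordPress", re.I)),
]


def wordpress_indicators(html: str, headers: Dict[str, str]) -> List[str]:
    """Return the names of all WordPress indicators present in one response."""
    found = [name for name, rx in BODY_INDICATORS if rx.search(html)]
    # WordPress advertises XML-RPC pingback support through a response header.
    pingback = {k.lower(): v for k, v in headers.items()}.get("x-pingback", "")
    if pingback.endswith("xmlrpc.php"):
        found.append("x-pingback-header")
    return found


def is_wordpress(html: str, headers: Dict[str, str], min_indicators: int = 2) -> bool:
    """Two independent indicators keep a lone '/wp-content/' string from counting."""
    return len(wordpress_indicators(html, headers)) >= min_indicators


def check_host(host: str, timeout: float = 10.0) -> List[str]:
    """Fetch the homepage of one host you are responsible for and fingerprint it (network call)."""
    req = urllib.request.Request(f"https://{host}/", headers={"User-Agent": "wp-inventory/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read(200_000).decode("utf-8", errors="replace")
        return wordpress_indicators(body, dict(resp.headers))


# Constructed sample response (not captured from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 5.8" />
<link rel="stylesheet" href="/wp-content/themes/twentytwentyone/style.css" />
<link rel="https://api.w.org/" href="/wp-json/" />
</head><body><footer>Proudly powered by WordPress</footer></body></html>"""
SAMPLE_HEADERS = {"X-Pingback": "https://example.test/xmlrpc.php"}

if __name__ == "__main__":
    print(wordpress_indicators(SAMPLE_HTML, SAMPLE_HEADERS))
    print("WordPress:", is_wordpress(SAMPLE_HTML, SAMPLE_HEADERS))
```

Feeding `check_host` the hosts from a domain list such as the gist above gives the same inventory the Nuclei run produces, with the benefit that the decision rule is visible and adjustable. The `meta generator` tag is the weakest signal of the set, because many sites strip it deliberately; the REST API link and the pingback header survive that hardening more often.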

Exploitation via WPScan

The tool I used to check a given WordPress installation for known vulnerabilities is WPScan:
https://wpscan.com/wordpress-security-scanner
This is a WordPress vulnerability scanner and is free for non-commercial use. You can register a free account to obtain an API token. The API token unlocks the full potential of WPScan: with it, the tool looks up the detected core, theme and plugin versions and displays their known vulnerabilities. WPScan can be run like:

wpscan --url <domain> --api-token <your API-Token>
Console output of WPScan.
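Reading WPScan's console output works for one host, but across a large scope the findings are easier to handle as data: WPScan can write its report as JSON (`wpscan --url <domain> --api-token <token> --format json -o report.json`), and a short script can flatten core, theme and plugin findings into one list and separate the ones with no fixed version. The script below is an added illustration, not the author's or WPScan's code. The key names it reads ("version", "number", "main_theme", "plugins", "vulnerabilities", "title", "fixed_in") follow WPScan's JSON output as I understand it; verify them against your own report before relying on this. The sample report is constructed and its issue titles are placeholders.

```python
"""Triage helper for WPScan JSON output (added illustration, not WPScan's code).

Assumed report shape: top-level "version" (core, with "number" and
"vulnerabilities"), "main_theme" and "plugins" (each component carrying a
"version": {"number": ...} object and a "vulnerabilities" list whose entries
have "title" and "fixed_in"). Check these names against a real report.
"""
import json
from typing import Any, Dict, List, Tuple

# (component, installed version, title, fixed_in)
Finding = Tuple[str, str, str, str]
NO_FIX = "no fix listed"


def collect_findings(report: Dict[str, Any]) -> List[Finding]:
    """Flatten core, theme and plugin vulnerabilities into one list."""
    findings: List[Finding] = []

    def add(component: str, version: str, vulns: Any) -> None:
        for vuln in vulns or []:
            findings.append((component, version, vuln.get("title", ""), vuln.get("fixed_in") or NO_FIX))

    # Core: the version number sits directly on the "version" object.
    core = report.get("version") or {}
    add("wordpress-core", core.get("number") or "unknown", core.get("vulnerabilities"))

    # Theme and plugins: the version number sits one level down, and may be absent
    # when WPScan could not determine it.
    theme = report.get("main_theme")
    if theme:
        add("theme:" + theme.get("slug", "?"), (theme.get("version") or {}).get("number") or "unknown",
            theme.get("vulnerabilities"))
    for slug, plugin in (report.get("plugins") or {}).items():
        add("plugin:" + slug, (plugin.get("version") or {}).get("number") or "unknown",
            plugin.get("vulnerabilities"))
    return findings


def summarize(report_json: str) -> Dict[str, Any]:
    """Counts plus the findings that need attention first (no upstream fix available)."""
    findings = collect_findings(json.loads(report_json))
    return {
        "total": len(findings),
        "components": sorted({f[0] for f in findings}),
        "unfixed": [f for f in findings if f[3] == NO_FIX],
    }


# Constructed sample report (not a real scan; titles are placeholders).
SAMPLE_REPORT = json.dumps({
    "target_url": "https://example.test/",
    "version": {"number": "5.8.1", "status": "insecure",
                "vulnerabilities": [{"title": "Core: placeholder issue", "fixed_in": "5.8.3"}]},
    "main_theme": {"slug": "twentytwentyone", "version": {"number": "1.4"}, "vulnerabilities": []},
    "plugins": {
        "sample-plugin": {"slug": "sample-plugin", "version": {"number": "1.0.0"},
                          "vulnerabilities": [
                              {"title": "Sample plugin: placeholder issue A", "fixed_in": "1.0.1"},
                              {"title": "Sample plugin: placeholder issue B", "fixed_in": None}]},
        "other-plugin": {"slug": "other-plugin", "version": None, "vulnerabilities": []},
    },
})

if __name__ == "__main__":
    for finding in collect_findings(json.loads(SAMPLE_REPORT)):
        print(finding)
    print(summarize(SAMPLE_REPORT))
```

The "unfixed" list is the part worth reading first when reporting or remediating: an issue with a `fixed_in` version is closed by an update, while one without it needs the plugin removed or mitigated some other way. Entries with version "unknown" deserve a second look too, since WPScan matches vulnerabilities by version and cannot judge a component it could not version.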

Timeline

  • Reported multiple vulnerabilities on 19.11.2021
  • Initial response and triage on 19.11.2021
  • Fixed and T-shirt awarded on 04.01.2022

Social Media

Twitter: https://twitter.com/mava656

Mava

Computer Science Student, Ethical Hacker, Interested in Infosec