๐Ÿ‘ค ๐™„๐™ฃ๐™ฉ๐™ง๐™ค๐™™๐™ช๐™˜๐™ฉ๐™ž๐™ค๐™ฃ

None
Hello everyone, this is my first writeupย :)

Hello everyone, My name is Fathi Akhdan Dzaky. I'm a high school student (Grade 11) and a cybersecurity enthusiast passionate about security research and responsible disclosure. I spend a lot of my free time studying web security, understanding various types of vulnerabilities, and practicing ethical hacking to understand how systems can be secured against potential threats.

This is my first public security write-up, where I share my experiences with vulnerabilities I discovered during my security research. The goal is to raise awareness about security issues and demonstrate how simple mistakesโ€”like exposed credentialsโ€”can lead to serious security risks.

I hope this article can also be a useful learning experience for others interested in cybersecurity and responsible disclosure practices.

๐Ÿ”Ž ๐˜พ๐™๐™ง๐™ค๐™ฃ๐™ค๐™ก๐™ค๐™œ๐™ฎ ๐™ค๐™› ๐˜ฟ๐™ž๐™จ๐™˜๐™ค๐™ซ๐™š๐™ง๐™ฎ On Wednesday, February 18, 2026 (18/2/2026), I was conducting my usual security research activities. The goal wasn't anything specialโ€”simply the process of exploring and testing the attack surface (attack surface mapping) of various publicly available systems.

None

As part of the reconnaissance process, I also search public repositories to identify potentially exposed configuration files.

One common approach is to search for .env files in public repositories, as these files often store sensitive credentials such as API keys, tokens, passwords, or databases.

The search query I use to find exposed .env files is:


/[A-Za-z0โ€“9-_]+\.target\.com\/+/ language:Dotenv
None
Exposed credentials

This is where things start to get interesting.

I found login credentials that appeared valid and related to CSIRT's internal systems. At first, I thought they might be dummy data or old, inactive credentials.

However, in security research, assumptions should never replace verification. To ensure its validity, I attempted authentication on the CSIRT Portal.

None
Shocked ๐Ÿ˜ง๐Ÿ˜ฎ

The results were quite surprising. The login process was successful! without any issues, with a few concerning conditions:

  • No Multi-Factor Authentication (MFA)
  • No IP restrictions
  • No suspicious login activity notifications

After successfully logging in, I discovered that the account had the highest level of access to the system's internal dashboard. The account had Editor access level.

๐Ÿ” ๐˜ผ๐™˜๐™˜๐™š๐™จ๐™จ ๐™๐™๐™–๐™ฉ ๐˜พ๐™–๐™ฃ ๐˜ฝ๐™š ๐˜ฟ๐™ค๐™ฃ๐™š Once inside the system, I performed limited verification to understand the impact of this vulnerability. This verification was performed without making any permanent changes to the system.

Some of the capabilities of this account include:

  • Creating new users
  • Changing user roles
  • Editing system configurations
  • Uploading files
  • Accessing critical administrative features
  • CRUD (Create, Read, Update, Delete) operations on several system components
None
Admin management page
None
Edit configuration page
None
Article edit page
None
User data page

At this point, it's clear that this isn't just a simple credential exposure. It's a combination of:

  • Exposed Credentials
  • Over-Privileged Access
  • Administrative Control

If these credentials are misused by irresponsible parties, the potential impacts are quite serious, including:

  • System takeover
  • Data manipulation
  • Uploading malicious files, such as webshells/backdoors
  • Service disruption
  • Web defacement
  • Full account takeover

๐Ÿ”ฅ ๐™Ž๐™š๐™ซ๐™š๐™ง๐™ž๐™ฉ๐™ฎ ๐™‡๐™š๐™ซ๐™š๐™ก Based on the impact analysis and ease of exploitation, I categorize this vulnerability as: CVSS 9.8 โ€” Critical


Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The reasons for this assessment are:

  • The vulnerability is accessible over the network
  • It does not require user interaction
  • It does not require additional authentication
  • It has a high impact on Confidentiality, Integrity, and Availability

๐Ÿ›ก๏ธ ๐™๐™š๐™จ๐™ฅ๐™ค๐™ฃ๐™จ๐™ž๐™—๐™ก๐™š ๐˜ฟ๐™ž๐™จ๐™˜๐™ก๐™ค๐™จ๐™ช๐™ง๐™š

None
The report is declared "Valid"

During the verification process, I did not perform any further exploits. The following were not performed during the research process:

  • No data downloaded
  • No system configuration changes were made
  • No permanent users were created
  • No malicious files were uploaded
  • No webshells or backdoors were inserted
  • Etc.

๐Ÿž ๐™๐™ค๐™ค๐™ฉ ๐˜พ๐™–๐™ช๐™จ๐™š

None
Keep ethical hackingย :)

The root cause of this vulnerability stems from login credentials being exposed in a public repository, allowing unauthorized parties to access internal systems.

Furthermore, the system appears to have overly broad access rights for certain accounts, magnifying the impact of a leaked credential.

๐Ÿงฉ ๐™„๐™ข๐™ฅ๐™ค๐™ง๐™ฉ๐™–๐™ฃ๐™ฉ ๐™‡๐™š๐™จ๐™จ๐™ค๐™ฃ๐™จ

None

Several lessons can be learned from this case:

  • Secret exposure remains a common security issue
  • Many internal systems have over-privileged access
  • Credential hygiene is often neglected
  • Secret leak monitoring should be automated

Sometimes, the biggest threat isn't a complex exploit or a zero-day. It's credentials accidentally left in the wrong place.

Security isn't about finding vulnerabilities to abuse. It's about finding vulnerabilities before the wrong people find them.

โ€” Fathi Akhdan Dzaky