While testing on a private program (I'll call it redacted.com) I started like any security researcher would, with basic reconnaissance (Subfinder + Httpx), and in doing so I discovered an employee portal:

employees.redacted.com

But visiting it redirects to another subdomain for authentication. I tried several auth bypass methods, but none worked.

So I switched gears and started hunting on the employee portal itself. Since I had no way of accessing anything on it, I had to start by fuzzing:

ffuf -u https://employees.redacted.com/FUZZ -w big.txt

But all endpoints redirected me to the login page.

To make things clearer, I filtered out those responses by word count:

ffuf -u https://employees.redacted.com/FUZZ -w big.txt -fw 13

and found one endpoint (/assets) that behaved strangely: instead of redirecting me to the login page it redirected me to /assets/, which then redirected me to the login page. So I decided to fuzz that as well and found another endpoint behaving the same way:

/assets/stage/

So I decided to fuzz inside that directory as well, but nothing came back. Since it looked like an assets endpoint to me (/assets/*), I decided to fuzz for files inside the directory and found one file (001.png) that was leaking an employee ID card:

So I decided to fuzz for .png files by generating a wordlist of 001 to 999 using seq:

seq -w 1 999 > numbers.txt

Then fuzzed again:

ffuf -u https://employees.redacted.com/assets/stage/FUZZ.png -w numbers.txt -fw 13

And I was able to access hundreds of employee ID cards, as well as leaked employee contracts as .pdf files.
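Added here from the defender's side, not part of the original write-up: a small Python log check that flags a client successfully pulling many distinct numbered files under a static path like /assets/stage/, which is exactly the footprint the seq-generated wordlist above leaves in the server's access log. The path pattern, log format and sample lines are assumptions.

```python
import re
from collections import defaultdict

# Combined-format access log line: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Files named by a bare number under the static path (path pattern is an assumption).
NUMBERED_ASSET_RE = re.compile(r'^/assets/stage/(?P<num>\d+)\.(?:png|pdf)$')


def find_enumeration(lines, threshold=5):
    """Return {ip: sorted asset numbers} for every client that successfully
    fetched at least `threshold` distinct numbered files. A real user opens one
    or two of these; a seq-driven wordlist walks through them in order."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash
        asset = NUMBERED_ASSET_RE.match(m.group("path"))
        if asset and m.group("status") == "200":  # only count actual disclosures
            hits[m.group("ip")].add(int(asset.group("num")))
    return {ip: sorted(nums) for ip, nums in hits.items() if len(nums) >= threshold}


# Constructed sample log (not from the original post): one client walking the
# numbered files, one ordinary user, one request that bounced to the login page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /assets/stage/001.png HTTP/1.1" 200 5120 "-" "ffuf/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /assets/stage/002.png HTTP/1.1" 200 5011 "-" "ffuf/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /assets/stage/003.png HTTP/1.1" 200 4990 "-" "ffuf/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /assets/stage/004.png HTTP/1.1" 200 5203 "-" "ffuf/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /assets/stage/005.png HTTP/1.1" 200 5077 "-" "ffuf/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /assets/stage/006.pdf HTTP/1.1" 200 81234 "-" "ffuf/2.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /assets/stage/007.png HTTP/1.1" 404 162 "-" "ffuf/2.0"
198.51.100.9 - - [10/Oct/2023:14:02:11 +0000] "GET /assets/stage/017.png HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:15 +0000] "GET /dashboard HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, nums in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(nums)} numbered files fetched, {nums[0]:03d}-{nums[-1]:03d}")
```

The real fix is making /assets/* subject to the same authentication check as the rest of the portal; the log check is how you notice it happening before a report arrives.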

After reporting this finding I was awarded $2550.