Dropping root shell in a Crypto Exchange for Fun (and Profit?)
![Image](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6aOneLFkRihZTkOMPBJ1WYTz5DEXrLFWl_-W3rhld106jHiGI8WZf5FwpUH7m_yHXctR9sUc_POClEvOE3OyHUX4HrXR3lsg1NOljG9xatjR9F9V7hbj4ll2YXDAWVeS4wCg76ZY4sZQD/s320/Screenshot_7.png)
I have been using this Crypto Exchange - changenow.io for at least a year now. I didn't realize they also had a bug bounty program, which was mentioned in their footer section. I was quite busy with my day job, so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch to do some bug bounties, I checked my todo.txt and decided to hunt bugs on changenow.io.

I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain, eth-btc.com. A quick whois on eth-btc.com revealed that it also belonged to changenow.io (admin email - sysadmin@changenow.io), so I enumerated the subdomains of this domain too. One of the subdomains, zbx.sup.eth-btc.com, was running a Zabbix instance. I didn't have login credentials and common creds also didn't work, but there was "Sign i