🥭Glance Networks

www.glance.net

High

  • SQL Injection resulting in unprivileged data access or modification

  • Authentication or session management flaws leading to arbitrary account compromise.

  • Unprivileged data access / privilege escalation

Medium

  • Persistent or Stored XSS

  • Cross-Site Request Forgery (CSRF) exposure on sensitive functions

  • Use of a third-party component/library with an unknown vulnerability, or with a known vulnerability (CVSS score 7.0 or higher) that has been public for more than 45 days.

Low

  • Reflected XSS

  • XSS from an authenticated customer admin

  • External Cross-Site Request Forgery (CSRF) exposure on non-sensitive or non-critical functions.

  • Cross-site History Manipulation (XSHM) resulting in Information Inference (other than Login or permission detection)

  • Iframe embedding, other than where it is intentionally configured

*.glance.net

Medium

  • Sub-domain takeover on *.glance.net domains and obtaining a certificate (HTTPS requests allowed)

Low

  • Sub-domain takeover on *.glance.net domains without ability to obtain a certificate (HTTPS not allowed)


Out of scope:

  1. ww2.glance.net

  2. help.glance.net

  3. status.glance.net

  4. glance.cx


Let's start with a subdomain enumeration of www.glance.net

subfinder -d www.glance.net -o glance1.txt
httpx -status-code -mc 200 -l glance1.txt -o subdomains_200OK.txt
httpx -status-code -mc 302 -l glance1.txt -o subdomains_302OK.txt
httpx -status-code -mc 401 -l glance1.txt -o subdomains_401OK.txt
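Before feeding the enumeration output into anything else, it is worth filtering it against the program scope listed above. The following is an added example (not part of the original notes or of the program's own tooling): it reads subfinder/httpx-style lines, reduces each to a bare hostname and keeps only hosts covered by www.glance.net or *.glance.net that are not on the out-of-scope list. One assumption is labelled in the code: anything beneath an excluded host (for example a child of help.glance.net) is treated as excluded too.

```python
import sys

# Scope rules copied from the program listing on this page.
IN_SCOPE = ("www.glance.net", "*.glance.net")
OUT_OF_SCOPE = ("ww2.glance.net", "help.glance.net", "status.glance.net", "glance.cx")


def normalize(line: str) -> str:
    """Reduce a subfinder/httpx line (scheme, port, path, '[200]' suffix) to a bare host."""
    parts = line.strip().split()
    if not parts:
        return ""
    host = parts[0]
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.lower().rstrip(".")


def matches(host: str, pattern: str) -> bool:
    """Exact match, or wildcard match: '*.glance.net' covers any label(s) before '.glance.net'."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".glance.net"
        return host.endswith(suffix)  # the apex itself does not end with ".glance.net"
    return host == pattern


def in_scope(line: str) -> bool:
    host = normalize(line)
    if not host:
        return False
    # Exclusions win. Assumption (not stated by the program): children of an
    # excluded host, e.g. api.help.glance.net, are excluded as well.
    for excluded in OUT_OF_SCOPE:
        if host == excluded or host.endswith("." + excluded):
            return False
    return any(matches(host, pattern) for pattern in IN_SCOPE)


def filter_scope(lines):
    """Split raw tool output into (in-scope, out-of-scope) lists, preserving the original lines."""
    keep, drop = [], []
    for line in lines:
        (keep if in_scope(line) else drop).append(line.strip())
    return keep, drop


if __name__ == "__main__":
    # Usage: python scope.py < glance1.txt  (prints only in-scope lines)
    kept, _ = filter_scope(sys.stdin)
    print("\n".join(kept))
```

Lines that fail the check are simply dropped from the output; a second pass over the `drop` list is a cheap way to review what the wildcard and exclusion rules actually removed.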

Unsanitized input → to be attacked later

Emails:

I found that the domain above is a Microsoft IIS HTTPd → so we can do a somewhat customized enumeration or fuzzing with a wordlist specific to it.

Very important point: the URL glance.net/visitor/join loads a JavaScript library that is vulnerable to CVE-2024-6484 →

gems/bootstrap/CVE-2024-6484.yml → we can look this one up and use it with Nuclei.

Blessed be the Retire.js extension that I installed, haha, it's super cool.


Now we'll run feroxbuster, but logged in with the credentials, to see →

  • Username: h1-tearofextinction.glance.net

  • Password: qDz8hNTqdgREKvgoav7C