Important information
Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.
Failure to abide by the rules will put you at risk of being restricted from using our free challenges.
There's a leak somewhere!
Medium
Test your recon
There's an info leak somewhere on https://www.bugbountytraining.com/*, can you find it? You'll know when you do!
Completed the challenge?
You can browse the intended solution to this challenge below.
Solution
If you search GitHub for the keyword bugbountytraining.com then you'll discover this GitHub repo: https://github.com/BugBountyTraining/dev-bbt/blob/06d4d8cac301b269d6c085bcfa8ea8ded2568a21/index.html
Upon inspection, you can see at the bottom of the page: <!-- <script src="http://qa-dev.bugbountytraining.com/dev/assets/debug.js"></script> -->
Now if you visit http://qa-dev.bugbountytraining.com/dev/assets/debug.js then it won't load (as the subdomain isn't online); however, you should always try .js files on the main domain as well. In this case, if you visit https://www.bugbountytraining.com/dev/assets/debug.js you will find:
    function debugInfo(dataSend) {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", '/dev/log.php', true);
        //xhr.open("POST", '/dev/logger.php', true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.onreadystatechange = function() {
            if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
            }
        }
        xhr.send(dataSend);
    }
Visiting https://www.bugbountytraining.com/dev/log.php will show you a success message, except... what's logger.php?!
If you visit https://www.bugbountytraining.com/dev/logger.php then you'll see some interesting logs, but the most interesting is: */10 * * * * /usr/bin/php /dev/connect.php.
Visit https://www.bugbountytraining.com/dev/connect.php and the MySQL database password is revealed!
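From the defender's side, the chain above begins with commented-out references left in published files. The following is an added example, not part of the original challenge or the site's own code: a small Node.js check that could run before a commit or deploy and flag HTML and JavaScript comments that still name URLs or server-side paths. The function name, the regexes and the sample inputs are assumptions for illustration; the samples are constructed from the two snippets quoted in the solution.

```javascript
// Added example (not the site's code): flag commented-out markup or code
// that still names a URL or a server-side path before files are published.
const HTML_COMMENT = /<!--([\s\S]*?)-->/g;
const JS_BLOCK_COMMENT = /\/\*([\s\S]*?)\*\//g;
// Only whole-line "//" comments, so "http://" inside live strings is ignored.
const JS_LINE_COMMENT = /^[ \t]*\/\/(.*)$/gm;
// Group 1: absolute URL or quoted path; group 2: the path without its quotes.
const URL_OR_PATH = /(https?:\/\/[^\s"'<>]+|["'](\/[\w.\-\/]+\.\w+)["'])/g;

function findCommentedReferences(fileName, text) {
  const patterns = /\.html?$/i.test(fileName)
    ? [HTML_COMMENT]
    : [JS_BLOCK_COMMENT, JS_LINE_COMMENT];
  const findings = [];
  for (const pattern of patterns) {
    for (const comment of text.matchAll(pattern)) {
      // 1-based line number where the comment starts.
      const line = text.slice(0, comment.index).split("\n").length;
      for (const ref of comment[1].matchAll(URL_OR_PATH)) {
        findings.push({ file: fileName, line, reference: ref[2] || ref[1] });
      }
    }
  }
  return findings;
}

// Constructed samples based on the two snippets quoted in the solution.
const sampleHtml = [
  "<html><body>",
  "<p>Hello</p>",
  '<!-- <script src="http://qa-dev.bugbountytraining.com/dev/assets/debug.js"></script> -->',
  "</body></html>",
].join("\n");

const sampleJs = [
  "function debugInfo(dataSend) {",
  "  var xhr = new XMLHttpRequest();",
  `  xhr.open("POST", '/dev/log.php', true);`,
  `  //xhr.open("POST", '/dev/logger.php', true);`,
  "}",
].join("\n");

for (const f of [
  ...findCommentedReferences("index.html", sampleHtml),
  ...findCommentedReferences("debug.js", sampleJs),
]) {
  console.log(`${f.file}:${f.line}: commented-out reference to ${f.reference}`);
}
```

The live call to /dev/log.php is not reported because only commented-out lines are inspected; trailing comments after code on the same line are out of scope for this check.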