How I was able to bypass WAF and find the origin IP and a few sensitive files

Hello hunters,

This is Jan Muhammad from team Darkanon.

Today I’ll be demonstrating to you guyz how I was able to bypass WAF and find the origin IP in a jiffy, using shodan.

So let's begin.

I was hunting on a VDP program, let’s call it target.com. During my reconnaissance, it came to my notice that the target is protected by Cloudflare WAF. In order to find the origin IP, I opened my terminal and hit command:

nslookup target.com

But the resolved IPs were generated by Cloudflare with the intention to protect the origin server. Hitting those IP’s in URL were showing “Direct IP Access not allowed”

After referring to multiple articles I found this interesting regex:

Ssl.cert.subject.CN:”target.com” 200

Hitting this regex in Shodan search engine disclosed the origin IP of the server. Now, I was able to communicate with the server directly without going through WAF.

To confirm whether Cloudflare is bypassed or not I used wafw00f:

wafw00f target.com → Protected by Cloudflare

wafw00f origin_ip → No WAF detected

Now, let’s dive deeper.

I fired up the dirbuster and ffuf to Bruteforce the directories. Here I was able to find out multiple hidden files and directories which I was not able to find via the intended URL.

Bounty Awarded: $three_digits

Hit me up on Twitter: https://twitter.com/hasanakajan