#bug-bounty


tough pond
#

Fines lmao

#

Skidy msged me and said he will be helping me out privatly in a few hours

#

but i wont be around

still jasper
#

Yea ok let's just not discuss anything further

lavish hollow
#

-mute @tough pond I will talk to you in a moment. - TryHackMe discord

uneven galeBOT
#

🔇 Muted SoFacy#9117 for 1 day

lime hamlet
#

😂 😂 😂

fickle kite
#

Sorry in advance for this question...(I'm still learning)...has anyone had a netcat session listening...and a connection was established from a random ip?

#

I sent a payload while doing some bug bounty stuff...and had a listener open for 2 days...I gained a connection but from an IP that looks to be a Chinese website...not even close to the ip scheme used by the bug bounty client...I closed the connection when I found that it wasn't the target site...but what does that mean?

fleet phoenix
#

thats normal

fickle kite
#

ah ok

#

assume something saw my port was open and attempted connection?

fleet phoenix
#

bots scan the entire internet

fickle kite
#

yeah that's what I was thinking too

#

appreciate it

quick bramble
#

any bug bounty hunters active?

quick bramble
#

I am a newbie to bug bounty and I am kinda scared for the same. Can someone point me in the right direction?

#

How should I start in Bug Bounty?

lyric dock
#

Even I want to start with bug bounty.

mellow abyss
#

me too haha

simple cypress
#

I'm kinda new to this whole infosec thing, what exactly is a bug bounty?

#

is it exactly what it sounds like or is there more to it

compact axle
#

Sounds like an easily google-able question 🙂

hybrid orchid
frank hemlock
#

may i know which room is related to bug bounty scenarios so that we learn bug hunting practically ?

hybrid orchid
#

Check out the web fundamentals path 🙂

simple cypress
#

oh okay so it is what it sounds like, thanks!

manic mango
#

Hello guys
is there any bypass to bypass origin check in CSRF

teal totem
#

How to start in bug bounty

vocal folio
#

Learn web hacking

#

Then sign up for private programs

#

Then get disappointed when you realise that it's not a secret to getting rich

#

And all your bugs get marked as duplicates

teal totem
#

Any recommendation

vocal folio
#

TryHackMe is good

limber flicker
#

@teal totem I am also starting to enter bug bounty. So i joined tryhackme

iron shuttle
#

Hello guys, need help, I found some hard-coded cryptographic keys in a target, what to do with that? It looks something like this:

private static final byte[] 7r38r = {12, 74, 81, -80, 32, 101, -47, 72, 117, -14, 0, -49, 70, 25, -12, 54};

limber flicker
#

How to create wordlist based on theme ?

still jasper
#

What do you mean?

limber flicker
#

There are some ctfs running on a particular cartoon themes

#

So how to create wordlist based on that cartoon themes ?

#

For password recovery

merry plume
#

Crunch?

#

or

#

bewger

prisma axle
#

Crunch, cewl , namely

limber flicker
#

I am fine with the tool

#

But the names in the wordlists I am worried about

#

The names should be created as per the cartoon characters if it is a cartoon based theme

prisma axle
#

So then what do you want / need help with?

weary axle
#

@limber flicker just for cartoons names and theme based word list

limber flicker
#

@weary axle yeah.

torpid dawn
#

Hey guys! Anyone interested in joining me to try bounties together?

I'm fairly new to bug bounty and would like to learn more about it by joining or creating a team and sharing resources.

limber flicker
#

@torpid dawn
I am also new. We can try together ?

torpid dawn
void axle
summer fractal
solemn isle
#

Feel free to dm me to @summer fractal @void axle @torpid dawn @limber flicker

daring rune
#

can some one help me with this : i found this by little digging site from outside.
idk what to do with this but it seems interesting to me , if i can extract some kind of data , or any thing

serene isle
fallen palm
#

I'm interested in shadowing some bug bounty hunters if anyone would be kind enough to screenshare on a day they're bug hunting. Level 1 or 2/10 noob here but I'm looking to learn fast.

prisma axle
#

I've never heard of bug bounty shadowing, but the best option you would have is looking through bug bounty write-ups. Sometimes, once the NDA is gone, hunters will release a write-up / report @fallen palm

fallen palm
#

ya if it's not dynamic enough to be something that i could watch via screenshare then i'll just check out static write ups. Thanks @prisma axle.

#

I guess I was thinking bug bounties were time sensitive as in the companies only payout for a 12-24 hour window or something

prisma axle
#

Nah

unreal horizon
#

there's a single "k" on the old nmap room

#

on top of the website, so its not the room's content

golden zephyr
vocal folio
ebon solar
#

Where can I apply to companies to become a bug hunter? What is the process? What are the rules?

thorn parcel
#

you can try your luck with services like hackerone, bugcrowd, intigriti etc.
they are places for companies to advertise their bug bounty programs and for a bit more streamlined bug reporting process where you don't have to go through random support people

#

the rules depend from program to program so be sure to read them and the scope of it

limber flicker
#

@golden zephyr you can join

candid bridge
#

hey y'all, I'm still fairly new to hacking, does anyone have any advice for getting into bug bounties

compact axle
#

Start with Web Fundamentals Path on TryHackMe

prisma axle
candid bridge
#

Thank you guys so much! I will be sure to check these out. I have already been experimenting with some of the THM rooms lately

fallen palm
#

hi

thorn frigate
#

Can anyone suggest some XSS write up please

still jasper
stark folio
#

@torpid dawn can i join you guys too?

stark folio
fallen palm
#

Oh there is nothing better than some clean documentation.

candid bridge
#

anyone wanna help me out on getting started with bug bounties

#

if you can you can send me a dm

#

pls

dapper saffron
#

@candid bridge i can help you with the resources

golden zephyr
#

@dapper saffron id love to check them aswell

dapper saffron
#

i just saw that someone shared nahamsec github repo which have cool and enough resources for anyone to get start with bug hunting, if you need more then feel free to dm me and i will provide you more.

#

you can also join nahamsec discord channel which is all about bug hunting

golden zephyr
#

thanks i will do that

faint halo
#

!rank

lyric dock
ivory solstice
#

hello guys, can someone help me out .. ive known ethical hacking and i wanna learn python scripting for hacking as well as bug bounty hunting.. how do i begin practicing it

dapper saffron
#

@lyric dock yeah feel free to ping me up here or in dm for any kind of help related to bug hunting

dapper saffron
#

ask what you need

open prawn
#

Hello Guys, I just got my Sec+ and interested in web pentesting. Do you advice try my luck on bug bounty? What things should I learn first?

golden ravine
#

hello guys, i actually new to bug bounty can anyone guide me that how can i start. what can i do at my initial phase

stark folio
#

any one need help in starting bug bounty ib me will provide you material

tropic cipher
polar walrus
#

Recently I started studying bug bounty. Not even a whole week ago to be fair... but I think i can already give some tips for starters too...

  1. "Jason Haddix methodology" on youtube is DEFINITELY something you need to check
  2. Basic knowledge of network/kali/python (or any other language you can use for scripts)
  3. Read a lot. There's plenty of books out there with tons of information
  4. Just start somewhere. There's some websites like tryhackme.com, pentestinglabs, hackthebox....
  5. Be consistent

maiden bison
#

books like?

tropic cipher
#

a guy in a video mentioned those points i dont remember his name tho

#

and how could you do that all in a week bro

tropic cipher
#

what books have you read till now

#

when i was starting i downloaded a bunch of books i didnt read much of em more like any of em

polar walrus
#

I didn't read any of those entirely. I use them to consult on something I'm needing atm... I'm working on learning the basics and doing research

tropic cipher
#

alright mate

polar walrus
#

Im a complete noob. But curious af

fallen palm
#

@ivory solstice Black Hat Python and Violent Python books are the way to go.

modest vector
#

Google: Portswigger Academy. It's from the writers of The Web Application Hacker's Handbook, and the makers of Burp Suite.

graceful cairn
#

^
Portswigger Academy is the best source for web vulnerability studying

#

It's both theoretical and practical

prisma axle
#

Hacker101 as well

rough crag
#

So, I'm interested in try to submit bug bounties on hacker one. Can people point me to things I should read? My biggest fear is, how do I know I'm going to find something when I try to hack a commercial website like Facebook or Google? I don't want to probe around for hours and find nothing. Has that ever happened to anyone? I guess I don't have this fear for CTFs because I know the machine is meant to be hacked and there's a solution.

slender jacinth
#

there are lots of different resources, hackerone has Hacker101 as well for teaching

rough crag
#

Any books that are must reads?

#

I'll scour this chat too for past recommendations.

slender jacinth
vocal folio
#

Even on smaller bounties, private programs

#

Bug bounty is not guaranteed. It's not a stable source of income, and the reward does not directly correlate with the work you put in

#

Private programs are going to be better, but they still don't change that much

dapper saffron
#

Yeah I agree with that

#

There is a lot of competition in bug hunting and it's only stable if you're willing to spend countless hours / day

#

But still you can make good money and put good experience on your cv/resume

rough crag
#

I don't want it for the money, I just want street creds for my resume so I can find an actual job 😉 , but I don't have 20 hrs/week to spend on it outside of work and find nothing.

vocal folio
#

That's the risk you take

#

Private programs reduce that risk as there are less people looking etc

rough crag
#

What is meant by private programs? Is that not on hackerone?

golden wigeon
#

is anyone up for helping me do recon on a bug bounty? just need the practice, i heard collabs were a great way to do things if your a noob

rough crag
#

Ahh but then how do I get an invite? I have to be good on a public program right? LOL

vocal folio
#

Some of the platforms have little CTFs that you do that opens up some private programs

fallen palm
#

you can get private invites by having a positive ranking (reputation).

#

either by participating in public programs and getting bounties and /or by completing CTFs in hackerone

golden wigeon
#

are there any good sub domain finders besides sublister, im kinda having trouble with it

prisma axle
#

amass

golden wigeon
#

wow its working great, thanks a bunch

wispy notch
#

Hey guys I'm new to bug bounty.
Can anybody help me to become a bug hunter. I dont know where to start can anybody plzzz help me.....

vocal folio
#

You need to learn web hacking

#

From there, you need to manage your expectations from bug bounty. Don't expect to get rich.

hollow folio
red nest
#

Anyone who wants to get into bug bounty with the thoughts of getting rich quick, your dreams are going to get shot down so hard its not even funny

wise lagoon
#

hey guys any good tips for bug bounty

#

trying to get into it to level up my web app skills

#

dont care about the money

tranquil sonnet
#

Did any one got bug today?

red nest
tranquil sonnet
#

Lol

#

Sry man

fallen palm
#

I feel like there's this air of bug bounties netting you a lot of money. I believe even Jason Haddix states in his methodology video that a passionate individual could net 5k - 15k each month. (could be I misremember and it's from a different bug bounty beginner video). But that sounds like A LOT of money. And seeing how most people in the community aren't earning that kind of money by a long shot, it's kinda weird how the sentiment gets thrown around

lyric dock
modest vector
sand solstice
#

https://youtu.be/YU4QBjg703U Best video on the topic, the cyber mentor made one as well.

Why only a handful of security researchers and bounty hunters make it and how can you be one of them?

Free coding platforms:

https://freecodecamp.org
https://edabit.com
https://codewars.com

Free books:

https://www.py4e.com/book.php
https://www.golang-book.com/books/intro
https://books.goalkicker.com/BashBook/

fallen palm
fallen palm
modest vector
rough crag
#

I'm glad corporations now allow you to hack them, money or not. 20 years ago, it was not the case. You go to jail. =[

rough crag
sand solstice
#

Of course

#

A lot of struggle a lot of hard work, failure after failure

#

And persevering through it all for the long term

rough crag
# sand solstice This is inevitable.

How do you know that there's nothing to find versus you're just stupid/still a noob? LOL Is the 2 years recommended "practice" timeframe accurate?

wicked jewel
#

TFW I did a report and the company doesn't want me to publish a write-up

#

But I'm credited

#

And got specific merchandise for the service I found it via

#

Lol

wicked jewel
#

Know Victor Gevers? He's reporting for 22 years now

rough crag
#

I mean you can evade it if you knew what you were doing...

#

I had no idea what I was doing back then 😛

golden wigeon
#

whats the importance of using screenshot tools in bug bounty, and can it make a big difference in recon on a website?

prisma axle
#

In reference to recon specifically, and I assume you're talking about something like gowitness, it can be used alongside other tools like amass, httprobe and dirbuster to quickly identify anything of interest

wicked jewel
prisma axle
prisma axle
charred matrix
#

Do bug bounty hunters use OWASP ZAP to find XSS ? or do they prefer it doing manually ?

still jasper
#

It's all different really, some prefer to use Burp, ZAP and/or other tools or some might prefer to do it manually

charred matrix
#

I see, thanks

vocal folio
#

@fallen palm wat

#

We don't appreciate trolling here @fallen palm

short hill
#

Hey has anyone used zseano's website: Bugbountyhunter.com, to learn and get some hands-on practice?

stark folio
still jasper
#

???

hollow marten
#

oh tk ❤️

sly tulip
#

anyone here has ever found a bug?

prisma axle
#

yes

vocal folio
#

Yep.

#

In THM, with Muirland. That we got a bounty for.

sly tulip
sly tulip
#

then you guys clearly can answer this right?

#

what should i learn to have the slightest change of finding a bug?

#

and gimme a link for bug bounties plz

vocal folio
#

Learn web hacking

sly tulip
#

can you be a little bit more specific?

vocal folio
#

No.

#

Because bug bounty isn't

#

Bug bounty is mostly web hacking

sly tulip
#

ok thx

#

now im gonna ask for support cuz cant open tryhackme

fallen palm
#

@sly tulip I'm just starting out too but try reading "Real World Bug Hunting" by Peter Yaworski

still jasper
sly tulip
#

thank you

candid linden
#

Anyone has any good resources to learn android hacking? Except the owasp top 10?

#

Im interested in android bug bounties but all im doing now is learning java

#

Idk what else i should be learning

umbral fern
#

kotlin

hexed pike
#

hii

still jasper
#

Hey

hexed pike
#

what's up

still jasper
hexed pike
#

yess

#

do you do bug bounties?

still jasper
#

Sometimes yes

hexed pike
#

i also want to but i am confuse when to start or am i ready for it

still jasper
#

This is a good start Nahamsec updated this yesterday during his stream

hexed pike
#

thanks man

flint jay
#

@still jasper Now I know where I saw your profile before Lol 😂 thanks for your help

tawdry horizon
#

Hiii I see you guys like bug bounties

#

can I help?

still jasper
#

Nahamsec 👀 I subscribed to your stream yesterday

tawdry horizon
#

@still jasper Hell yeah!! Thanks! 🙂

quaint bronze
#

Naham I'm gonna give you pin powers in this chat, have fun from there lol

tawdry horizon
#

@quaint bronze yayayNO

golden wigeon
#

Is it worth going through a targets acquisitions, even though the domain name isnt the same, is it still in the same scope as the target? if all that made sense.

#

because im seeing some other people do it

slender jacinth
#

make sure you read the scope, if you have questions on it reach out to the company posting the bounty

prisma axle
#

@golden wigeon a lot of people have acquisitions in their methodology, such as Jason Haddix, but it can depend on scope: some are strict, some are pretty lax.

wispy notch
#

Nahamsec 👀 I subscribed to your stream yesterday
@still jasper yes me too

hybrid geyser
#

Hey @tawdry horizon if you would like to I would be extremely thankful for any tips on how to begin with bug bounty 🙂 just hmu if you want to 🙂

prisma axle
#

Why not look at some of his videos where he specifically gives tips? if you wanted to ask something more specific that would make sense but you asked him a generic question that he has already answered multiple times

karmic hollow
#

And of course thanks to @tawdry horizon for putting it together.

hybrid orchid
#

(As a general rule, for the record, it's probably not the best idea to ping the big names just because you share a server. Some are fine with it, and they'll make that clear 😛)

tiny briar
#

hi, guys i want some binary exploit challenges for beginner/intermediate if you can give me

vocal folio
#

@tiny briar there are some resources pinned in #resources

tiny briar
#

@vocal folio thanks, didn't see that, sorry

golden wigeon
#

is there any good domain ip address finder tools? i know ANS is one

golden wigeon
#

nvm i think amass just gave some

soft dune
#

I really want to earn 10k finding a RCE lol

prisma axle
#

Haha good luck dood

cloud charm
#

as long as it's not important, spoofing and ends up paying way less

still jasper
soft dune
cloud charm
#

yeah but often you don't get what you deserve

still jasper
#

Yes that's the 1%, never said there was anything wrong but doing bug bounties for money is what causes downfall in hunting for bugs

prisma axle
#

Haha ok dood let me know when you become a millionaire

soft dune
#

I dont know, I seen a reward for 10k earlier and thought nice.

prisma axle
prisma axle
#

I'm not trying to crush your dreams but the people getting these large bounties work for days and have been doing this forever

still jasper
#

Even the millionaires will say don't chase money

prisma axle
#

It's not a get rich quick scheme

soft dune
#

You're both thinking too much into this.. chill out

prisma axle
#

it definitely didn't seem as though you were joking and I don't want you to have heightened expectations

still jasper
#

I mean you just added something pointless to this chat then if you're joking

soft dune
#

😴😴

still jasper
#

You say you were joking but then decided to say it worked for the top people, doesn't seem like a joke

soft dune
prisma axle
#

✌️

stable finch
#

A website I am bug hunting on has their HappAxis2.jsp open publicly with so much info, anyone knows if there is anything interesting to look for in there?

#

It has a lot of information about the machine

prisma axle
#

Any services and versions

#

you could also just submit it as a finding

#

But save the info first

stable finch
#

yeah already saved it as soon as i got it

#

Services page and the admin page are deleted or changed

#

Guess ill just submit this for now

raven falcon
#

any smaller bug bounty websites other than hackerone? I feel out of my league.

#

lol

#

nm just scrolled up

still jasper
#

You have other websites like bugcrowd and Intrigi

prisma axle
#

Looking for companies with responsible disclosure that isn't listed on big bounty sites can be a strategy

sly tulip
#

guyssssssssss

prisma axle
#

What

still jasper
sly tulip
#

lol sorry i thought i was in that server

raven falcon
#

@prisma axle that's why I was looking around. I feel like I could look at smaller businesses. I'm not going to bug bounty all the crypto projects or mobile apps.

still jasper
#

Do the H101 CTFs, get invited to a private program, that way there's less competition

lyric dock
#

Hmmm

#

After spending 4 hours to find a bug, I got to know that the page was out of scope. My bad

lyric dock
#

😂😂😂 I got to know that after submitting.

lyric dock
#

Xss

thick lotus
#

hello

#

adb install UnCrackable-Level4.apk

#

do you know use genymotion

#

i can't execute the app

#

how to run it?

vocal folio
#

That looks like a challenge rather than a bug bounty related thing @thick lotus

thick lotus
#

yes

vocal folio
#

This is the bug bounty channel.

dense sigil
#

hello anyone hacking for vector
xss/html injection

I am hacking on a target. I can really use some help. I need some gentle hints.

prisma axle
#

Can you give more information and context so we can help @dense sigil

dense sigil
dense sigil
#

Anything I put in search box It is encoded once.

hybrid orchid
#

Have you considered that it might not be vulnerable to XSS?

dense sigil
#

I want to validate this. I am trying harder.

hybrid orchid
#

What's in the source code?

vocal folio
#

It's much easier to prove by contradiction than it is to prove by exhaustion

hybrid orchid
#

I'd suspect it's just put in exactly what you entered

vocal folio
#

Eg it's much easier to prove that it is vulnerable than it is to prove that it most definitely isn't vulnerable

hybrid orchid
#

And I suspect that it will encode < and > if you enter those manually

#

Meaning the only way you're getting XSS is if you're entering attributes for an element that's already there

dense sigil
#

damn. yeah.. 😅

#

any more advice.

hybrid orchid
#

Show us the source code for the 0 results found... part?

dense sigil
#

yeah.. just a sec...

hybrid orchid
#

And without encoding the search string?

dense sigil
#

yeah.. I tried to encode the input once. Again.. it gave encoded output. .
I am unable to get a screenshot of the same.. because strangely.. whenever I give these kind of inputs.. It takes forever to load.. and sometimes 504 Gateway Time-out

latent tree
#

Try different encodings for the < and >. Try double encoding, Try just putting a " or ' and checking the source to see if it breaks(This one got me a recent BB on thm). Just because < and > don't work, doesn't mean it isn't vulnerable.

latent tree
#

The OWASP site has a fair bit of information on filter evasion too.

#

as does payloadallthethings

dense sigil
crisp gate
#

Hey, anybody mind mentoring me on bug bounty-ing? Been meaning to get into it, but don't know where to start

still jasper
#

This is a good start

honest cave
#

hi

still jasper
#

Hey

honest cave
#

I want to get into bug bounty, I'm solving web rooms but something is not right

#

I need to learn how web works, what's going on behind, but I don't know where to start

#

how should I study

still jasper
#

I would recommend checking out YouTubers such as Nahamsec, STOK, LiveOverflow, The XSS Rat and check the link up above

honest cave
#

thank you

tawdry horizon
#

I put this together to help people get started

#

there'll be an update going out soon 🙂

sudden dragon
tawdry horizon
#

@sudden dragon only some pages. I think eventually I'd have to restructure it

sudden dragon
#

That's a fair point. Looking forward to the pushed update nonetheless, added a few blogs to my rss you showed on stream. nahamsTriage nahamsTriage

scenic mural
#

Please redirect me if this is the wrong place, but could I report a potential issue with a room and the provided instructions?

#

Please disregard, I found the room bugs chat.

crisp gate
#

So

#

Can somebody help me get started in bug bounties?

still scarab
#

Anyone familiar with avast's bug bounty program here? I'm fastening my first ever bug report on a recent and unexpected finding. Currently moving into assessment phase at the moment. Wanted to know if there were any success stories from here for this sort of work beforehand.

lavish hollow
#

"Sort of work" - as in bug bounties or specifically related to anti-virus*

still scarab
#

Specific to avast's program. I found their public web portal for bug bounties very approachable. I wanted to see if anyone here has worked with them previously to some degree of success.

sly tulip
#

and btw anyone knows if when you are doing it (bug bounty) do you need to be stealthy or you can be "loud"?

merry plume
sly tulip
#

ok

still jasper
#

Just don't make it where it will end up causing a lot of traffic for the site

prisma axle
#

most companies hate using automated tools because they cause needless alerts

#

just use them sparingly

sly tulip
#

thank you

atomic forum
#

Hello, I am new in hacking and I am interested in bug bounty and I don't know where and how to start :)
in tryhackme I found this server
any advice for me 🙂

lavish hollow
#

I'd say check pins for the resource from Nahamsec

quaint bronze
fading glade
#

is there a discord group for bug bounty discussion or group for discussing strategies ?

#

Especially, beginners.

merry plume
#

This channel 😄

random mulch
#

Hey guys, I'm new to the cyber security field(moving from development sector) and I try do my best regarding knowledge and understanding of things, I watch a lot of tutorials, I try with the THM rooms and I do my research for anything new I see. So if any of you has a place in a team for me, please send me a DM, I'd love to find company for bug bounty and learning as it gets things more fun and enjoyable.

fast fable
trim nexus
#

what the useful plugins for burp pro for bug bounty?

still jasper
#

If you look at the pins Nahamsec has a beginner repo and it has burp extensions on there I would recommend checking them out

trim nexus
#

@still jasper I heard there is a good paid vulnerability scanning burp extension available?

summer crown
#

Hey people :)
After I put in "autofocus onfocus="alert() it looks like this in the inspector
<input id=" bla" type="bla" value="" autofocus onfocus="alert() " >
but it's not working.
Any ideas?
Can I not escape the double quotes or what is happening?
Help appreciated :)

#

Are there good resources where I can catch up on this and deepen my understanding?

blissful merlin
#

Hello everyone,
I found a website without an SPF record but to report that they mentioned that you need to give a PoC of mail landing in the inbox. But when I use online free tools to send emails they land in spam. Anything that you guys can suggest to send mail so that it doesn't land in spam?

potent gorge
#

Hello, I am a beginner in bug bounties and looking for a partner to collab and do bounties. If someone is interested, message me.

golden zephyr
#

@potent gorge im up for it but im also a beginner

fallen palm
#

hey guys i wanna start in bug bounty and i have a question i wanna start bug bounty as a hobby that will also make me money but idk how much i will get paid for bug bounty or if even i will be getting paid

#

anyone here whos done bug bounty for a while can you help?

prime cipher
#

I've not done any Bug Bounties, but I know enough to know that it's a pretty tough industry to make a living from. You'd need to find the available bounties on a bug bounty website - You can't just start hacking and hope you get paid.

#

As for how much.. The company offering it will have it's own requirements, parameters and reward structure.

fallen palm
#

but tbh i dont even know i really wanna start but at the same time i wanna stick with what im doing now

mossy island
#

Any paths on THM reccomended which can help our journey in Bug bounty?

still jasper
#

The web path

mossy island
#
still jasper
#

Yep those are the ones

orchid depot
#

Does anyone have a suggestion which target I should choose? I want to find my first bug and feel like I am lost in the ocean, because of the huge number of programs on hackerone. Thanks for the help (btw: any bugs I can focus on? something "easy" to find? I am not expecting to find a critical bug, I just want to find my first one)!

still jasper
#

The most common bug you're most likely going to find is XSS

#

These are the most common vulns

prisma axle
#

haha

#

these are the MOST impactful and rewarded, that doesn't mean that you will always find them as other hunters have picked a lot of the big bounties raw

#

either go for smaller targets with those vulns or go for the bigger targets with lesser known or more specific vulns

zealous osprey
#

Does anybody know a way through which I can find how much money a certain CVE has earned the researcher that discovered it?

lament cove
#

+1

modest vector
manic mango
#

Hello

#

Hello everyone I test xss in site my payload is printing here , is there any bypass

vocal folio
#

Look at your quotes there

#

You're not exiting the noscript part

manic mango
#

i don't know I used this payload I saw in payload all things

vocal folio
#

Do you know HTML and JS?

manic mango
#

How can i use in this case

manic mango
vocal folio
#

I recommend getting some more experience before try to do XSS

#

Because I don't think you understand what's quite clearly wrong with your payload there

manic mango
#

yeah you mean my payload Not closed

vocal folio
#

I mean exactly what I said

#

Look at the quotation marks.

manic mango
#

i used this payload but still

#

hey

past hatch
#

@manic mango Before firing any payload for xss try the simple <h1>Hello</h1> and if it works then proceeds with <script> or others.

gray swan
#

Christmas crisis: if I edit cookies in firefox I get a 302 but burp can run, why?

fallen palm
mellow abyss
#

hmm i wanna join bug bounty too but i am beginner

frail compass
mellow abyss
#

yeah like joining some platforms

summer crown
#

Hello people
Do you know if a post form is exploitable when there is a CSRF Token in the header?
I came across it yesterday and you can just replace the token with another valid one but I wonder if you can do anything with it.

vocal folio
#

It doesn't suddenly make it not exploitable

#

It's meant to prevent CSRF

summer crown
#

Hey, thanks for the answer.

I can exploit it using burp and then just swapping the token because it is not tied to the user session.
But how do you exploit this in reality? You cannot just change the header info, can you?

#

You know of any good resources where I can read up on that topic?

vocal folio
#

@summer crown 'exploit it' what are the trying to do with it?

summer crown
#

Like using one user account to change password or email of other

jagged frigate
#

If you get blocked by your ISP by performing a legal (underscore LEGAL) pentest, just contact them and explain the situation

#

Although it's not very likely to happen

glad patio
#

Seems way too hard to not fall in some trap while testing their site.

#

Perhaps I am wrong?

prisma axle
#

I suggest sticking to known bug bounty programs with safe harbor until you're more comfortable

#

You can also check out this to help identify best practices

native snow
#

@azure gulch Sorry for ping,
Remember this bug? Adding yourself as friend. I've found same on a bb website, just confused should I report this or not!
If yes, Idk what prob the impact would be! Thanks!

Ps: Again sorry for pinging you!

vocal folio
dense sigil
native snow
prisma axle
native snow
#

Alrightttt, Gotchaaa!

golden zephyr
#

hello guys I've been working on a program and I have encountered an adf page, is it worth it to put time on it?

#

and if yes what can i do exactly im fairly new

trim nexus
#

Every time I connect to host: nc -vvv host.local I get different DNS information:
DNS fwd/rev mismatch: host.local != dns.another.local
host.local [192.168.x.x] 80 (http) open
IP is the same but I get different DNS. Is it some kind of load balancing?

lavish hollow
#

@fallen palm Please respect rule 9, this seems highly unethical

fallen palm
#

It's my site

#

Don't I have permission to say it's fine?

lavish hollow
#

Actually

#

You need permission from your web-hosters too

fallen palm
#

Oh. Didn't know that, thanks for letting me know!

frozen locust
#

hello guys

open glacier
#

Do I need to learn the full javascript language for bug bounty?

still jasper
#

No, it's not needed, but it's nice to understand how to read JS code and how it works

dull seal
#

Hi,

I've got a deserialization bug on an ASPX website whose server is based on Plesk.
I can't use PowerShell. I can just send cmd commands using the deserialization bug and see the response in DNS requests.
The target owner wants an understandable PoC, like creating a txt file, etc.

I can't enumerate c:\inetpub on the server to find the proper place to create a file or make a PoC.

Are there any suggestions?
A method to enumerate folders and find a place for the PoC?
Or another type of PoC that is understandable for a simple user?
Or anything else?

I appreciate your help

modest vector
frail compass
#

To bypass Cloudflare you are very likely looking at a 0day. However, you might want to use Shodan to find the website's real IP if it is hidden somewhere.

merry plume
#

@prisma axle ^^ is that something Shodan can do?

prisma axle
#

maybeeee?

frail compass
#

Here @merry plume

#

There are a few ways. Like checking the name of the favicon or the hash value of it

upper frost
#

See, suppose you are doing a penetration test against a site (full permission).
You use any tool (like ZAP) and show them reports.
Will they accept it?

strong crag
#

Running ZAP and showing people reports is not a pentest.

#

it's not even bug hunting.

#

it's not even compliance verification

vocal folio
#

IIRC anything ZAP picks up will be incredibly low-hanging fruit

frail compass
#

It depends on the plugins you use too

vocal folio
#

I think that applies to all automated scanning really

#

If you're even allowed automated scanning

median sparrow
#

I'm also wondering if there is a reliable way to know which plugins a certain website is using. I was looking at old reports on HackerOne (this one: https://hackerone.com/reports/365271) and found this report which was awarded a lot of money for a vulnerability in a plugin the website was using. I couldn't find any good tool though. Or is that impossible without having the source code?

#

My best try at it was to use the Wappalyzer extension for the browser, which looks reliable from the few tests I did. It tells us the backend and the frontend languages/frameworks. Then see which functionalities the website offers (like datetime handling and image-related functionality) and see which plugins are most commonly used to get these functionalities using the technologies that the website uses. Then look for CVEs for those.

orchid depot
#

Is there any way to exploit GraphQL with introspection disabled?

pale plover
#

Why not, if you know or can guess the schema

strong crag
#

Take a look at what calls are issued to that GraphQL service from the application. Sometimes you might have some interesting queries that you may want to check if you can get information disclosure out of.

#

Without introspection you kind of end up relying on a bit of recon and proxying calls to figure out the schema / queries.

#

If the GraphQL does provide information on your user, try and see if it has IDORs that let you access other users' information

low dagger
#

I have walked through many sites like this; the payload reflects on the page but it doesn't fire. What's the reason behind this?

thorn parcel
#

The input is probably filtered so it isn't an actual tag

stable osprey
#

Did you try closing the strong tag? @low dagger

low dagger
#

Yup, it only reflects, same as this one

paper night
#

If anyone has done the SSRF with whitelist-based input in the PortSwigger Web Academy, then please DM me, I have a doubt

#

Or just tell me how the # in URLs actually works. Like, yeah, I know it works as an anchor and if the web app doesn't support it then the contents after # are just ignored, but say I am embedding username#@url/somepage, then it goes to username/somepage, but username/somepage@#url doesn't work. Please explain why.

past hatch
#

@paper night That's a lab-specific question. That lab supports embedded creds, like username@stock.shop.org (e.g.). Also it rejects #, so you need to double-encode it so it performs the search query on that username (you can use localhost there) and then access /somepage.

paper night
#

Yea

#

But I'm asking something different

past hatch
#

The latter one won't work because there # is acting as a query terminator for the username, so the query will block username/somepage directly, but it can be accessed by username#@domain/somepage (follows the embedded cred format)

paper night
#

Oh I see, can you refer me to the RFC?

shell sage
#

If I have found a bug in some organization and they have validated that but not fixed yet can I share my findings without making the asset and vulnerability visible?

lavish hollow
#

Depends on your contract

shell sage
#

Okay thanks @lavish hollow

atomic forum
#

I want to do SQL injection on a website which is protected by Cloudflare. I inject all the basic SQL injections but I cannot bypass it, so what should I do?

quaint bronze
#

Generally speaking, while there are WAF bypasses it's not traditionally worthwhile to try to evade them

prisma axle
#

That's a lot of injection

vocal folio
#

Especially Cloudflare; a Cloudflare WAF bypass is gonna be super notable

strong crag
#

Could try to find the actual IP behind Cloudflare

frail roost
#

I am a beginner in bug bounty. Could anyone please guide me to the right study material to be studied (for free) and the rooms which are available on TryHackMe? Answers are welcome, thanks in advance...

lavish hollow
#

Web fundamentals

#

Uhh

#

I don't think I can get a room list because it's a subscriber path

mossy sphinx
lavish hollow
#

But look for things that are web-related

golden zephyr
#

anyone wanna collab doing hands on bug bounty and learning (beginner)

#

If there's someone, DM me

fallen palm
#

I'm a noob....

lavish hollow
#

Hi noob, I'm dad

fallen palm
tall slate
fallen palm
#

hello

still jasper
#

Hey

slender jacinth
#

!docs verify

marsh falconBOT
low crest
#

idk where to start in bug bounty, can someone please guide me 🙂

ebon tapir
foggy bone
#

Hello Everyone

#

Need someone to help me in bug bounty please, I am new here

nocturne flame
#

Hi everyone

tall slate
heady raptor
#

Umm... I have the most basic question.
HOW DA HECK DO I CHOOSE AN ENGAGEMENT?

strong crag
#

you mean a program?

#

Welllllllllllll... choose one where you understand the scope and which allows you enough things to poke. Then enumerate a bit and see if it interests you.

#

H1 and bugcrowd should have plenty for you to search around...

#

Stay away from programs that have bad reputations for closing bugs without explanations or not replying forever

#

If they have disclosed reports, take a look at the kind of reports that have been disclosed and figure out if their tech matches your skillset (or use Shodan for that)

#

The list goes on, but go through a bunch of targets that have programs with RoE that you are willing to accept.

nocturne flame
fallen palm
#

hi

#

people

#

Any bug bounty specialist here?

#

I need some sort of advice

lavish hollow
#

Just ask, someone will help you when they can

heady raptor
#

ya anon_me kekw just ask. ask ask. ask away

hybrid orchid
#

(Good luck, they got yeeted)

regal crypt
#

Does H1 require a lot of knowledge, or is a beginner able to start picking some programs?

still jasper
#

I would watch their videos first so you get an understanding

#

Then do the H101 CTFs and get invited into private programs

regal crypt
#

thanks 😄

#

I'll do that

past hatch
#

Also don't forget to do the H101 Grinch CTF, it's pretty good kekw

regal crypt
#

I loved the THM advent

past hatch
regal crypt
#

I will try then 😆

slender crescent
#

When we fuzz all the endpoints in the Target tab in Burp it sends a lot of requests, so can this crash a site or lead to DoS?

paper night
#

Hey guys
So recently I found a bug in a web app where the same PIN is given to a user if he does forgot password. I tried multiple times from a browser, then in incognito, then a different device with the same external IP and then a different device with a different external IP, and all times I get the same PIN for forgot pw, so what can be the impact here?
I'm writing a report to the firm but I can't think of an impact of this bug

ionic prism
paper night
#

@ionic prism Yeah it does, but shouldn't it give different new arbitrary codes whenever the user does a reset pw, and then terminate those previous unused PINs?

ionic prism
#

The PIN should definitely expire eventually, though I could understand if they just re-send the same PIN if you try to do a reset within the window of time before it has expired? 🤔 That could help prevent a UX problem like clicking the submit form button twice and then getting two codes and not being sure which one to enter

#

That said, if it's been a few hours/days/etc and the PIN hasn't changed, that's a cause for concern because it should expire

paper night
ionic prism
#

Just to clarify, since I realized I made some assumptions: is the password reset flow something like:

  1. Enter Username (or Email) on password reset form
  2. Email with PIN and link is sent to account owner
  3. Account owner has to follow the link, enter the PIN, and then enter a new password
  4. Account owner is shown the login screen and has to log in again

Or is it different from that?

#

I should also say, in the name of transparency: I'm a newbie with security stuff, though I've been an application developer for the better part of a decade. So, I'm not necessarily an expert on this even though I have had to work with stuff like authentication in the past and have read up on best practices 🙂

paper night
#

different

#

It's like:

  1. Enter registered email of the account
  2. Code sent to email
  3. Enter Code from email
  4. Change pw
  5. Login again
prisma axle
hybrid orchid
#

-undelete -a

uneven galeBOT
#

Up to 10 last deleted messages (last hour or 12 hours for premium):

43 seconds ago (Sat Jan 9 18:50:39 2021) Raman_MG#8864: Hi

hybrid orchid
#

@daring rune Hi

last elm
#

Hi chat
I found an endpoint on a subdomain which allows me to upload pics.
Want to make an ASP.NET shell? Any idea?

prisma axle
#

@last elm there are plenty of resources online for how to make any kind of shell.
Also, just because you can upload pics to an endpoint doesn't mean anything.
Does it have filters? Client-side or server-side? Does it allow you a way to execute those files / view them? Do they have a WAF?
It's typically not as easy as just "oh I can upload pictures".

last elm
foggy bone
#

Hi everyone, any best book for bug hunting? :blobheart:

fallen palm
trim nexus
#

Using Burp Suite scanning I found a reflected XSS. But browsing the vulnerable URL does not reflect anything.

#

I opened Chromium with protection disabled: chromium --disable-web-security

#

The browser may be filtering the request... right?

floral arch
#

I found a google bug

#

What to do next ?

still jasper
still jasper
floral arch
#

It is a cross bug or something, I don't know the names

#

It is in Google drive with google classroom

#

With the permission access type error

#

IDK what to say... 😦

still jasper
#

Ok and how is that a security bug?

odd sable
sand mason
#

I found a Try Hack Me bug
What to do next?

still jasper
#

!docs bug-bounty

marsh falconBOT
still jasper
sand mason
ebon tapir
#

Just make sure, it's a security bug.

sand mason
abstract cargo
#

I thought I found a security bug in Facebook, but it appears Facebook lets the passwords not be exact at all (skipping some letters, capitals, numbers) lol

lament cove
#

This may not be the right platform to ask, but can someone recommend web exploitation resources that might be helpful to a beginner?

PS: I'm clueless about it. A bit familiar with Burp and Wireshark.

I'm trying to explore bug hunting

still jasper
lament cove
coarse latch
#

I have a doubt regarding subdomain takeover, can anyone help me clear this out...

I have seen reports for "subdomain.example.com" type subdomains on HackerOne and other bug bounty platforms and know that this is eligible, but if there is a "subd.subdom.subdomain.example.com" type domain which an attacker can take over, is it also counted as a subdomain takeover attack?

sand mason
#

When will TryHackMe reply to my email report?

still jasper
#

It depends when one of the staff are online and are doing the emails

elder saddle
#

spaghetti aglio e olio, and some spicy sausage for dinner.. yum

#

unibic can you explain to me what a subdomain takeover is?

#

So if you have a nameserver for the zone *.zone.example.com and achieve access, then you can create as many subdomains as you wish

mellow abyss
#

Any idea how to bypass WAF lol 😂

terse moat
#

can we report as a bug

#

is this valid

merry plume
#

Is that the bug?

#

I wouldn't post the bug

#

cause someone else may report it lol

terse moat
#

pls confirm

#

Can anyone please check and confirm back ASAP

merry plume
#

you want us to check whether this is a legit bug?

#

You know if it is, someone's gonna steal it and claim the money, right?

#

I would highly suggest deleting your bug and doing your own research 😄

lavish hollow
#

@terse moat Have you had permission to do that

strong crag
#

Please note that responsible disclosure means you should be responsible about disclosing things.....

#

follow program guidelines at all times

#

you can get in trouble otherwise 🙂

hardy prairie
#

Can anybody recommend a guide for getting started with API testing, for somebody who already tests web? Basically want to get up to speed on API-specific tools, bugs to look for, etc. Will move this to the resources channel actually, probably a better place

fallen palm
fallen palm
# elder saddle so if you have a nameserver for the zone *.zone.example.com and achieve access, ...

It's basically a misconfiguration vulnerability caused by a CNAME entry which points to an external service which is no longer there (and so can be taken over by an attacker).

For example, if you find a subdomain which used an S3 website bucket to show its content and used a CNAME to show that content within the site context as a subdomain (thus showing the subdomain URL and not the bucket URL), you could possibly claim that bucket name if it no longer exists. This would allow you to de facto control that subdomain.

So roughly this would mean first enumerating a web site's subdomains and then testing for the possibility of takeovers via an HTTP request (there are several basic tools that can help you with this). This 2nd step depends roughly on (a) understanding if there's a CNAME entry behind that subdomain's DNS (which can generally be tested using the terminal command 'dig A subdomain.website.com' and looking for a CNAME entry to an external service) and (b) reviewing the HTTP response from the subdomain/service to check for a possible response text that could indicate an unclaimed service (e.g. in Amazon this would be 'The specified bucket does not exist').

Here's a good place to start reading about this vulnerability: https://github.com/EdOverflow/can-i-take-over-xyz.

elder saddle
#

I can't begin to comprehend how things like this exist when the service is no longer maintained... That level of abandonment should be criminal

fallen palm
#

It's actually one of those misconfiguration vulnerabilities, like internet-open DB ports, that are potentially very risky (e.g. cookie theft might be possible if the subdomain is in the site's cookie scope) and relatively quite common and easy to exploit :/

elder saddle
#

I just mean that if I set up a service, and send it to a landing page somewhere, then decide to stop using that service, then I should probably pull the record out of the zone file... It seems common sense. Poor sysadmin work

#

Then, much too often, the vulnerabilities are just that: capitalizing on the product of lazy admins.

sand mason
#

Hello...
When will TryHackMe staff respond to my email report? It's now been 3+ days and my email has not received a reply

lavish hollow
#

Please be patient they will answer it when they can. If they do not respond in 7 days, send a follow up email.

sand mason
#

Okay thanks for the information

hoary gust
#

Hi. I need some help. While testing a web app, I found they're using a load balancer or some reverse proxy. So I focused on the Host header. Adding my Burp Collaborator domain in the Host header gets me a DNS request in my Collab. But the response is a 503...
I tried some private IP ranges but I'm getting 503 only.

Any recommendations I can try which I missed?

frozen anvil
#

Anyone here I can ask about anti-CSRF bypass? I am running through Burp with a macro fetching the CSRF token and changing the token for every new request. It works; however, when I run the request with Intruder with the dictionary provided, still no success. It is a lab so I don't think brute forcing should take longer than 15 min? I must be missing something.

blissful egret
#

Hello, I want to ask: is it okay to use Metasploit in bug bounty? For example, let's suppose someone has found an old version of Apache running. Is he/she allowed to exploit that using MSF payloads, or does he/she have to just report that the server software should be updated to the new version? (Thanks)

wintry hemlock
#

I think it depends on the situation. Are you asking whether to hack it or to report it?

#

Hello fellow bug hunters 🐛

#

New here. I'm not entirely new to cyber and coding etc. But 0% into bug bounties. I suspect that's exactly what I am wired to do, so I'm here, diving into this world 🤘

blissful egret
harsh sleet
#

Hello, I want to ask why companies don't pay for rate limiting vulnerabilities in their authentication mechanism.

#

They are like "we are aware of this, thank you sir"

vocal folio
#

At the end of the day, it's their program.

dim tusk
still scarab
#

Hey so question, for bug hunting, is it a good idea to report miscellaneous bugs found that aren't in scope but helpful for the company along the way?

lyric dock
#

Depends on the company @still scarab

lavish hollow
#

If it's not in the contract I would avoid going there. If you accidentally break something and you were not supposed to be there you'll be in a lot of trouble.

past hatch
tall slate
#

Hey, I found something on a site. I wanna make sure whether it should be considered a bug or not before reporting.
If we do a curl to example.com/, it shows a 400 request along with awselb/2.0

#

Which isn't visible otherwise

past hatch
#

@tall slate What matters is the impact of the bug.

tall slate
#

It's like information disclosure. I tried to do some research on awselb 2.0 but didn't find much

still jasper
#

It's been reported before

tall slate
#

I read that thread

#

As per the thread

#

It seems to be information disclosure

still jasper
#

If you show what's disclosed and can prove the impact then I guess you could report it

tall slate
#

Isn't the server and its version disclosed?

still jasper
#

Yea I guess so

#

From that thread it's a load balancer

tall slate
#

Actually it's only the 2nd bug I've found, so confirming

#

Not someone who knows how to write good reports haha

still jasper
#

If you don't know how to make one look at others

#

This also may help

tall slate
#

Yup

#

Now I am getting what I should report

#

Thanks for the help

tall slate
#

Reported.

tall slate
#

@still jasper it got accepted as informative

merry dock
#

good job!

foggy pond
#

Hi guys, I want to ask, is it possible to trigger XSS inside HTML meta tags? I found a parameter where the value or data input will be returned into the meta tag attribute content="Here" but I don't know how to trigger it. I have tried many event handlers but the results are not there.

wraith hamlet
#

I believe that's because it's very limited to browsers. It's practically useless, but for testing purposes, I believe it only works in Safari. Don't take my word for it though

still scarab
#

Finding your first in scope bug in a real world setting feels amazing :D

#

I'm just wondering how they'll respond to it next, lol

robust crescent
#

Should you be using a VPS for everything from recon to testing? Just learned about Akamai.

robust crescent
merry plume
#

If your VPS allows that?

#

I doubt it will tbh

#

AWS won't for sure 😄

west echo
#

New premium user on TryHackMe, trying to learn bug bounty 😄, would appreciate room recommendations

modest vector
# west echo new premium user on tryhackme , trying to learn bugbounty 😄 , would appreciate ...
west echo
#

Yeah, currently using this room, ty 🙂, any other rooms to try after that?

modest vector
west echo
#

thank you 🙂

robust crescent
merry plume
#

you can pentest your own machines

#

you cannot use it to pentest others

#

you can attack your OS

#

you cannot attack the cloud

robust crescent
merry plume
#

IDK what those books say, but I passed an AWS cert about ~10 days ago and I had to study specifically what AWS does & doesn't allow with pentesting

#

You cannot attack others with AWS, that is 100% against their ToS. You can attack your own software on your own AWS instances 🙂

#

If you are being attacked by an AWS instance, contact their security team who will destroy the attackers

robust crescent
#

Just asking if a VPS is a must for bug bounty recon/testing, because I've been gathering from multiple sources that it's necessary.

merry plume
#

here

#

@mystic moat hey uncle rat!!!!

merry plume
#

XSS is very very very good at bug bounties, far better than I am ๐Ÿ˜„

robust crescent
still jasper
#

He also did an AMA on the reddit about bug bounties ๐Ÿ™‚

still jasper
#

Yep

#

It was a few weeks ago

robust crescent
robust crescent
mystic moat
#

Hey @robust crescent it depends 😄 the only thing really required for bug bounties is a browser imo, but if you want to do recon or make a reverse shell back to somewhere a VPS sure is handy 🤗 it can also be used for any out of band testing that you need to.

Sorry for the shameless self promo but maybe this helps as well https://youtu.be/xOMLqIN7gfc

analog glen
#

@merry plume What are the rules for notifying AWS that a pentest of your own resources is going to occur? Can you do an external pentest, or does it have to originate within the VPC?

robust crescent
merry plume
mystic moat
#

Some programs require you to keep it low and slow on the automatic tools, always read the scope page 🤗 I tend to keep my requests to 1 req/sec if the target says "no automatic scanning". That being said, recon does not tax your target per se if you are for example doing subdomain recon via the Wayback Machine

crystal dawn
wind walrus
#

Since we're on this AWS topic, do you guys know if it is legal to set up an EC2 instance to proxy my traffic while performing recon?

prisma axle
#

why would it be illegal lol

#

I mean, not a lot of reason for it if you're being chill in your recon or use a VPN

modest vector
fleet fern
#

Hey all, yeah I'm very interested in getting into bug bounties but I'm afraid I will just be wasting my time since I know most bounty hunters searching are more knowledgeable than me and have had time to exploit. Any suggestions? How hard is it?

vocal folio
#

Don't expect to make money from it

fleet fern
#

That's what I thought

#

I make tiny bits of money doing qmee surveys and playing games on mistplay

#

I expected it might be harder to find funds out of bounties

vocal folio
#

Private programs are better, but you're not likely to get rich off it. Depending where you are and the cost of living, it might pay for stuff tho

modest vector
#

Please don't post the same thing in multiple channels. The other two have been deleted.

hybrid orchid
#

As has this one because it's in the wrong place and it's been posted a good 20 times

vocal folio
#

@fossil sail Specifically, Rule 3.

fossil sail
#

oh i apologize thank you!

vocal folio
#

You should also verify, after reading the rules

fallen palm
#

Hey everyone!

#

I found an open redirect on a website's reset-password page. I can change the Host to attacker.com & it will redirect there + the email which the user will receive will contain attacker.com/user/token.
Now, I want to take a video of this & send it to the security team, but can anyone help me out on how I can capture cookies in my terminal, or from 000webhost?

#

When I insert Host: <attacker.com>, the user gets redirected to the https://attacker.com/user page. So, I am a bit confused on how to capture cookies & show them on my terminal.

fallen palm
#

A reply would be greatly appreciated.

quasi pivot
#

Are you able to do the attack through Burp? It might also be easier for them to see and replicate. It'd also show cookies etc.

fallen palm
#

Why when we do a command injection we use two pipe symbols and not one?
email=||whoami>/var/www/images/output.txt

#

and for example email=x||ping+-c+10+127.0.0.1

tall slate
#

One | is for piping the output of the first command to the second. On the other hand, || means OR, i.e. the 2nd command will execute if the 1st one gives an error.

#

Please correct me if wrong xd

#

& - run in background
&& - execute 2nd after 1st execution finish
| - pipe 1st output to 2nd as input
|| - execute 2nd if 1st gives error

fallen palm
#

Oh I see, because this was the challenge I had to solve:
Use Burp Suite to intercept and modify the request that submits feedback. Modify the email parameter, changing it to: email=||whoami>/var/www/images/output.txt||
Now use Burp Suite to intercept and modify the request that loads an image of a product.
Modify the filename parameter, changing the value to the name of the file you specified for the output of the injected command: filename=output.txt
Observe that the response contains the output from the injected command.

#

So I'm assuming we are piping "whoami" to the email command then piping it to /var/www/images/output.txt so we can read it?

tall slate
#

> is used to redirect the output

#

Like

whoami> a.txt

#

This will create a file a.txt containing output of whoami

fallen palm
#

What are we piping that to?
Are we piping it to /output.txt?

fallen palm
low crest
#

How do I get into bug bounty?

#

What should I focus on?

#

And where can I learn?

#

Learn and practice

low crest
#

โค๏ธ

finite elbow
#

hello

still jasper
#

hey

finite elbow
#

are you doing this

#

the hacker one channel

still jasper
#

what do you mean?

finite elbow
#

on tryhackme are you in the hacker one bug bounty room

still jasper
#

Oh yea

finite elbow
#

can you help

#

I'm new and dumb

still jasper
#

What do you need help with?

finite elbow
#

the second question

vocal folio
#

Is that even released?

still jasper
#

The room got accepted today

finite elbow
#

Where else do you need to submit flags to in-order to win prizes and private bug-bounty invites?

still jasper
#

It's not out yet

finite elbow
#

thats the question

vocal folio
still jasper
#

If you read it, it says 20th Feb

vocal folio
#

Because if it's not released, don't ask for help please

finite elbow
#

oh

still jasper
#

It said accepted in the queue

finite elbow
#

so i cant answer the questions

still jasper
#

No

finite elbow
#

Dude, it's been 2 hours lol

#

Are there any more rooms for bug bounty?

still jasper
#
finite elbow
#

thanks

#

@still jasper what should I do first (I do have premium so I can do all rooms)

still jasper
#

Go from top to bottom

finite elbow
#

ok

waxen folio
#

hello guys

#

How to start bug bounty?

still jasper
#

Check the pinned resources

#

Check out PortSwigger labs, PentesterLab and OWASP

#

Do some H101 CTFs

waxen folio
#

Okay, thank you

#

#blackout

fallen palm
#

Is OWASP ZAP good for vuln finding?

still jasper
#

Yep but don't rely too much on tools because they can give you false positives

fallen palm
#

Okay thanks

still jasper
foggy pond
#

Hello guys, is hacking a WordPress site only through a theme plugin? Or is there something interesting? Please let me know

vocal folio
#

What do you mean by hacking here?

foggy pond
vocal folio
#

What are you trying to accomplish here?

#

RCE from the dashboard? Hack in without access to the dashboard?

foggy pond
#

I just want to know if the people here, when doing bug bounty and finding subdomains/domains using WordPress, are just doing a wpscan scan to get a list

#

Because when I found a WordPress site, I just did a scan using wpscan

vocal folio
#

Yes you can list plugins using wpscan.

foggy pond
#

Ok nice thanks

vocal folio
#

There are more things you can do with WordPress though. And listing the plugins really isn't much of a pentest.

foggy pond
#

Sorry, I don't know much about WordPress

vocal folio
#

You look at the scope

#

See what is in scope

foggy pond
#

Ok, I understand a little, thank you 😆

wind walrus
vocal folio
#

I mean I just said it's feasible

wind walrus
#

I know, I know. Just sayin' 😋

lavish hollow
#

What CTF is this?

last elm
ebon tapir
gray shard
#

Good luck, wish you the best

vocal folio
#

-warn @last elm Asking for help with interview CTFs is unethical and arguably fraudulent

uneven galeBOT
#

⚠ Warned DoSec101#5909

void meadow
#

:sus:
@ebon tapir ... yooo 🙋‍♂️

ebon tapir
#

Yo? 👀

fallen palm
#

@al have you checked the RevSlider exploit for WordPress yet?

#

Anyone here wanna collab?? (bug bounty on HackerOne)

last elm
#

Hi chat
Now I found a subdomain; when I open it, it redirects me to an admin login page.
And I typed a normal username (name of the company) and the same password,
And it opened the dashboard for me.
Should I report it, and what severity? + What is the name of this vuln?

lavish hollow
#

Oh wait

#

@last elm What is this for exactly?

last elm
lavish hollow
#

As you recently asked a question relating to an interview and you're now asking something fairly straight forward, I'm going to retract my comments.

prisma axle
past hatch
last elm
#

Thanks for your chat ❤💪
I already reported it and they are now reviewing the report

eager violet
#

imagine if it was as simple as <h1><script>alert(document.domain);</script><h1> all the time

#

..... 😆

modest vector
#

Import-Module Gib-EnterpriseAdmin.ps1

young spoke
#

Hahaha!

ancient ridge
fallen palm
#

hey! Anyone here?!

#

Can anyone please tell me how to start bug bounty hunting?!

fallen palm
#

I'm really interested in the field but I can't seem to find any good learning material

fallen palm
vocal folio
fallen palm
#

I'm a newbie

#

😦

fallen palm
vocal folio
fallen palm
#

I recommend NetworkChuck if you wanna get started with some hacking

vocal folio
#

!website

marsh falconBOT
short drift
#

Explore the target site, see how it works, see what you can interact with, check for any subdomains or weird API endpoints. Enumeration, enumeration. Learn how what you're attacking works and how you can break it. Lots of good web vulns to explore in the web exploitation learning path

vocal folio
#

But before bug bounty

#

Learn some basic web app stuff.

fallen palm
still jasper
#

I also recommend Portswigger labs

short drift
#

Portswigger labs is such a good resource and will help anyone new to web out exponentially, their site helped me master SQLi

misty mountain
#

I just did their SQLi stuff and it's great, I'd suggest doing the challenges where you need to use automation in Python though

fallen palm
#

What is "spring.datasource.password"? Found it on a github of a company (bug bounty), just wanted to know what it is and if it's worth reporting?

bronze mulch
#

I know error and vulnerability types but I don't know where and how to find the vulnerability

vocal folio
#

You'll want to learn web hacking then

jagged frigate
bronze mulch
#

thx

jagged frigate
bronze mulch
#

no

#

I teach something

jagged frigate
bronze mulch
#

no

#

I am beginner

jagged frigate
# bronze mulch no

I'd suggest learning how to do this stuff first, and then maybe going into bug bounties

bronze mulch
#

thx

jagged frigate
marsh falconBOT
jagged frigate
#

Do these challenges and you'll learn a lot

bronze mulch
#

thank you so much

#

I can't use virtual machine because my system properties

Operating System
    Windows 8.1 Pro 64-bit
CPU
    Intel Pentium P6200 @ 2.13GHz    62 °C
    Arrandale 32nm Technology
RAM
    3,00GB Dual-Channel DDR3 @ 532MHz (7-7-7-20)
Motherboard
    Hewlett-Packard 1413 (CPU 1)    62 °C
Graphics
    Generic PnP Monitor (1366x768@60Hz)
    Intel HD Graphics (HP)
Storage
    465GB Hitachi HTS547550A9E384 (SATA )    33 °C

#

I have 3gb ram

#

like a joke

jagged frigate
tall slate
#

@bronze mulch u can use liveboot

#

I have i3 2nd gen, with 2 gig ram. So i used to use liveboot

#

It will get job done

bronze mulch
bronze mulch
#

thx

bronze mulch
jagged frigate
#

but you can buy VIP if you want

bronze mulch
#

can you look this

#

@jagged frigate can I send photo

lavish hollow
#

You need to verify

#

!docs verify

marsh falconBOT
bronze mulch
lavish hollow
#

What's wrong with the room?

bronze mulch
lavish hollow
#

It is free...

bronze mulch
#

I cant see video

jagged frigate
lavish hollow
#

Videos are subscriber only, not the rooms.

bronze mulch
bronze mulch
jagged frigate
#

Great

still jasper
#

@hybrid orchid

vocal folio
#

Banned

fallen palm
#

Hi guys,
I'm new on this, want to start a career on bug bounty's, but don't know where or how to start...

still jasper
#

Check the pinned resources, do the web stuff on TryHackMe and Portswigger labs

native token
#

I'll just throw in as Blackout mentioned really good resources. Aiming to go into bug bounty is really difficult as a beginner, the people you see doing really well have put years upon years in to make it look so easy. Most people are lucky to make $500 per month from bounties

jagged frigate
fallen palm
jagged frigate
native token
#

I'm not trying to scare people away from bounty but it really isn't as easy as it looks on Twitter

fallen palm
still jasper
#

^^ People will rely too much on tools and copy and paste payloads

native token
#

The big bugs come from finding ways to bypass wafs

quasi pivot
#

Finding bug bounties that aren't on hackerone etc too is a good way to find programs where all the low hanging fruit hasn't gone.

native token
#

truth be told there's plenty of bugs on public programs on h1

#

people just get stuck in the mindset of "My payload from payload all the things didn't work, nothing here"

#

or rely too heavily on scanners

quasi pivot
#

true true

bronze mulch
#

at least the free ones

#

and how can I try myself

#

about bug bounty

#

I have this

#

this is like a ctf but to use it I must know xampp but idk xampp

vocal folio
#

There's a hosted version for you.

bronze mulch
#

thx

craggy ocean
#

So actually bug bounty is to search for bugs in website and web application? Do you first need permission from the creator/owner?

still jasper
#

In web apps, mobile apps and etc

craggy ocean
#

Oh mobile apps also 🤔

lavish hollow
#

If it's not yours, you need permission. Just go by that rule.

still jasper
#

There are platforms that allow you to hack on them legally as long as you follow their policy

craggy ocean
#

Interesting, but how can you find bugs in mobile apps? With kali linux or with your mobile

still jasper
#

By learning swift I would imagine

craggy ocean
#

Yeah

still jasper
#

with ios anyway

lavish hollow
#

There are tools that allow you to take apart application etc.

craggy ocean
#

So you can't search for bugs on every website

still jasper
#

Nope

craggy ocean
#

Ah ok

still jasper
#

Only ones that have programs or you have permission

craggy ocean
#

So actually I need to search for bugs via hackerone per example

craggy ocean
still jasper
#

If you want to then yea, hackerone has a lot of big programs on there

#

such as snapchat, tiktok, facebook etc

craggy ocean
#

Hmm ok

#

Nice

#

Ty for Everything

modern shale
#

What are the possible ways to attack CMS based web application

violet basin
#

Hi all

tall slate
#

Hii

wintry hemlock
#

Hi, quick question:

#

In Hackerone, how can I make sure I have permission to probe and try to bug hunt? I've been shy about bug hunting because I don't think there is enough information on Hackerone about legal implications

still jasper
#

Each program has their own policy and scope

wintry hemlock
#

I don't want to test aggressively because of this

#

Thanks, I'm aware of my scope of work, but I may make noise so

still jasper
#

Don't rely too much on tools as long as you keep in scope you'll be fine

wintry hemlock
#

That's that

quasi pivot
#

Programs who don't want u to make noise or use automated tools will say so

wintry hemlock
#

Do you guys anonymize yourselves as you try things or just head on?

still jasper
#

I have a vpn, some may use a VPS some may not use either

quasi pivot
#

Not really, I use a VPS, I'll use a VPN if they automatically block me/limit me or w/e

still jasper
prisma axle
#

@wintry hemlock If you're really worried about legal stuff just make sure the program has safe harbor and a clear scope and you'll be fine

wintry hemlock
#

I reached out to an engineer of the company and they told me it's okay as long as there's no lateral movement etc

#

๐Ÿ‘๐Ÿ‘

terse kestrel
#

hey guys I am new in this chat server

young spoke
#

Welcome 👋 @terse kestrel come and join the lovely folk over in #general (:

fallen palm
#

Hey everyone, is there anyone willing to collaborate on some bounty programs with me (Hackerone)

fallen palm
#

@native token Hey brother, sorry for the bug (pun intended), but what helped you become a bug bounty hunter and start looking for bugs ? Do you have a background in cyber security or programming ?

native token
#

Yo, I only really do bug bounty once in a blue moon, but background wise I work as a pentester and have done for around 6 months now 🙂

hot basin
#

Hi all! Anyone with a Yogosha account here? (Collab pls, I want to report a security issue on a program that uses Yogosha, kindly DM me please)

fallen palm
native token
#

pentesting pays really well yes, I only really do bug bounty when I'm bored, have an abundance of time on my hands or just testing a technique/tool

fallen palm
#

Define "really well " lol

native token
#

Enough to pay the bills and live comfortably. Not really sure how else to define it

fallen palm
#

That's awesome, maybe I'm beating myself too much over this bug bounty stuff

#

I think I'm sticking with my cyber sec path

native token
#

I have a really cynical view point on bug bounty, though I can be successful in it. it's a lot of effort for potentially no payout.

#

Not to talk crap about them but they aren't healthy for people starting out in this field as people go into it after seeing people on Twitter/Social Media posting "LOOK AT ME I MADE $$$$$ FROM BUG BOUNTY" when in reality that only happens on a very rare occasion. Bug bounty is literally going over webapps with a fine tooth comb to find what pentesters missed. If a company has a good testing team, there won't be much

#

That being said pentesters are also restricted on time depending on the client or scope, so it isn't uncommon for them to miss the insane and obscure stuff

fallen palm
#

Interesting point of view. There is a lot of hype on social media about this stuff. After reading your thesis I think I am safe to stick with my cyber sec path and then eventually look at bug bounty later for extra income

native token
#

How long have you been learning in this field? If you don't mind me asking?

fallen palm
#

Going on for 2 years

native token
#

I'd probably say don't stress trying to get into bounty though, it's not easy in the slightest and people only post the earnings on social media. They don't show the hundreds of hours that went into getting that payout

#

There's a big jump going from THM/HTB into bug bounty/industry to say the least

fallen palm
#

Appreciate your professional insight on this. It's perfectly clear what I should do now 😊