Hello folks! How are you? I hope you're doing well. I'm Dipak (th3.d1p4k) from India. In this writeup I'm going to tell you how I got my first bounty and my approach to hunting bugs.
This is my first writeup, about my first bug bounty. I'll be sharing my mindset. (It might not be for experts; I'm a beginner, so please leave your suggestions in the comments.) Without wasting time, let's get started.
I found a program that has a responsible disclosure program (a premium chat application). Then I read their policies and all, and started hunting. (Note: read carefully what is in scope and out of scope; in this program, RXSS is out of scope.)
I started with basic recon. I gathered as many subdomains as I could, then probed them. Tools I used: Sublist3r, assetfinder, httprobe. I made a list, then checked them one by one by opening each in the browser. The website looks secure (maybe), and its subdomains are also connected to the main domain. Then I signed up and checked all possibilities to find a bug. No luck 😅. It seems secure because you have to pay to unlock the other features. Then I did some more recon on the target using Shodan. I used a Shodan dork (e.g. hostname:"target") and found an IP. When I opened it in the browser it showed "This is a server, on the Internet".
Then I got one directory named "simple" with status code 301. When I opened it, it redirected to an index.html file, which contained lots of repositories, configuration files, scripts, etc.
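The step above (a bare 404 on the root, a 301 on /simple that lands on an index.html) is exactly the case where a probe that silently follows redirects hides the finding. Below is an added example, not the author's tooling: a small Python prober that requests each wordlist entry, refuses to follow 3xx responses, and records the status code plus the Location header so a 301 shows up as its own result. The target it runs against is a constructed local fixture (a root page and a "simple/" directory with an index.html, served by Python's built-in HTTP server); the hostnames, paths and wordlist are assumptions for the demo.

```python
"""Directory probing that surfaces redirects instead of following them.

Added example, not code from the original writeup. The target is a constructed
local fixture so the demo runs offline; point probe() at a real base URL (in scope!)
with a real wordlist to use it for recon.
"""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError for 3xx, so the redirect is reported, not followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, words, timeout=5.0):
    """Request base_url/<word> for each word; return {word: (status, Location header or None)}."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for word in words:
        url = f"{base_url.rstrip('/')}/{word}"
        req = urllib.request.Request(url, method="GET", headers={"User-Agent": "dir-probe-example"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                results[word] = (resp.status, resp.headers.get("Location"))
        except urllib.error.HTTPError as err:
            # 301/302/404 etc. all land here; keep the Location so a redirect is a finding.
            results[word] = (err.code, err.headers.get("Location"))
        except urllib.error.URLError:
            results[word] = (None, None)
    return results


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Fixture server handler with request logging silenced."""

    def log_message(self, format, *args):
        pass


def serve_fixture():
    """Constructed target: root page, a 'simple' directory holding an index.html, nothing else.
    SimpleHTTPRequestHandler answers GET /simple with 301 -> /simple/, then serves the index."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "simple"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("This is a server, on the Internet\n")
    with open(os.path.join(root, "simple", "index.html"), "w") as fh:
        fh.write("<a href='appconfig/'>appconfig/</a>\n")
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_port}"


def run_demo():
    """Probe the fixture with a tiny assumed wordlist and return the raw results."""
    httpd, base = serve_fixture()
    try:
        return probe(base, ["", "simple", "simple/", "appconfig", "nope"])
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    for word, (status, location) in run_demo().items():
        print(f"/{word:<10} {status}  {location or ''}")
```

The point of `NoRedirect` is the 301 on `/simple`: with redirects followed you would only see a 200 and never notice that a bare directory name resolved to something, which is what made the listing worth opening. A real run should also honour the program's rate limits and scope.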
There was one directory named "appconfig". I opened it and there was a tar.gz file; I downloaded and opened it. And… I got a git configuration which led to exposure of the website's source code (.git) and other sensitive tokens and secrets.
I quickly wrote a good report and submitted it to the company. 15 days later I got a mail from their side saying I'm eligible for a bounty. They have a Hall of Fame and swag too (a rare case: reward, Hall of Fame and swag).
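Once an archive like that is in hand, the useful habit is to triage it without extracting it onto disk, pull the git remote (credentials in a remote URL are a finding in themselves) and flag secret-looking values, while redacting everything that goes into the report. The following is an added example, not the author's code or anything from the program: it builds a constructed tar.gz mimicking an "appconfig" bundle (a .git/config with an embedded credential in the remote URL and a production config carrying a database password and an AWS-style key id), then scans it. The file names, values and regex heuristics are assumptions for the demo, not an exhaustive secret scanner.

```python
"""Triage an exposed .tar.gz for git metadata and secrets without writing it to disk.

Added example, not code from the original writeup. The archive contents are constructed
for the demo; the patterns are illustrative heuristics, not a complete secret scanner.
"""
import io
import re
import tarfile
from urllib.parse import urlsplit, urlunsplit

# Heuristics for values worth flagging. Each hit is reported with only its first 4 chars.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret": re.compile(r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url_credentials": re.compile(r"://[^/\s:@]+:([^@\s]+)@"),
}
GIT_URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)", re.MULTILINE)


def redact_url(url):
    """Strip user:password from a git remote URL so the report never carries the credential."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, f"[REDACTED]@{host}", parts.path, parts.query, parts.fragment))


def triage_archive(data):
    """Walk a gzipped tar in memory; return git remotes, redacted secret hits and path warnings."""
    findings = {"members": [], "git_remotes": [], "secrets": [], "warnings": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            findings["members"].append(member.name)
            if not member.isfile():
                continue
            # An exposed archive is untrusted input: never extract a traversal path to disk.
            if member.name.startswith("/") or ".." in member.name.split("/"):
                findings["warnings"].append((member.name, "suspicious_path"))
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            if member.name.endswith(".git/config"):
                for url in GIT_URL_RE.findall(text):
                    findings["git_remotes"].append((member.name, redact_url(url)))
            for label, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    value = match.group(1) if match.groups() else match.group(0)
                    findings["secrets"].append((member.name, label, value[:4] + "..."))
    return findings


def build_sample_archive(with_traversal=False):
    """Constructed sample bundle: .git/config with a credential in the remote, a prod config with secrets."""
    files = {
        "appconfig/.git/config": (
            "[core]\n\trepositoryformatversion = 0\n"
            '[remote "origin"]\n\turl = https://deploy:hunter2@git.example.com/acme/chat-web.git\n'
            "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        ),
        "appconfig/config/production.yml": (
            "database:\n  password: s3cr3tDbPassw0rd\n"
            "aws:\n  access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        ),
        "appconfig/README": "Deployment notes\n",
    }
    if with_traversal:
        files["../etc/cron.d/evil"] = "* * * * * root /bin/sh\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    for key in ("git_remotes", "secrets", "warnings"):
        for item in report[key]:
            print(key, item)
```

Feed a downloaded archive's bytes to `triage_archive` and paste only the redacted output into the report; the redacted remote URL still proves the repository is exposed without forwarding the live credential to anyone reading the ticket.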
Reported: 14–01–2021 (Makarsankranti 🪁)
Response: 27–01–2021 (Eligible for bounty $XXX 🤑)
“ I got Hall of fame and received my bounty, swag is on the way”
Tip: "Got a 404? Don't stop there! Hit it with your favorite enumeration utility!"
Twitter: Dipak Panchal
Thanks for reading! Happy Hunting!