Tale of my first bounty!

If you know you know

Hello Folks! How are you? I hope you’re doing well. I’m Dipak (th3.d1p4k) from India. In this writeup I’m going to tell you how I got my first bounty and my approach to hunting bugs.

This is my first writeup, about my first bug bounty. I’ll be sharing my mindset. (It might not be for experts; I’m a beginner, so please leave your suggestions in the comments.) Without wasting time, let’s get started.

I found a program which has a responsible disclosure program (a premium chat application). Then I read their policies and all, and started hunting. (Note: read carefully what is in scope and out of scope; in this program RXSS is out of scope.)

I started with basic recon. I gathered as many subdomains as I could, then probed them. The tools I used were Sublist3r, assetfinder and httprobe. I made a list, then checked it one by one, opening each in the browser. The website looked secure (maybe), and its subdomains were also connected to the main domain. Then I signed up and checked all the possibilities to find a bug. There was no luck 😅. It seemed secure, because you have to pay to unlock the other features. Then I did some more recon on the target using Shodan. I used a Shodan dork (e.g. hostname: “target”) and found an IP. When I opened it in the browser it was showing “This is a server, on the Internet”.

404 response

And I thought maybe I’d get something, so I did directory brute forcing using dirb and the common.txt wordlist from SecLists.

dirbuster

Then I got one directory named “simple” with status code 301. When I opened it, it redirected to an index.html file, which contained lots of repositories, configuration files, scripts, etc.

😍😍😍

There was one directory named “appconfig”. I opened it, and there was a tar.gz file; I downloaded it and opened it. And… I got the git configuration, which led to exposure of the website’s source code (.git) and other sensitive tokens and secrets.
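A defender-side check for exactly this kind of exposure, added here as an example and not the author’s own tooling: a pre-deploy scan that flags any archive still carrying .git metadata or credential-shaped values before it is published under a web root. The path and value patterns, and the sample archive, are constructed for illustration.

```python
import io
import re
import tarfile

# Paths that should never ship inside a web-served bundle (constructed list).
SENSITIVE_PATHS = re.compile(r"(^|/)(\.git/|\.env$)")
# Credential-shaped "key = value" lines (constructed, deliberately broad pattern).
SECRET_VALUE = re.compile(r"(?i)(token|secret|password|api[_-]?key)\s*[=:]\s*\S+")


def find_sensitive_members(tar_bytes: bytes, max_read: int = 65536) -> list[dict]:
    """Return one finding per archive member that is git metadata or holds a credential-like value."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            if SENSITIVE_PATHS.search(member.name):
                reasons.append("sensitive path")
            handle = tar.extractfile(member)
            # Only the first max_read bytes are inspected, so huge blobs do not stall the scan.
            text = handle.read(max_read).decode("utf-8", errors="replace") if handle else ""
            if SECRET_VALUE.search(text):
                reasons.append("credential-like value")
            if reasons:
                findings.append({"name": member.name, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: an appconfig bundle that accidentally includes .git and an API key."""
    files = {
        "appconfig/.git/config": "[remote \"origin\"]\n\turl = https://git.example.invalid/app.git\n",
        "appconfig/settings.ini": "[api]\napi_key = EXAMPLE_NOT_A_REAL_KEY\n",
        "appconfig/README.txt": "Deployment notes only.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: the .git config (path) and settings.ini (api_key) are reported; README is clean.
    for hit in find_sensitive_members(build_sample_archive()):
        print(hit["name"], "->", ", ".join(hit["reasons"]))
```

Running it in CI against the real bundle and failing the build on any finding stops the archive from ever reaching the web server.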

I was like!

I quickly made a good report and submitted it to the company. 15 days later I got a mail from their side that I’m eligible for a bounty. And they have a Hall of Fame and swag too (a rare case: reward, Hall of Fame & swag).

Reported: 14–01–2021 (Makarsankranti 🪁)

Response: 27–01–2021 (Eligible for bounty $XXX 🤑)

“I got the Hall of Fame and received my bounty; the swag is on the way”

Tip: “Got 404? Don’t stop there! Hit it with your favorite enumeration utility!”

Instagram: th3.d1p4k

Twitter: Dipak Panchal

Proof reading: Mayur Parmar (aka th3cyb3rc0p)

Thanks for reading! Happy Hunting!

Bug hunter | CCSE