Tale of my first bounty!

If you know you know

Hello Folks! How're you? I hope you're doing well. I'm Dipak (th3.d1p4k) from India. In this writeup I'm going to tell you how I got my first bounty and my approach to hunting bugs.

This is my first writeup, about my first bug bounty. I'll be sharing my mindset. (It might not be for experts; I'm a beginner, so please leave your suggestions in the comments.) Without wasting time, let's get started.

I found a program with a responsible disclosure policy (a premium chat application). I read their policies and started hunting. (Note: read carefully what is in scope and out of scope; in this program, reflected XSS (RXSS) was out of scope.)

I started with basic recon. I gathered as many subdomains as I could and then probed them for live hosts. The tools I used were Sublist3r, assetfinder and httprobe. I made a list and checked the hosts one by one by opening them in the browser. The website looked secure (maybe), and its subdomains were all connected to the main domain. Then I signed up and checked every possibility I could think of to find a bug. No luck 😅. It seemed secure because you have to pay to unlock the other features. Then I did some more recon on the target using Shodan. I used a Shodan dork (e.g. hostname:"target") and found an IP. When I opened it in the browser it showed "This is a server, on the Internet".

[Screenshot: 404 response]

I thought maybe I'd get something, so I did directory brute forcing with dirb and a wordlist from SecLists (common.txt).

[Screenshot: dirbuster]

Then I got one directory named "simple" with status code 301. When I opened it, it redirected to an index.html file, which contained lots of repositories, configuration files, scripts, etc.

😍😍😍

There was one directory named "appconfig". I opened it and found a tar.gz file; I downloaded and extracted it. And… I got a git configuration, which led to exposure of the website's source code (.git) along with other sensitive tokens and secrets.

I was like!

I quickly wrote a good report and submitted it to the company. 15 days later I got an email from them saying that I was eligible for a bounty. They also have a Hall of Fame and swag (a rare case: reward, Hall of Fame & swag).

Reported: 14–01–2021 (Makarsankranti 🪁)

Response: 27–01–2021 (Eligible for bounty $XXX 🤑)

“ I got Hall of fame and received my bounty, swag is on the way”

Tip: "Got 404? Don't stop there! Hit it with your favorite enumeration utility!"
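The tip above, and the finding itself (a host whose root returns 404 but which still serves a directory listing and an archive containing .git metadata), translate directly into a self-check a defender can run against hosts they own. The following is an added example written for this page, not the author's tooling: it requests a short list of paths, follows redirects the way the "simple" 301 was followed, and classifies each response with a few heuristics (directory index page, exposed `.git/HEAD` or `.git/config`, downloadable archive). The two path names are taken from the writeup; the heuristics, the `self-audit/1.0` user agent and the label names are this example's own assumptions. In practice you would feed it the same kind of wordlist the post used (SecLists common.txt) instead of the hardcoded list.

```python
"""Self-audit for the misconfiguration class in the writeup: a host that
answers 404 at "/" but still exposes directory listings, .git metadata or
config archives under other paths.

Added example (editor's code, not the author's). Assumptions:
  - standard-library urllib only, no third-party dependencies;
  - the classification heuristics and label names below are constructed;
  - run it only against hosts you administer.
"""
import re
import urllib.error
import urllib.request

# "simple" and "appconfig" are the directory names from the writeup; the
# .git entries are where the leaked repository metadata would be served.
# Replace with your own wordlist for a broader audit.
PROBE_PATHS = [
    "/simple/",
    "/appconfig/",
    "/.git/HEAD",
    "/.git/config",
]

# Links to archive/backup files inside a listing (href="something.tar.gz").
ARCHIVE_RE = re.compile(r'href="[^"]+\.(tar\.gz|tgz|zip|sql|bak)"', re.I)


def classify(path: str, status: int, body: str) -> str:
    """Label one response, or return "ok" if nothing stands out.

    Heuristics (assumptions about how common servers behave):
      - an exposed .git/HEAD begins with "ref: ";
      - an exposed .git/config contains a "[core]" section;
      - Apache/nginx autoindex pages carry an "Index of /..." title;
      - a listing that links archive files is flagged separately.
    """
    if status in (0, 401, 403, 404):
        return "ok"
    if path.endswith(".git/HEAD") and body.startswith("ref: "):
        return "git-metadata-exposed"
    if path.endswith(".git/config") and "[core]" in body:
        return "git-metadata-exposed"
    if "<title>Index of" in body or "Index of /" in body:
        if ARCHIVE_RE.search(body):
            return "directory-listing-with-archives"
        return "directory-listing"
    if path.endswith((".tar.gz", ".tgz", ".zip")) and status == 200:
        return "archive-downloadable"
    return "ok"


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """GET base_url + path, following redirects (like the 301 to index.html).
    Returns (status, body text); status 0 means the request failed."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "self-audit/1.0"},  # constructed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


def audit(base_url: str) -> dict:
    """Probe every path and return {path: label} for anything not "ok"."""
    findings = {}
    for path in PROBE_PATHS:
        status, body = fetch(base_url, path)
        label = classify(path, status, body)
        if label != "ok":
            findings[path] = label
    return findings


if __name__ == "__main__":
    import sys
    # Example target is a placeholder for a host you own.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for p, label in audit(target).items():
        print(f"{label:32} {p}")
```

Any `directory-listing` or `git-metadata-exposed` result is the signal to disable autoindex on that path, deny requests for `.git/` at the web server, and move build archives out of the web root; the 404 at the root on its own says nothing about what the rest of the tree serves.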

Instagram: th3.d1p4k

Twitter: Dipak Panchal

Proof reading: Mayur Parmar (aka th3cyb3rc0p)

Thanks for reading! Happy Hunting!

Bug hunter | CCSE
