Hi there, it's Hacker Yadav again. So I woke up at 5 energetically and by 5.30 I was down with my laptop to hack. I decided what program to hack and was searching for the programs to hack. I discovered Mastercard and T-Mobile have their programs on Bugcrowd but later on decided to hack on Mastercard.
Something that I noticed is that there are some programs that explicitly say to register using the @bugcrowdninja domain. Something you should never forget to do. Till now, I was not using the bugcrowdninja email. You can get its documentation [HERE]. I was kinda skeptical about where to access it from, so I sent a sample email from my email and saw that it was coming to the email where the account was registered from.
I started exploring the in-scope domains and all their environments. They have rate limiting functions and will block you if you try to do active reconnaissance. I got kicked out from one of the domains but was able to get access to it again after some time. I was trying everything from CSRF to XSS, every possible way that I had skills in. But without luck.
In the afternoon, I was logged into a domain and when I changed the URL to admin, it gave me an unauthorized error revealing all the internal server paths! I tried escalating it but couldn't find a way to do it. So I tried reporting it with some hopes to get the report accepted.
Later in the evening, I got a response that they have marked it as a P5 bug, as I was only able to see the whole stack trace and not able to access it.
I was happy that I was at least able to submit a bug today but was not able to gain a bounty from that. Probably will find a way to exploit this soon.
I spent almost 7 and a half hours on the first day for the bug. I use the app called Toggl Track and it has got a lot of features (not sponsored). I have pulled it under the Mastercard project so you would not be able to see other hours.
My learning:
- Always use bugcrowdninja email or hackerone email for testing purposes. You might get banned from the program just for not using testing accounts.
- Starting to hack first thing in the morning has helped me a lot since I believe in waking up early in the morning. There is no problem being a late night owl but covering most of the hours in the morning tends to make an impact on me.
- I was skeptical if I would find any bug but keeping self-confidence helps a lot in having the mentality.
- Do read potential vulnerabilities on Hacktivity from HackerOne and CrowdStream from Bugcrowd. It helps a lot. Not to mention, YouTube :)
I hope this post has helped you gain some knowledge. Thank you for reading this post. See you soon!