Day 1 Bug Bounty — 60 days 60 bugs challenge

 

Hi there, it's Hacker Yadav again. So I woke up at 5 energetically and by 5.30 I was down with my laptop to hack. I decided what program to hack and was searching for the programs to hack. I discovered Mastercard and T-Mobile have their programs on Bugcrowd but later on decided to hack on Mastercard.

Something that I noticed is that there are some programs that explicitly say to register using the @bugcrowdninja domain. Something you should never forget to do. Till now, I was not using the bugcrowdninja email. You can get its documentation [HERE]. I was kinda skeptical where to access it from, so I sent a sample email from my email and saw that it was coming to the email where the account was registered from.

I started exploring the in-scope domains and all their environments. They have rate limiting functions and will block you if you try to do active reconnaissance. I got kicked out from one of the domains but was able to get access to it again after some time. I was trying from CSRF to XSS to every possible way that I had skills on, but without luck.

In the afternoon, I was logged into a domain and when I changed the URL to admin, it gave me an unauthorized error revealing all the internal server paths! I tried escalating it but couldn't find a way to do it. So I tried reporting it with some hopes to get the report accepted.

Later in the evening, I got a response that they have marked it as a P5 bug, as I was only able to see the whole stack trace and not able to access it.

I was happy that I was at least able to submit a bug today but was not able to gain a bounty from that. Probably will find a way to exploit this soon.

I spent almost 7 and a half hours on the first day for the bug. I use the app called Toggl Track and it has got a lot of features (not sponsored). I have pulled it under the Mastercard project so you would not be able to see other hours.

My learning:

  1. Always use bugcrowdninja email or hackerone email for testing purposes. You might get banned from the program just for not using testing accounts.
  2. Starting to hack first thing in the morning has helped me a lot since I believe in waking up early in the morning. There is no problem being a late night owl but covering most of the hours in the morning tends to make an impact on me.
  3. I was skeptical if I would find any bug but keeping self-confidence helps a lot in having the mentality.
  4. Do read potential vulnerabilities on Hacktivity from HackerOne and CrowdStream from Bugcrowd. It helps a lot. Not to mention, YouTube :)

I hope this post has helped you gain some knowledge. Thank you for reading this post. See you soon!
