I'm happy to share my story on my bug bounty journey. Thanks Bugcrowd for choosing me to inspire everyone in the community.
Be patient, focus and stay ethical; success will come to you.
I found an RCE that came from a secret leak in a JS source file. Always look for and mine secret keys, tokens, and credentials in JS files. I think it is a gold mine and many critical bugs are found there. After seeing the Zabbix API and reading the documentation, you can get an RCE.
I've had a busy month with my son and traveling to Las Vegas and Phuket to join conferences. I'm also happy to announce I just passed the $1 million mark in total bounty I've earned on all bug bounty platforms and external programs. Today is a national holiday in my country.
Spring Boot Actuator misconfiguration is another gold mine in bug bounty. Because many Spring Boot apps change over time, running on a microservice architecture exposes the actuator endpoint publicly to the internet. I found an RCE via a Spring Cloud Gateway exploit.
2022 was a great and successful year for me. Bug bounty changed my life. I surpassed $500k in bug bounty and got invited to many Live Hacking events, with more than 50 Critical vulnerabilities on the HackerOne platform and nearly 200 P1s on the Bugcrowd platform.
After 4 years since starting the bug bounty journey, getting to know many hackers around the world, and starting with the two platforms Bugcrowd and HackerOne, today I passed the $1M milestone on @Bugcrowd. I'm just a part-time bug bounty hunter.
I had some busy days for my wedding and honeymoon week. Taking a rest before coming back to continue hunting with my passion and my fellow hackers.
Thanks everyone.
Last month, I chose Apple to hunt after a successful month of hunting on FIS. My leader in the VCS Red Team and I continued to find a Critical 0day affecting the Apple production environment. The Apple team fixed the issue within a day. We were rewarded $32k for this finding.
When you hunt targets on Bugcrowd, always check the Known Vulnerabilities tab and try to reproduce them to learn; you may find another vulnerability without a duplicate, or a bypass for old vulns.
This time, I didn't have much time to hunt; I spent more time with my family ❤️
You can play with #ChatGPT to find subsidiaries of any company without using a paid account from lookup services, and find applications owned by a company easily, but you still need to recheck and verify because data from ChatGPT doesn't come from a verified, trusted source.
#bugbountytips
I was in Las Vegas for 4 days and flew 1 day to get to the H1-702 event. I had to leave early to see my first son. It's a pity that I can't participate in the 2 events BlackHat and Defcon with everyone. This is my first time coming to America.
A signature for detecting the version of Exchange Server:
URL: /autodiscover/autodiscover.json?@foo.com/ecp/&Email=autodiscover/autodiscover.json%3F@foo.com
Because some servers blocked the endpoint /mapi/nspi/, we can use another path such as /ecp/
About CVE-2021-26084: block the endpoint /pages/createpage-entervariables.action if you can't patch your server. The attacker can exploit it without authentication, even though signup is disabled by default.
Mass scanning has already started and bug bounty hunters are farming it.
#RCE #Confluence
I had an impressive experience with the Starbucks ☕️ program. When I found the RCE vulnerability and reported it overnight, the next morning when I woke up to check, the vulnerability had already been fixed even though the report had not been triaged.
Poor him. He read my bug closed as Informative on a bad program.
Many researchers on @Hacker0x01 have had bugs stolen, including many 0days and sensitive bug reports, by a bad triager.
And I really appreciate the transparency and responsible handling of the HackerOne platform.
New adventure on the @SynackRedTeam platform. I had been waiting a long time for my application to be accepted, and was rejected twice before since the beginning of 2021. It took nearly 2 months to complete the background check. Today I got #LevelUp 0x03 on the platform.
This is my first collaborative report on @Bugcrowd and I feel very happy seeing it. Love you man @bsysop, and I hope all bug bounty hunters can find nice collaborators. "If you want to go fast, go alone. If you want to go far, go together."
How long does it take to get a reward after reporting a vulnerability to the @Apple bug bounty program?
I reported an RCE on their product domain but still have no update since 8 months ago, when it was fixed 1 day after the report.
Report and pray. LoL
If you play CTF games with many good challenges, new knowledge and bypass tricks, it will be good. If you want to make more money and change your life, fight real systems; playing bug bounty is best.
Thank you to my colleagues in the Application System Security room for wishing me a happy birthday. I love you all. Talented and passionate people dedicated to their work ❤
27 years old
Got rank 9 in the last 30 days since I joined @SynackRedTeam. I hope I can reach level 5 soon. I missed many 3k bugs. It was my confusion when joining a new platform: never forget and never give up your target.
#bugbountyroad
OMG. So surprised. I'm on TV.
So many unknown 1days and 0days in many popular products, still not public and exploited in the wild, come from trivial bugs. It is really a hole in many enterprise software vendors.
Really nice Keynote from #OffensiveCon23. Thanks
My stats on @Bugcrowd this year. Only need 6 more P1s to reach a new level, P1 Warrior with 100 P1s, and I have 10+ P1s still pending. Hope they can change to unresolved in the final week of the year.
I feel very lucky; this is the best year of my bug bounty journey in 2 years.
Oh no. His account seems disabled after he disclosed the Spring Core RCE.
Does this have anything to do with the Chinese government?
Are Chinese hackers actively exploiting this 0day?
After many years of participating in the Pwn2Own arena, we have won Master of Pwn. Congratulations to my outstanding colleagues. They are young people who are very talented, united, and have a high fighting spirit. I have witnessed their tireless efforts for the past 3 months.
About #CVE-2021-22205: I and some hunters knew about it before it was published as a pre-auth RCE. Maybe GitLab knew it but kept it silent, because if it were made public, many servers would be compromised by APT and ransomware attacks before bug bounty hunters reported it to programs.
Thanks @Bugcrowd for the bonus for 150 P1s.
No more swag for the P1 incentive program.
I am really curious what the next level will get.
How long to reach 250 P1s?
I already wrote a nuclei template to scan for this vulnerability before. Not many servers are vulnerable. It is caused by a misconfiguration in the reverse proxy. Read more about this vuln here:
Bug of the day: SSRF via Proxying
GET http://localhost:22 HTTP/1.1
Host: target
Connection: close
Response:
SSH-2.0-OpenSSH_7.4
Protocol mismatch.
#bugbounty
Finally, I got into the top 100 on @Bugcrowd all time.
Hope I will have more good findings in the future and help more organizations and corporations be more secure.
Thanks everyone in the bug bounty community and security research ❤
I will be taking part in an in-person LHE event in Las Vegas for the first time after being unable to attend previous LHEs. Although the visa interview is scheduled for the end of July, I hope that luck will smile on me.
After 10 months of waiting I finally got my reward from the Apple team. Thanks for the sweet reward. I will think about continuing to hunt on the Apple bug bounty program.
I had some luck playing with some IIS default page instances. Did path fuzzing and found some good RCEs from leaked machine keys, like a Red Teamer. Will share it soon. It seems to be a 0day in some products with hardcoded machine keys.
I love machine key ❤️
IIS Hacking tips from the latest episode with the master himself @infosec_au:
1. NEVER leave that blue IIS page untouched
"You see that blue page that comes up when you hit an IIS server? That should be your point where you think, I'm gonna find criticals on this bad boy."
Redirect/SSRF payload generator opened by @intigriti
This online tool will generate payloads for you to bypass filters and reach open redirect/SSRF vulnerabilities.
I'm very excited to announce I have been selected as a HackerOne Brand Ambassador in Hanoi, Vietnam. This will help me build and connect bug bounty hunters in my region and help beginners start in the cyber security industry.
#togetherwehitharder
The newest additions to the network of HackerOne Brand Ambassadors have been announced! We can't wait to see the amazing things everyone will accomplish in their regions.
#togetherwehitharder
I ranked 1st on Amazon VRP and top 30 all-time on Bugcrowd. I bought a house and a car this year, got married, and am expecting my biggest Bug next year. ❤️
I recommend using Beeceptor to make a mock server without a self-hosted server. It is really useful for SSRF bypassing using the redirect method, creating fake responses, and some other cool features. It helps deploy a mock server quickly without using your own resources.
Next week, we're rolling out an exciting new feature to enhance your testing and integrations. Take a look at this video for a sneak peek and start guessing what's coming!
The researcher who reported the log4j vulnerability is a hero of the internet, but he and his company got suspended by his country. If APT groups owned by the Chinese government had known it before it was public, I can't imagine what would have happened to both the internet and the world.
⚡China has suspended its partnership with #Alibaba Cloud Services, whose researcher discovered the critical #Log4j vulnerability, because the company did not first report this flaw to the government as required by the country's new law.
Read:
#infosec
A group of young Vietnamese people quit their jobs at the company and established a full-time bug bounty group, and this is the group's 1-month performance. Very impressive.
FlySec Journey's 1st month:
Fired by a Critical Vulnerability that affects massive companies
Write-up coming soon. Stay tuned!
❤️‍🔥 FlySec will try our best to save the internet!
#FlySecJourney
You can use the JS Miner extension in Burp Suite to actively scan all JS files while crawling the target. But sometimes it can miss secrets kept in custom variables that its regexes do not cover.
Calling bug bounty hunters in the Hanoi and Ho Chi Minh areas to participate in HackerOne's biggest event of the year, the Ambassador World Cup 2024.
If you want to try your hand at difficult targets and collaborate in a strong, experienced community, please join us 🇻🇳
@LamScun
Don't trust anyone. Keep a small trust circle when sharing a target or unique PoC exploit. I learned a valuable and disappointing lesson about this when I shared with the wrong people. Someone can trick you and will defeat you in the spirit of not sharing, and steal your work.
Choose your collaborators carefully when doing bug bounties. Build a community of trusted and vetted individuals that live and share your values :)
"A wise person should have money in their head, but not in their heart." (Jonathan Swift)
#BugBounty #bugbountytip #bugbountytips
Happy Friday Blue team
CVE 10.0 vulnerability in PAN-OS 🚨
Coincidentally, several serious 0day vulnerabilities that can 🔥 the internet were made public on Friday.
Seems a triager at Uber has had their account hacked and a threat actor can access all reports from researchers on the Uber program. This is an incident never seen before.
#bugbounty is so magic. I have a question: how can he do it on a program with limited scope and receive more than $100k with 4 reports resolved on @Hacker0x01?
Anyone know him?
If you don't know how to choose a target for research and hunting bugs, ask #ChatGPT; it answers with very good accuracy. So amazing. I can play with it to see some interesting things I need to focus on when hunting.
#bugbountytips
I just landed on a flight to Phuket and will be attending the #HITB2023PK conference tomorrow. Looking forward to great presentations at this event.
Thanks to my company #Viettel Cyber Security for bringing me this opportunity ❤️
@bxmbn No luck with me. If you are a professional hunter, it is 50% perseverance and 50% skill + experience. If you are a hunter using automatic tools, I think it's 80% luck and 20% skill.
From Vietnam, Happy New Year to everyone in the bug bounty and security research community around the world 🇻🇳
Wish you all a successful new year with lots of health and energy ❤
Anyone doing bug bounty hunting in Vietnam can join. Message me and we can get high together in the Ambassador World Cup event.
#togetherwehitharder
The #AmbassadorWorldCup is back! March marks the beginning of 9 months of epic competition. Are you up for the challenge?
Ambassadors all over the world are recruiting teams now. Contact your regional leader to join in. More details coming soon.
A new 0day post-auth RCE on Exchange Server is being exploited in the wild and has been detected by team GTSC. They caught the PoC on some targets which had been attacked by a threat actor, reproduced it successfully, and also reported it to ZDI.
@Hacker0x01 has developed many great new features, effectively supporting researchers. I really like this new feature. It helps me gain insight into 3rd parties and statistics about techniques and products used by companies around the world. Very cool feature ❤️
Trust me. The Bug Bounty Hunter guild is a fantastic group of strong top hunters worldwide.
I feel lucky to have become a part of this guild ❤️
This is the cutest video I've received from my #bugbounty friends. Thank you all for your wishes. Much love everyone. This community is AWESOME. ❤️
Vietnam is a developing country racing in the 4.0 era. It has produced many generations of hackers since the early 2000s and has a tradition of inheritance and continuity between generations of hackers. CTF competitions are held annually among universities.
Why does Vietnam produce so many really really good computer hackers relative to Thailand which seems to not have that many at all? Is there a particularly strong STEM focus at the universities here?
CVE-2023-22518 - Improper Authorization Vulnerability in Confluence Data Center and Server
Don't use and never use this vulnerability lightly, because it is a master of data cleaning.
To newbies: Don't hesitate; get started with VDP programs to learn how to report and find critical vulnerabilities and get a good start on the platform. VDP programs are less competitive and you will have more space without fear of duplicates.
Recent research by VCSLab regarding log4j exploitation by threat actors before the vulnerability was public.
Follow us to see interesting research in the future from Viettel Cyber Security.
We luckily found some evidence to believe that the Log4Shell vulnerability may have been exploited since August 2021.
At least 10 targets have been found, including government, banks, entertainment, betting companies, etc.
Thanks @Hacker0x01 for the great logo design for each Ambassador club. It is really cool.
Everyone from Vietnam who enjoys bug bounty hunting can join this club and together grow, learn, share, help, and collaborate to achieve something bigger, target bigger. DM me to join.
Swag for MVP in all 4 quarters of 2022. It looks very cool.
Thanks @Bugcrowd and can't wait to see the exclusive swag for my team, winner of @Hackercup 2022.