How to get a private invitation on HackerOne?

HackerOne gives you the chance to join their private programs if you complete CTFs and get at least 26 points:
https://www.hackerone.com/blog/Hacker101-CTF-Find-flags-get-private-bug-bounty-program-invitations

This post is meant to give everyone the resources or skill-set needed to complete a challenge. It is not a step-by-step solution to the challenges; besides, I couldn’t complete all the challenges. I jumped from one to another to find out which one suits my skill-set, so I only have information about a few challenges.

I cover 2 things for you:
1: Resources or skill-set to complete a challenge 
2: How a particular challenge can help you in the wild (important)

Challenge: Trivial (1 / flag)

Well, I would say always read the source code & look for something unusual.
This is the first challenge that gives you the idea of looking in the source code of a website to find unusual stuff.

How does this help you in the wild?
Reading the source code of a website can lead you to:
Find external images and JS files used; if the website is too strong for you to hack into, you might be able to pwn an external site or file.
Find external/internal JS files, then find their versions. You don’t always need to test 100 payloads in a search box to get an XSS popup: just find the versions of the JS libraries and start looking for their known vulnerabilities, or you can simply read the code (if you are good at it) and find a better way to exploit a certain feature on the site.
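As an added example (not code from the original post or from Hacker101), here is a small Python script that does the source-reading step above on a page you are responsible for: it lists every `<script src>` in the HTML, flags the ones served from another host, and pulls a version number out of the filename so it can be checked against known advisories. The HTML and host names in it are constructed sample input.

```python
"""Inventory <script src=...> tags on a page and extract library versions.

Added example, not part of the original post. SAMPLE_HTML is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one same-host script and two third-party ones.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/jquery-1.8.3.min.js"></script>
<script src="//cdn.example.net/lib/angular/1.2.0/angular.min.js"></script>
</head><body></body></html>
"""

# First dotted number in the path, e.g. 1.8.3 or 1.2.0.
VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)?)")


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def inventory_scripts(html_text, site_host):
    """Return a list of (src, host, is_external, version_or_None) per script.

    Relative and root-relative URLs are attributed to site_host; anything
    with its own netloc (including scheme-relative //host/...) is external
    when the host differs.
    """
    parser = ScriptCollector()
    parser.feed(html_text)
    rows = []
    for src in parser.srcs:
        parsed = urlparse(src)
        host = parsed.netloc or site_host
        is_external = host.lower() != site_host.lower()
        match = VERSION_RE.search(parsed.path)
        version = match.group(1) if match else None
        rows.append((src, host, is_external, version))
    return rows


if __name__ == "__main__":
    for row in inventory_scripts(SAMPLE_HTML, "shop.example.org"):
        print(row)
```

Run it against a saved copy of your own page; the rows marked external with a version are the ones to compare against the library's changelog and advisories.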

Easy (2 / flag)

I found only two flags, which I can’t number (too lazy to do so).
1: Look at how the pages are indexed; if you don’t get ‘indexed’, see how pages are numbered. Pages are numbered by incrementing a number (i.e. 1 > 2 > 3 > 4), so if you don’t see a number you can simply change the ID.

2: Do you know about XSS? Well, you should have the basics of XSS here; you can try to learn from prompt.ml, it will help you a lot. Now, in here popping alert(1) is not only to execute a JS alert but also to give you the flag. Here I figured out how this challenge works:
*** if a user puts an XSS payload in title=n00b&body="><script>alert(1)</script> then give them this flag: $flag$I_AM_LEARNING$flag$
*** but if a user puts an XSS payload in another part, give them another flag

Well, this is how it works for me; I don’t know about your ideas, but try putting payloads everywhere to get flags.

How does this help you in the wild?
This challenge will give you the basic idea of how XSS can be used to get flags & pop up some stuff on the screen. Well, XSS is not just about pop-ups, it’s a wide shit & I am not a big fan of it since I don’t know much JS.
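To show why that body payload works and what the fix looks like, here is an added Python example (not the CTF's code) that renders a post's title and body into HTML twice: once by concatenating the raw values, which lets a double quote close the attribute and start a script tag, and once through html.escape(quote=True). The payload string is the one shown above; the title value is constructed.

```python
"""Rendering a post into HTML: raw concatenation versus escaped output.

Added example, not from the Hacker101 CTF. EVIL_BODY mirrors the payload
shape described in the post.
"""
import html

# Constructed payload in the shape the post describes for the body parameter.
EVIL_BODY = '"><script>alert(1)</script>'


def render_post_vulnerable(title, body):
    """Concatenates raw values: a double quote in body ends the attribute early."""
    return f'<h2>{title}</h2><div data-body="{body}">{body}</div>'


def render_post_safe(title, body):
    """Escapes for HTML; quote=True also encodes \" and ' so attributes stay closed."""
    t = html.escape(title, quote=True)
    b = html.escape(body, quote=True)
    return f'<h2>{t}</h2><div data-body="{b}">{b}</div>'


def contains_script_tag(rendered):
    """Crude demo check: does a literal <script tag survive rendering?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_post_vulnerable("n00b", EVIL_BODY))
    print(render_post_safe("n00b", EVIL_BODY))
```

Escaping on output is the fix for this context; a real template engine does the same by default, which is why hand-built string concatenation into HTML is the thing to look for when reviewing code.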

Micro-CMS v2

I found only 2 flags, which I didn’t number either.
1: What is the first thing that comes to your mind when you see a login panel?
Well, maybe it is brute-force, but I am no fan of that; there might be other ways to get inside the admin panel without brute-forcing, and for that you must know what type of database or technologies the website uses.
Well, I figured out that a simple admin panel works like this:
*** You give admin username & password > Your data is sent to the database > if it’s correct and matches the credentials inside the database > you can log in
Well, this is a challenge and we can’t check the technologies used in the backend, otherwise I would use https://www.wappalyzer.com/. This is a challenge and requires you to think differently, try each and everything you know, or learn something new.

Well, the thing is, what if you want to break the syntax of how the username and password are stored in the database?

This challenge requires us to know the basics of SQL injection, so go out there and search for the basics of SQL injection. But hey, don’t just search ‘basics of sql injection’; first look at what type of challenge you are facing. Is this an admin panel? Well, yeah it is, so you must learn SQL injection admin panel bypass. But I have my tool-kit ready, so I don’t have to do the hard work to get a flag: I just figured out a way to use sqlmap against the admin panel and easily retrieved the databases. I didn’t even need to try 100 different admin panel bypass payloads. Well, if you use Intruder in Burp Suite, you can easily try 100 admin panel bypass payloads and that might work, but I used sqlmap.

2: Look around for interesting db names and you will get the flag.

How does this help you in the wild?
Find the admin panel of a website, find out what type of database is in use or how your information in the admin panel is handled, then attack, either testing manually or using sqlmap. Who knows, you might get lucky?
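As an added example that is not the CTF's own code, the following Python sketch uses an in-memory SQLite table to show the pattern an admin panel bypass relies on and the fix: a login query built by string concatenation treats user input as SQL syntax, while a parameterised query sends the values separately from the statement. The table, credentials and input strings are constructed for the demo; real systems store a password hash, not the password.

```python
"""Login query built two ways: string concatenation versus bound parameters.

Added example, not from the Micro-CMS v2 challenge. All data is constructed.
"""
import sqlite3


def make_db():
    """Constructed in-memory user table (a real system would store a hash)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", "correct-horse-battery-staple"))
    return conn


def login_vulnerable(conn, username, password):
    """The bug: input is spliced into the SQL text, so quotes in it change the query."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """The fix: placeholders; the driver passes values out of band, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed inputs: a valid credential pair, and a tautology in the password
# field that turns the concatenated WHERE clause into "... OR '1'='1'".
GOOD = ("admin", "correct-horse-battery-staple")
TAUTOLOGY = ("nobody", "' OR '1'='1")


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, *GOOD), login_vulnerable(db, *TAUTOLOGY))  # True True
    print(login_safe(db, *GOOD), login_safe(db, *TAUTOLOGY))              # True False
```

The detection side is the same in code review: any query text assembled with f-strings, `%` or `+` from request data is the thing to flag, whatever the database behind the panel is.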

Hard (9 / flag) — first flag

1: Make a post and you get a hash, right? Well, I have learned in some of the root-me.org challenges that if you play with HTTP headers a lot then you can try abnormal stuff too, so why don’t you just clear that hash from the GET request?

How does this help you in the wild?
I didn’t figure out how the first one helps you, it just needs CTF mentality.

Easy (3 / flag) Petshop Pro

Can you buy something for $0?
Well, if you don’t know what I am saying, it’s because you don’t know about payment price manipulation. Here is a writeup:
https://medium.com/bugbountywriteup/bugbounty-how-i-was-able-to-shop-for-free-payment-price-manipulation-b29355a8e68e

How does this help you in the wild?
Well, I would like to be honest with you: I don’t think websites can still be vulnerable to this one; I just couldn’t find this vulnerability at all, so I can’t feed you bullshit or wrong info, but it is worth trying at least once. Maybe you get lucky, who knows?
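Added example (not from the writeup linked above or from the Petshop Pro challenge): a Python checkout routine in two versions. The first totals the cart from a price field that arrived in the client's request, which is the bug the writeup describes; the second ignores any client-supplied price, looks the item up in a server-side catalogue and rejects bad quantities. The catalogue and cart contents are constructed sample data.

```python
"""Checkout totals: trusting the client's price versus a server-side lookup.

Added example, not from the CTF. CATALOG and TAMPERED_CART are constructed.
"""
from decimal import Decimal

# Constructed catalogue: the server's authoritative prices, keyed by item id.
CATALOG = {"kitten": Decimal("19.99"), "puppy": Decimal("49.50")}


def checkout_vulnerable(cart):
    """Totals the cart from the 'price' field submitted with each item."""
    total = Decimal("0")
    for item in cart:
        total += Decimal(str(item["price"])) * item["qty"]
    return total


def checkout_safe(cart):
    """Ignores client prices; validates id and quantity; prices come from CATALOG."""
    total = Decimal("0")
    for item in cart:
        item_id = item.get("id")
        if item_id not in CATALOG:
            raise ValueError(f"unknown item: {item_id!r}")
        qty = item.get("qty")
        # bool is a subclass of int, so rule it out explicitly.
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise ValueError("quantity must be a positive integer")
        total += CATALOG[item_id] * qty
    return total


# Constructed request body: the client has overwritten both prices.
TAMPERED_CART = [
    {"id": "kitten", "qty": 1, "price": 0},
    {"id": "puppy", "qty": 2, "price": "0.01"},
]


if __name__ == "__main__":
    print("vulnerable total:", checkout_vulnerable(TAMPERED_CART))  # 0.02
    print("safe total:     ", checkout_safe(TAMPERED_CART))        # 118.99
```

The same rule covers the negative-quantity variant: a cart line with qty -1 produces a negative total in the first version and a rejected request in the second.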

Easy (4 / flag) Postbook

This is the last of ’em, and this one is one of my favorite vulnerabilities, which I always look for.
For completing this section you need to know about IDORs & as I really love this vulnerability, here I am going to give you resources to learn more about it:

https://www.secjuice.com/idor-insecure-direct-object-reference-definition/
http://www.pranav-venkat.com/2016/12/idor-in-facebooks-acquisition-parse.html
https://www.slideshare.net/narudomr/owasp-top-10-a4-insecure-direct-object-reference

https://shahmeeramir.com/how-a-simple-idor-become-a-4k-user-impersonation-vulnerability-705291b55c0d
https://medium.com/@yogeshtantak7788/how-i-was-able-to-delete-google-gallery-data-idor-53d2f303efff
https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/
https://www.jonbottarini.com/2018/10/09/get-as-image-function-pulls-any-insights-nrql-data-from-any-new-relic-account-idor/
https://s0cket7.com/idor-account-takeover/
https://blog.securitybreached.org/2018/09/16/idor-account-takeover-using-facebook/
https://blog.securitybreached.org/2018/01/27/how-i-was-able-to-download-any-file-from-web-server/

How does this help you in the wild?
Well, this helps a lot and I mean it. Just go through the above write-ups, see where others find IDORs, list everything, try to find those features in your own target and try to manipulate them if you can. Mostly these vulnerabilities can be found in websites where people can create groups, or basically communicate with each other, or create communities, etc…
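As an added example (not the Postbook application's code), here is the server-side check whose absence makes an IDOR: a post lookup that only verifies the object exists, beside one that also verifies the requesting user owns it and returns one identical error for a missing, foreign or absent id. The fail-closed handling of an absent id is the same point as the Hard challenge's first flag above, where the hash is simply removed from the GET request. Posts and users are constructed sample data; `Forbidden` is an assumed exception name.

```python
"""Ownership checks for object access by id.

Added example, not from the Postbook CTF. POSTS is constructed data.
"""
from typing import Optional

# Constructed store: posts keyed by a sequential id, each owned by one user.
POSTS = {
    1: {"owner": "alice", "body": "alice's private note"},
    2: {"owner": "bob", "body": "bob's draft"},
}


class Forbidden(Exception):
    """Assumed exception name standing in for an HTTP 403/404 response."""


def get_post_vulnerable(post_id):
    """Existence is the only check: any logged-in user can read any id (IDOR)."""
    return POSTS[post_id]["body"]


def get_post_safe(post_id: Optional[int], current_user: str) -> str:
    """Fail closed: absent id, unknown id and another user's id all raise the
    same error, so a caller cannot tell which case it hit."""
    post = POSTS.get(post_id) if post_id is not None else None
    if post is None or post["owner"] != current_user:
        raise Forbidden("post not found")
    return post["body"]


def can_read(post_id, current_user) -> bool:
    """True/False wrapper around get_post_safe for callers that prefer no exception."""
    try:
        get_post_safe(post_id, current_user)
        return True
    except Forbidden:
        return False


def delete_post_safe(post_id, current_user) -> bool:
    """The ownership rule applies to every verb, not only reads."""
    get_post_safe(post_id, current_user)  # raises unless current_user owns it
    del POSTS[post_id]
    return True


if __name__ == "__main__":
    print(get_post_vulnerable(2))        # any user can read bob's draft
    print(can_read(2, "alice"))          # False
    print(can_read(2, "bob"))            # True
```

When reviewing a feature like this, the question to ask of every handler that takes an id is where the `owner == current_user` comparison happens; if the answer is "nowhere, but the ids are hard to guess", that is still the bug.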

Takeaways:
# You can jump from one challenge to another, especially if you are doing CTFs
# 403 Forbidden pages are not always good protection
# XSS is always worth trying
# Brute-forcing is not the only way to break into an admin panel
# Playing with HTTP headers is a good habit
# IDORs can always be there
# Payment price manipulation is worth trying
# It’s a lab and there are no rules; you can break stuff, do whatever the hell comes into your mind (this gave me flags)

I hope this helps you get your flags. I didn’t post the solutions because if I do so & you don’t even try to pass these easy CTFs, then how can you find vulnerabilities in the private programs?
Instead, in this post you got a lot more resources that will definitely help you find vulnerabilities. I am not saying this post is perfect, but these basics can help you a lot, especially IDORs ❤.

Thanks for reading