Catching a bug in under 12 minutes

Dasha Korotkykh, published in HackenProof, Apr 5, 2022

This is a write-up from a member of the HackenProof community explaining beginner-level, fast-track bug bounty hunting.

Hey hunters! My nickname is iamsecure1920, I’m a bug hunter just like you, and here’s my first write-up, sharing a tip on how I find a good-enough bug when I have limited time 😊
Let’s dive in!

THE PRESET

It’s about midnight and I’m ready to go to sleep, but my playlist is not finished, and I have 12 minutes before the music stops.

Since I don’t want to switch off abruptly but also hate to waste time, I decide to try and find a vulnerability within that 12-minute window, ergo:

THE CHALLENGE — to find a vulnerability in 12 minutes.

So I target a website (let’s call it by the random alias “xyz.com” for the sake of the article). The very first minute of research shows that this website has no search parameters, login or signup options (the features notorious for easy-to-spot bugs). So what, do I give up and look for another website?

Oh no, I persist! (Also, the time challenge I set myself doesn’t allow me to switch targets a lot, so I have to hunt on this one.)

Since I can’t find any search or input parameters for XSS, and there is no registration / sign-in page or chat support, I opt to hunt for sensitive information leakage. My secret move is to look for sensitive file leakage by brute-forcing URL paths, because this kind of exploit can be completed in roughly 5 to 10 minutes.

WHAT I’M GOING TO USE
Burp Suite and dirsearch

To reproduce this on your own challenge, download the wordlist dicc.txt (the default wordlist shipped with dirsearch).

STEP BY STEP WALKTHROUGH

  • Visit the website “xyz.com” (again, this is just an alias; use the real target to follow along) and append /admin to the URL path.
  • Capture this request with Burp Suite and send it to Intruder. Set the payload position at /admin like this:
  • Next, set the payload type to Simple list and load the file dicc.txt.
  • Now start the brute-force attack. Follow the steps below to understand more.
  • Intruder now brute-forces the URL path with the sensitive paths listed in dicc.txt.
  • The attack continued for 4 minutes, and guess what happened?
  • A Makefile was exposed at “xyz.com/Makefile”. In my case, the file contained internal network IP addresses, an AWS distribution ID, and the commands used for deployment.
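
From the defender’s side, an Intruder run over dicc.txt leaves a very recognisable trace: one client producing a burst of 404s in a few seconds, with the occasional 200 marking what actually leaked. The following is an added example (not code from the write-up or from HackenProof) that runs that detection over a few constructed access-log lines in the Apache/nginx combined format; the IP addresses, timestamps and paths in SAMPLE_LOG are made up for the demonstration.

```python
"""Detect wordlist-style path brute-forcing in web server access logs.

Added example (not from the original write-up): flags client IPs that
generate a burst of 404 responses in a short window, the pattern an
Intruder run over dicc.txt leaves behind, and lists the sensitive paths
that answered with a 200 so the responder knows what was actually exposed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format; the lines below are constructed samples.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2022:23:48:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.9 - - [05/Apr/2022:23:48:02 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.9 - - [05/Apr/2022:23:48:02 +0000] "GET /admin.php HTTP/1.1" 404 153
198.51.100.9 - - [05/Apr/2022:23:48:03 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.9 - - [05/Apr/2022:23:48:03 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.9 - - [05/Apr/2022:23:48:04 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.9 - - [05/Apr/2022:23:48:04 +0000] "GET /Makefile HTTP/1.1" 200 2310
198.51.100.9 - - [05/Apr/2022:23:48:05 +0000] "GET /config.yml HTTP/1.1" 404 153
203.0.113.7 - - [05/Apr/2022:23:48:09 +0000] "GET /about HTTP/1.1" 200 4096
203.0.113.7 - - [05/Apr/2022:23:49:30 +0000] "GET /missing HTTP/1.1" 404 153
"""


def parse_log(text):
    """Yield (ip, timestamp, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash
        yield (
            m["ip"],
            datetime.strptime(m["ts"], TS_FMT),
            m["path"],
            int(m["status"]),
        )


def find_bruteforcers(text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max_404s_in_any_window} for IPs reaching the threshold.

    A sliding window over each client's 404 timestamps catches the burst a
    wordlist run produces while ignoring a single mistyped URL.
    """
    misses = defaultdict(list)
    for ip, ts, _path, status in parse_log(text):
        if status == 404:
            misses[ip].append(ts)
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def exposed_paths(text, suspects):
    """Paths the flagged clients fetched successfully: what actually leaked."""
    return sorted(
        {path for ip, _ts, path, status in parse_log(text)
         if ip in suspects and status == 200}
    )


if __name__ == "__main__":
    suspects = find_bruteforcers(SAMPLE_LOG)
    print("brute-force suspects:", suspects)
    print("paths they retrieved:", exposed_paths(SAMPLE_LOG, suspects))
```

The threshold and window are deliberately loose (five misses in a minute); tune them against your own baseline of 404 noise, and treat the 200s returned to a flagged client as the list of files to pull from the web root first.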

IMPACT
An attacker can use the leaked internal network IPs and AWS distribution ID to identify internal or listed paths in AWS, the time and date of the most recent AWS update, and similar deployment details.

You can find out more about Makefiles used with AWS.
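
The fix on the owner’s side is to keep build artefacts out of the published tree in the first place. The following is an added example (not code from the write-up or from HackenProof) of a pre-deployment check: it walks a directory about to be published, flags files that belong to the build rather than the site (Makefile, .env, .git and similar), and scans their contents for the kind of data the write-up saw leak, private RFC 1918 addresses and tokens shaped like AWS CloudFront distribution IDs. The sample web root and Makefile are constructed for the demonstration, and the distribution-ID pattern (an “E” followed by 13 upper-case alphanumerics) is an assumption based on the usual shape of those IDs, not an AWS-documented format.

```python
"""Pre-deployment check for build artefacts that must never reach the web root.

Added example (not from the original write-up): walks a directory that is
about to be published, flags files such as Makefile, .env and .git that
belong to the build, not the site, and scans them for the content the
write-up saw leak: private (RFC 1918) IP addresses and tokens shaped like
AWS CloudFront distribution IDs (the ID pattern is an assumption).
"""
import os
import re
import tempfile
from pathlib import Path

# Names that are build/deploy artefacts rather than site content.
FORBIDDEN_NAMES = {"Makefile", ".env", ".git", ".gitignore",
                   "docker-compose.yml", "Dockerfile", ".DS_Store"}
FORBIDDEN_SUFFIXES = {".bak", ".old", ".swp", ".sql", ".log"}

# RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
# Assumed shape of a CloudFront distribution ID: 'E' plus 13 alphanumerics.
DISTRIBUTION_ID_RE = re.compile(r"\bE[A-Z0-9]{13}\b")


def is_forbidden(path):
    """True if this file or directory name should not be published."""
    return path.name in FORBIDDEN_NAMES or path.suffix in FORBIDDEN_SUFFIXES


def sensitive_findings(text):
    """Return the private IPs and distribution-ID-like tokens found in text."""
    return {
        "private_ips": sorted(set(PRIVATE_IP_RE.findall(text))),
        "distribution_ids": sorted(set(DISTRIBUTION_ID_RE.findall(text))),
    }


def audit_webroot(root):
    """Map each forbidden path (relative to root) to what it would leak."""
    root = Path(root)
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            p = Path(dirpath) / name
            if is_forbidden(p):
                report[str(p.relative_to(root))] = {"directory": True}
                dirnames.remove(name)  # don't descend; the whole tree is a leak
        for name in filenames:
            p = Path(dirpath) / name
            if is_forbidden(p):
                text = p.read_text(errors="replace")
                report[str(p.relative_to(root))] = sensitive_findings(text)
    return report


# Constructed sample Makefile mirroring the leak described in the write-up.
SAMPLE_MAKEFILE = """\
DEPLOY_HOST=10.0.12.34
CF_DIST=E1A2B3C4D5E6F7

deploy:
\taws s3 sync ./build s3://example-bucket
\taws cloudfront create-invalidation --distribution-id $(CF_DIST) --paths "/*"
"""


def build_sample_webroot():
    """Create a throwaway directory with one clean page and two leaked artefacts."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<h1>xyz.com</h1>")
    (root / "Makefile").write_text(SAMPLE_MAKEFILE)
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]\n")
    return root


if __name__ == "__main__":
    findings = audit_webroot(build_sample_webroot())
    for rel, what in findings.items():
        print(rel, what)
    if findings:
        raise SystemExit("refusing to deploy: build artefacts in web root")
```

Run it as the last step of the deploy pipeline against the directory you are about to sync; a non-empty report should fail the deploy rather than just warn, since a Makefile that reaches the web root is served to anyone who asks for it.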

Let me give another tip: sometimes we hit a “403 Forbidden” error, as seen below:

In this scenario, we can try this tool to bypass the restriction and view the restricted pages.

BACK TO OUR BUG
Checking the timer… yes, I did it as planned: I found a vulnerability within 12 minutes. My playlist is finishing, I submit a report on this exploit, and three days later the report is triaged and rewarded with a $200 bounty.

Low-hanging fruit like that can be caught even by beginners… Hope this helps you get an easy win to inspire further self-development on your bug bounty journey! 😊

Happy hunting everyone.