Greetings Everyone. Firstly, a small introduction about me. I’m Gaurav Narwani, a bug bounty hunter and a passionate cybersecurity enthusiast. I do bug bounties in my free time and cry over the recursive functions which compute my Engineering Grade after every semester. The sole purpose of this blog is to pen down my experiences as a bug hunter and cyber security analyst. A blog gives me a platform to extensively document my findings and share what I learned the hard way. So that’s it, I’m a newbie, please bear with me, but what I can promise is that I will never stop learning and will keep on improving my content.
Bugcrowd Private Programs
It all boils down to: how did I get into the club of private hunters?
I think what worked for me was perseverance and consistency over a span of 6 months. In my initial days on Bugcrowd, the bugs I found were mostly low priority (P4 or P5), yet that did not deter me from reporting them. Down the line, I see those low-priority/duplicate vulnerabilities as a trampoline. They gave me the motivation to learn more and to use more tools, so that at some point I would start hunting for high-priority bugs. As you have heard, every drop contributes to the making of a pond; here every point earned from these bugs helped my score go up.
A $1000 Bounty
The thing that I’m going to discuss with you today is my first $1000 bug, and also why recon is the most important step in bug hunting. I’ve had many bugs triaged in the past, but this is a special one, as it was my first critical bug and it took just an hour of effort.
The program had 4 domain names in scope (they can’t be disclosed), so let’s consider example.com as the main domain name and example2.com, example3.com and example4.com as the remaining domains in the scope of the program. There were no subdomains in scope, so we can skip the subdomain enumeration step.
Note:
- Reading the given problem statement (the program brief and its scope) carefully is very important. A common mistake is to skip it, and that leads to finding and reporting a bug that is out of scope.
- Always pick a target which is less visited; most of the time these are the subdomains.
Here in my case, there were no subdomains, so I targeted the other domains in the scope. I used the dirb tool, which ships with Kali, for directory enumeration.
Dirb (not to be confused with OWASP DirBuster, which is a separate Java tool) is a web content scanner: it brute-forces file and directory names from a wordlist and so finds content that a spider/crawler usually misses, because nothing on the site links to it.
Pros:
- Easy to use
- Reasonably accurate compared with dirsearch and gobuster: before scanning it requests a random nonexistent name to learn how the server answers “not found”, so custom 404 pages are filtered out.
- It is recursive: unlike gobuster, which reports a directory (a 301 or 200 on a directory name) and moves on, dirb queues every directory it finds and keeps brute-forcing inside it for sub-directories.
Cons:
- It is pure brute force: it can only find names that are in your wordlist.
- The execution time grows with the size of the wordlist (multiplied by the number of extensions and the number of directories found).
Let’s begin
- Choose a target from scope:
As mentioned above, pick a target which is less visited, usually a subdomain. In my case we weren’t given any subdomains, so I chose from the domains provided in scope.
Ex: example.com, example2.com, example3.com, example4.com
- Run dirb along with the main URL of the domains:
Note: Since dirb works by brute force, a wordlist needs to be specified, which dirb uses for directory enumeration. You can use either one or several wordlists. You can run dirb with its default options or choose options such as extensions, proxies, authentication and much more. Below is the usage of dirb and samples of the commonly used ways of invoking the tool.
Dirb usage:
dirb <url_base> [<wordlist_file(s)>] [options]
<url_base> : Base URL to scan
<wordlist_file(s)> : List of wordfiles. (wordfile1, wordfile2, wordfile3…)
Some commonly used options are:
- -X <extensions> / -x <exts_file> : Append each word with these extensions.
- -z <millisecs> : Add a millisecond delay between requests so as not to cause excessive flooding of the server.
- -i : Use case-insensitive search.
- -N <nf_code>: Ignore responses with this HTTP code.
EXAMPLES
dirb http://url/directory/ (Simple Test)
dirb http://url/ -X .html (Test files with ‘.html’ extension)
dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist)
dirb https://secure_url/ (Simple Test with SSL)
Start dirb with its default wordlist in a separate terminal for each of the URLs:
dirb https://example.com
dirb https://example2.com
dirb https://example3.com
dirb https://example4.com
- Check the responses with status code 200 for anything interesting, or capture the requests in Burp so that Burp’s spider can crawl further into the application.
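To make the procedure above concrete without needing dirb or a live target, here is a minimal dirb-style brute-forcer in Python, written as an added example for this post (it is not dirb’s source code and not the author’s tooling). It starts a throwaway local HTTP server, so everything runs offline; the fake site, the wordlist and the leaky path are all constructed here for illustration, and the wordlist entries with leading slashes are an assumption about how a path like the post’s `/en-US///WEB-INF/web.xml` gets generated. It shows the three behaviours discussed above: appending extensions (dirb’s `-X`), ignoring a status code (`-N`), and recursing into any directory it discovers.

```python
"""A minimal dirb-style content brute-forcer, run against a throwaway local
HTTP server so the whole thing works offline.

Added example for this post; not dirb's source code nor the author's tooling.
The fake site, the wordlist and the leaky path are constructed for illustration.
"""
import http.server
import threading
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Constructed target: request path -> (status, body). Anything else is 404.
# The obvious /WEB-INF/web.xml is blocked, but a path with extra slashes slips
# through (the kind of hit reported in the post: /en-US///WEB-INF/web.xml).
FAKE_SITE: Dict[str, Tuple[int, bytes]] = {
    "/": (200, b"<html>home</html>"),
    "/admin": (301, b""),
    "/admin/": (403, b"forbidden"),
    "/en-US": (301, b""),
    "/en-US/": (200, b"<html>localized home</html>"),
    "/en-US///WEB-INF/web.xml": (200, b"<web-app></web-app>"),
}


class FakeHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # http.server leaves interior "///" in self.path untouched, so the
        # lookup below sees the path exactly as the scanner sent it.
        status, body = FAKE_SITE.get(self.path, (404, b"not found"))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


def start_server() -> Tuple[http.server.HTTPServer, str]:
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it


def probe(url: str) -> int:
    """Return the HTTP status code for url, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def brute(host: str, base: str, words: List[str], exts: List[str],
          ignore: Tuple[int, ...] = (404,), depth: int = 1) -> Dict[str, int]:
    """Try every word (and word+ext) under base, like dirb with -X.

    A 200 or 301 on a bare word is treated as a directory and, like dirb's
    default recursion, brute-forced in turn until depth runs out.
    """
    found: Dict[str, int] = {}
    for word in words:
        for cand in [word] + [word + ext for ext in exts]:
            path = base + cand
            code = probe(host + path)
            if code in ignore:  # dirb's -N: skip responses with this code
                continue
            found[path] = code
            if cand == word and code in (200, 301) and depth > 0:
                found.update(brute(host, path + "/", words, exts, ignore, depth - 1))
    return found


# Constructed wordlist. The entries with leading slashes are deliberate:
# containers and reverse proxies can normalise "//" differently, and the post's
# own hit contained "///" (assumption: that is how such a path gets produced).
WORDLIST = ["admin", "en-US", "WEB-INF/web.xml", "//WEB-INF/web.xml"]


def scan_demo() -> Dict[str, int]:
    """Spin up the fake site, brute-force it, and return the hits."""
    srv, host = start_server()
    try:
        return brute(host, "/", WORDLIST, [".html"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path, code in sorted(scan_demo().items()):
        print(code, path)
```

Running it reports the two directories (`/admin`, `/en-US` as 301) and the descriptor reached only through the slash-padded path; the direct `/WEB-INF/web.xml` stays silent because it is a 404 and is filtered, which is exactly why a wordlist that only contains the textbook path would have missed this finding.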
Core Finding
After the scan of https://example.com finished, bingo! I found a URL that returned status code 200:
https://example.com/en-US///WEB-INF/web.xml
I opened this URL in my browser and waited for the response. BOOM, the XML file just popped up in front of my face, revealing Java classes, source code, J2EE jar libraries, properties files with sensitive credentials and, most importantly, private API keys.
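To show what a reader should pull out of a leaked web.xml, here is a small triage script in Python, added as an example for this post (it is not the author’s tooling). The deployment descriptor it parses is constructed, not the real one from the program; the “secret-looking parameter name” regex and the coverage check for security constraints are this example’s own simplifications. It lists the servlet classes and URL mappings, flags context parameters that look like credentials, reports mappings not covered by any security-constraint, and derives the `/WEB-INF/classes/...` paths that are the natural next thing to request once `WEB-INF` has proven reachable.

```python
"""Triage a leaked web.xml: what does a servlet deployment descriptor hand an
attacker? Added example for this post, not the author's tooling. The sample
descriptor is constructed; the secret-name heuristic and the constraint
coverage check are this example's simplifications.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a leaked descriptor (not a real application).
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>db.url</param-name>
    <param-value>jdbc:oracle:thin:@db.internal:1521/PROD</param-value>
  </context-param>
  <context-param>
    <param-name>db.password</param-name>
    <param-value>Pr0d-Sup3r-Secret</param-value>
  </context-param>
  <context-param>
    <param-name>partner.api.key</param-name>
    <param-value>sk_live_EXAMPLE0000</param-value>
  </context-param>
  <servlet>
    <servlet-name>Checkout</servlet-name>
    <servlet-class>com.example.shop.CheckoutServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>AdminConsole</servlet-name>
    <servlet-class>com.example.shop.admin.ConsoleServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Checkout</servlet-name>
    <url-pattern>/checkout/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AdminConsole</servlet-name>
    <url-pattern>/internal/console</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Heuristic (assumption): parameter names that usually carry credentials.
SECRET_HINT = re.compile(r"pass(word)?|secret|key|token|credential", re.I)


def _local(tag: str) -> str:
    """Strip the XML namespace: '{...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(el: ET.Element) -> str:
    return (el.text or "").strip()


def _covered(constraint: str, pattern: str) -> bool:
    """Rough check whether a security-constraint url-pattern covers a mapping."""
    if constraint.endswith("/*"):
        prefix = constraint[:-1]  # "/internal/*" -> "/internal/"
        return pattern == constraint or pattern.startswith(prefix)
    return pattern == constraint


def triage_web_xml(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    servlets: Dict[str, str] = {}   # servlet-name -> fully qualified class
    mappings: Dict[str, str] = {}   # url-pattern  -> servlet-name
    secrets: Dict[str, str] = {}    # context-params worth a second look
    protected: List[str] = []       # url-patterns behind a security-constraint

    for el in root:
        kind = _local(el.tag)
        kids = {_local(c.tag): _text(c) for c in el}
        if kind == "servlet":
            servlets[kids["servlet-name"]] = kids.get("servlet-class", "")
        elif kind == "servlet-mapping":
            for p in el:
                if _local(p.tag) == "url-pattern":
                    mappings[_text(p)] = kids["servlet-name"]
        elif kind == "context-param" and SECRET_HINT.search(kids["param-name"]):
            secrets[kids["param-name"]] = kids["param-value"]
        elif kind == "security-constraint":
            for coll in el:
                if _local(coll.tag) == "web-resource-collection":
                    protected += [_text(p) for p in coll if _local(p.tag) == "url-pattern"]

    unprotected = {p: s for p, s in mappings.items()
                   if not any(_covered(c, p) for c in protected)}
    # Servlet classes live under WEB-INF/classes; once web.xml is readable these
    # are the next paths to request for bytecode/source disclosure.
    class_paths = ["/WEB-INF/classes/" + cls.replace(".", "/") + ".class"
                   for cls in servlets.values() if cls]
    return {"servlets": servlets, "mappings": mappings, "secrets": secrets,
            "unprotected": unprotected, "class_paths": class_paths}


if __name__ == "__main__":
    for section, value in triage_web_xml(SAMPLE_WEB_XML).items():
        print(section, value)
```

On the constructed sample this flags `db.password` and `partner.api.key` (but not `db.url`), shows that `/checkout/*` is reachable without any auth constraint while `/internal/console` sits behind the admin role, and produces the `.class` paths for both servlets. The regex only catches parameters whose names look like secrets, so the values of everything else still deserve a manual read.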
Investigating Further
- Installing the J2EE Extender:
As I had found Java classes, I installed the J2EE Extender in Burp, which could help me find more paths like these.
- Capture request in Burp and start the spider.
- Start active scanning 10-15 minutes after starting the spider.
After around an hour of active scanning, I found around 40 URLs with the same directory and a file named web.xml or web.xml.xhtml. I gathered all these URLs, sent a GET request to each and captured screenshots. I had also started documenting the report on Bugcrowd.
The bug was triaged overnight and I was awarded $1000 within 3 days.
20th July – Created the submission
20th July – Bug Triaged
23rd July – Bounty Awarded $1000
6th August – Bug Resolved
That’s all for today. Please subscribe to my blog and also subscribe to Hackison on YouTube for videos related to cyber security. Until then! Keep hunting.
Can you give the wordlist you use on dirb?
Hello Hamza,
You can use wordlists like:
1. All.txt from Jason Haddix
https://gist.github.com/jhaddix
2. SecLists by Daniel Miessler
https://github.com/danielmiessler/SecLists
3. https://github.com/cujanovic/Content-Bruteforcing-Wordlist
4. Oracle applications word-list
https://github.com/huntergregal/wordlists/blob/master/app_specific/oracle.txt
5. https://github.com/Bo0oM/fuzz.txt
6. Payloads all the things
https://github.com/swisskyrepo/PayloadsAllTheThings
I really love your writeups. Awesome work Gaurav, appreciate it
Thank you azaz. Please subscribe to the blog to read the posts as soon as I upload them 🙂
Hello..
I am from Punjab,India.
I am interested in web app pentesting.
I am a complete beginner. Can you please help me with where I should start learning, and what are the main concepts I should know to start?
Hope for positive reply
Hey Narinder connect with me on LinkedIn or twitter. I’ll guide you.
Start from C or Python.
Python is a much easier language to understand and also many web app tools are based on python.
Hello sir, my name is Kartikay, I am from Himachal. Actually I also want to be a bug hunter. I know a lot of basics and I know about all the tools and stuff, but my main problem is that I want a guide to help me with my starting findings, like what payloads to use, how to find places to use payloads and that stuff. If you can help me out, please let me know sir. Please