A $1000 Bounty

Greetings Everyone. Firstly, a small introduction about me. I’m Gaurav Narwani, a bug bounty hunter and a passionate cybersecurity enthusiast. I do bug bounties in my free time and cry on the recursive functions which compute my Engineering Grade after every semester. The sole purpose of a blog is to pen down my experiences of being a bug hunter and cyber security analyst. A blog gives me a platform to extensively document my findings and spread what I learned the hard way. So that’s it I’m a newbie please bear with me, but what I can promise is I will never stop learning and keep on improving my content.

Bugcrowd Private Programs

It all boils down to – How I got into the club of Private Hunters?

I think what worked for me was perseverance and consistency in the span of 6 months. In my initial days on Bugcrowd, I inquired bugs which were the mostly low priority (P4 or P5), yet it did not deter me from reporting it. Down the line, I see those low priority/duplicate vulnerabilities as a trampoline. It gave me the inspiration to learn more and also learn to use more tools such that there will be a point where I would start hunting for high priority bugs. Like you have heard every drop contributes to making of a pond here every point earned from these bugs helped my score go up.

The thing that I’m going to discuss with you today is about my first $1000 Bug, also why recon is the most important step in bug hunting. I’ve had many bugs triaged in the past, but this is a special one as this was my first critical bug and it was just an hour effort.

The program had 4 domain names in scope. (can’t be disclosed), let’s consider example.com as the main domain name and example2.com, example3.com and example4.com as the remaining domains in the scope of the program. There were no subdomains in scope, so we can skip the part of subdomain enumeration.

Note:

Reading the given problem statement is very important as it is one of the common mistakes of ignoring it and that leads to a bug which is an out of scope vulnerability.
Always pick a target which is less visited and most of the times they are the subdomains.

Here in my case, I didn’t have any subdomains, so I targeted other domains in the scope. I had used the dirb tool – an inbuilt tool of Kali for directory enumeration.

Dirbuster commonly known as Dirb is a tool to brute-force files and directories which usually go unnoticed by the spider applications.

Pros:

Easy to use
Accurate relative to dirsearch and gobuster.
It has a recursive character i.e. unlike gobuster it won’t stop the search and show a 301-status code it will keep on finding the sub-directories.

Cons:

It is a tool which uses brute force methodology
The execution time is dependent on the size of the wordlist

Let’s begin

Choose a target from scope:

As mentioned above, pick a target which is less visited, mostly subdomains. In my case we weren’t provided with subdomains, so I chose the domains provided in scope.

Ex: example.com, example2.com, example3.com, example4.com

Run dirb along with the main URL of the domains:

Note: Since Dirb is a tool which follows brute-force methodology, a wordlist needs to be specified which is used by dirb for directory enumeration. You can either use one or many wordlists. You can let dirb run default options or choose options like extensions, proxies, authentication and much more. Below is the usage of dirb and samples of commonly used methods of using this tool.

Dirb usage:

Dirb <url_base> [<wordlist_file(s)>] [options]

<url_base> : Base URL to scan

<wordlist_file(s)> : List of wordfiles. (wordfile1, wordfile2, wordfile3…)

Some commonly used options are:

X <extensions> / -x <exts_file> : Append each word with this extensions.
-z <milisecs> : Add a miliseconds delay keep in mind it can cause excessive Flood.
-i : Use case-insensitive search.
-N <nf_code>: Ignore responses with this HTTP code.

EXAMPLES

dirb http://url/directory/ (Simple Test)

dirb http://url/ -X .html (Test files with ‘.html’ extension)

dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist)

dirb https://secure_url/ (Simple Test with SSL)

Start the dirb tool along with default wordlist separated over 3 terminals for each of the URL.

dirb https://example.com

dirb https://example2.com

dirb https://example3.com

dirb https://example4.com

Check responses with status code 200 if you can find something interesting or capture request in burp to help burp spider through the application more.

Core Finding

After the scan of URL https://example.com, Bingo! I found an URL with status code 200 named

https://example.com/en-US///WEB-INF/web.xml

I copied this URL in my browser and waited for the response. BOOM, the XML file just popped out in front of my face revealing Java classes, source code, j2ee jar libraries, properties files with sensitive credentials and most importantly private API keys.

Investigating Further

Installing the J2EE Extender:

As I had found Java classes, I installed the J2EE Extender in Burp which could help me find more paths like these.

Capture request in Burp and start the spider.
Start Active Scanning after 10-15 minutes of the spider.

After around an hour of Active Scanning, I found around 40 URLs having the same directory and file named web.xml or web.xml.xhtml. Gathered all these URL ’s, sent a GET request and captured their Screenshots. Also, I had started to document the report on Bugcrowd.

The Bug was Triaged Overnight and I was awarded $1000 within 3 days.

20^th July – Created the submission

20^t^h July – Bug Triaged

23^rd July – Bounty Awarded $1000

6^th August – Bug Resolved

That’s all for today. Please subscribe to my blog and also Subscribe to Hackison on Youtube for Videos related to Cyber Security. Until Then! Keep Hunting.

Gaurav Narwani

9 Replies to “A $1000 Bounty”

hamza says:

December 5, 2018 at 9:48 am

can you give wordlist u use on dirb
1. admin says:
  
  December 6, 2018 at 7:59 am
  
  Hello Hamza,
  You can use wordlists like:
  
  1. All.txt from Jason Haddix
  https://gist.github.com/jhaddix
  
  2. SecLists by Daniel Miessler
  https://github.com/danielmiessler/SecLists
  
  3. https://github.com/cujanovic/Content-Bruteforcing-Wordlist
  
  4. Oracle applications word-list
  https://github.com/huntergregal/wordlists/blob/master/app_specific/oracle.txt
  
  5. https://github.com/Bo0oM/fuzz.txt
  
  6. Payloads all the things
  https://github.com/swisskyrepo/PayloadsAllTheThings
azaz says:

January 30, 2019 at 8:03 pm

I really love your writeups. Awesome work Gaurav, appreciate it
1. admin says:
  
  January 30, 2019 at 8:06 pm
  
  Thankyou azaz. Please subscribe to the blog to read the blogs as soon as i upload them 🙂
Narinder says:

April 1, 2019 at 8:30 am

Hello..
I am from Punjab,India.
I am interested in web app pentesting.
I am complete begginer. Can you please help me from where should I start learning. And what are the Main concepts I should know to start.
Hope for positive reply
1. admin says:
  
  April 3, 2019 at 1:15 pm
  
  Hey Narinder connect with me on LinkedIn or twitter. I’ll guide you.
2. balu says:
  
  May 13, 2019 at 5:00 am
  
  start form c or python
  1. admin says:
    
    May 14, 2019 at 1:51 am
    
    Python is a much easier language to understand and also many web app tools are based on python.
Kartikay Parmar says:

January 5, 2020 at 8:58 am

Hello sir , my name is Kartikay, i am from Himachal, actually I also want to be a bug hunter , i know a lot of basics and i know bout all the tools and stuff but my main problem is that i want a guide to help me with my starting findings, like what payloads to use , how to find places to use payloads and that stuff. If you can help me out , please let me know sir. Please

Comments are closed.