50€ Rabbit Hole — Plain as Cake Bugs


Abu Hurayra


Hey there! I’m Abu Hurayra, aka rootplinix — daytime hunter, nighttime writer, and early morning philosopher. You know, those 3–4 AM moments when inspiration strikes? Well, let’s kick things off with this story about a simple bug worth 50€, one that I think is perfect for new hunters or beginners.

This all started around September 5th or 6th — don’t ask me to remember exactly; I’m like Batman, always on the go. After wrapping up my remaining signal reports on HackerOne, I had a few Bugcrowd reports still waiting for responses. A friend of mine (who prefers to stay out of the limelight) nudged me to give Intigriti another shot.

Now, I’d tried my hand at several platforms — HackerOne, Bugcrowd, Intigriti, YesWeHack, and others. But every time, I gave up halfway due to burnout and frustration. Finding bugs felt like chasing ghosts; I reported plenty but couldn’t land anything significant. Everything I found was labeled Informational, Out of Scope, or Duplicate. You name it, I got it.

But this time, I was determined to stick with a program, come what may. I wanted to either find a real bug or die trying. I submitted five reports to this one program, and guess what? Four of them came back as Informational. I almost gave up, but one report — marked Undecided — gave me a sliver of hope. The triager asked for more information, and I thought, ‘Okay, I might be onto something.’

At this point, I’d tried all the usual suspects: open redirects, XSS, SQL injection — you know, the low-hanging fruit. But no luck. That’s when I decided to ditch automation and go manual. I remembered watching a video by Greg from BBRE (Bug Bounty Reports Explained). He said he doesn’t rely on automation or fancy methodologies; instead, he just dives straight into the landing page and starts hunting. Inspired by this, I jumped right in.

Using katana, I scraped all the JavaScript files linked to the main page with this command:

echo 'redacted.com' | katana -d 5 -jc | grep '\.js$' | anew js_ends.txt

What I found were the usual suspects: default JS libraries like Lodash and various plugin files. But then — boom! — I spotted a file named main.js. It caught my attention, just like Shahrukh Khan noticing Kajol in Dilwale Dulhania Le Jayenge (sorry for the dad joke, couldn’t help it).

I copied the push.js link and ran it through a JS beautifier because, honestly, it looked uglier than my face. Once beautified, I thought, ‘Why not throw it at ChatGPT and see if anything interesting comes up?’ I asked it to extract endpoints, but as the file was huge — around 5,000 lines — I decided to manually search for credentials myself.

After some careful scrolling, there it was:

$(user:"xxxx", pass:"xxxx")
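The kind of check a developer or hunter can run over a beautified bundle to catch a literal like the one above, as an added example that is not from the post: it scans JavaScript text for credential-style assignments, skips empty placeholders such as user:"", and masks values so the report itself never re-leaks the secret. The sample bundle and names in it are constructed.

```python
import re
from typing import List, Dict

# Constructed sample of a beautified front-end bundle (not the real main.js
# from the writeup). Line 4 mirrors the shape of the credential that was found.
SAMPLE_JS = """\
var _ = require("lodash");
var apiBase = "https://api.example.invalid/v1";
$.ajax({url: apiBase + "/hooks", method: "POST"});
var auth = $(user:"hookadmin", pass:"Sup3rS3cret!");
var session = {token: "", user: ""};
"""

# Key names that commonly carry secrets, matched case-insensitively.
SECRET_KEYS = r"(?:user(?:name)?|pass(?:word|wd)?|secret|api[_-]?key|token)"
# key:"value" or key = 'value'; curly quotes are accepted because they often
# survive copy-and-paste from editors and chat tools.
PATTERN = re.compile(
    rf"""\b({SECRET_KEYS})\s*[:=]\s*["'“”‘’]([^"'“”‘’]{{0,200}})["'“”‘’]""",
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Keep only the first two characters so a finding never repeats the secret."""
    return value[:2] + "*" * max(len(value) - 2, 1)


def find_hardcoded_credentials(js: str) -> List[Dict[str, object]]:
    """Return one finding per non-empty credential literal, with its line number."""
    findings = []
    for lineno, line in enumerate(js.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            key, value = m.group(1), m.group(2)
            if not value.strip():  # empty placeholders like token: "" are not a leak
                continue
            findings.append({"line": lineno, "key": key.lower(), "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_JS):
        print(f"line {f['line']}: {f['key']} = {f['value']}")
```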

My heart skipped a beat. I thought, ‘Gotcha! This is it!’ But before rushing to report it, I wanted to check the impact. Back in ChatGPT’s tab, I prompted it to generate raw HTTP requests with those credentials. To my surprise, the bot crafted beautiful requests that looked as perfect as a wedding cake.

I fired up Burp Suite and tested the credentials. These creds were used to create notification hooks for the site — meaning I could make, delete, and track notifications using them. Out of curiosity, I altered the username slightly to see what would happen. The server responded with a 200 OK even for a wrong password!

Sike, it’s the wrong password!

Initially, I felt disheartened because it seemed like the system wasn’t properly validating credentials. But I figured, ‘What the heck? I’ve already submitted a bunch of reports that went nowhere — what’s one more?’ So, I reported it anyway.

Two days later, the triager responded, saying, ‘If the system accepts wrong credentials, what’s the risk here?’ I honestly had no good answer, so I just quoted the line from my original report. I thought, ‘Well, this one’s going down as Informational too.’

With other targets demanding my attention, I almost forgot about the report. Then, one night — after a long, exhausting trip to the hospital (I’m dealing with a rare medical condition, in case you didn’t know) — I was stuck in Dhaka traffic. To pass the time, I opened my email, and there it was: Intigriti had awarded me 50€! 🎉

They mentioned that although the impact was low, the issue still posed some risk because it involved internal systems. So, they decided to mark it as Low and reward me for my effort.

In Bengali, we have a saying: ‘Nai mamar cheye kana mama bhalo’ — ‘Something is better than nothing.’ And that’s exactly how I felt. This 50€ may not be a jackpot, but it’s my first bounty from Intigriti, and that makes it special.

50€ supremacy ❤

Sometimes, persistence pays off, even when things seem bleak. As a beginner, don’t get discouraged by informational or out-of-scope reports. Keep pushing, try new strategies, and don’t rely solely on automation. You never know when you might stumble upon a hidden gem — just like I did with this bug. For now whisper in my ears —
