Github recon to P2

hey fellow bug huntrs this is my first writeup so if you found any kind of minor mistakes ignore. I m not pro bug hunter yet bug may be this article gives you some motivation and this story is about my P2 in just 5 minutes. I would like to say that i have got this vulnerability by luck ,i did not have to work hard for this.You will be surprised to know that i myself didn’t know about this bug before finding. But after that i learnt everthing about this vulnerability.

i was hustling for 4–5 month to get my 1st valid bug but i was not getting success because i always hunt on bugcrowd and its hard to find low hanging bugs on bugcrowd public program you would know if you ever did , and you need to find P2 and P1 bugs to increase your reputation for private invite. I did report some low hanging bug which were triaged during hustle. But i was not happy because i wanted high severity bugs😁 .

Then recon part came to roll and i choose a rdp program on bugcrowd and started recon proccess :

During recon proccess i visited github for some sensitive information i got nothing.

Then after 5 minutes i used “example.com”exploits BOOM i found already made khir here 😁

here someone has already posted a directory traversal vulnerability on github i simply visited the link and got directory traversal vulnerability but i wasn’t as happy as i should because i didn’t know what it was but i reported it and its got triaged.

after this i started searching about directory treaversal everywhere

In short

Directory traversal is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application. This might include application code and data, credentials for back-end systems, and sensitive operating system files.

simple payload that i was use :- /../../../../../../../etc/passwd

Tips:-

dont understimate power of reconif you newbie then my suggetion would be learn about low hanging bugs first because low hanging bugs pays well😏.then go to portswigger and learn about all bugs that they teach you solve labs and then it would be enough for you to getting started.make list about your all known bugs and then make your own mathodologyremember first step is always hard#happyhacking

follow me:-

twitterinstagramLinkedin