My First Bug: Gitignore exposure combined with 403 bypass


NnFace

Hi to you all, hackers

I want to describe how I was able to find a common, or slightly complicated, bug. Unfortunately I was not paid, but I'm here to share it with you all. Let's move on.

First, let's "take on the wallpaper" a domain that I will call here 'hackme.com'. I started enumerating a few subdomains using a combination of many tools that I combined (including mainstream ones like subfinder, assetfinder, knockpy, etc.), then I weeded out the 404s and 301s using httpx and threw all these subdomains into different crawlers, including katana, waybackurls and everything else that is available on GitHub, in the official Kali tools, etc.

Okay, on to what I did. After the crawling phase, one directory caught my eye: the 'media' directory on the main domain. The link looked like 'https://www.hackme.com/media' and the status was '403 Forbidden', so I was like…

First, I performed the classic 403 bypasses using byp4xx, 403 bypasser, etc., but nothing happened, so then I decided to use some kind of fuzzer (in my case ffuf) to move forward. I combined a few wordlists together (this one from SecLists, that one from bug bounty wordlists, etc.), then performed a testing phase to exclude the default response size, then I started the real fuzzing phase, and guess what?

One of the 20 '403' directories fired as '200 OK'. That is the good news; the bad news is that I did not screenshot it :( This file was a 'gitignore file', so I decided to ask my bug bounty friend whether this qualifies as sensitive.

F@CK! However, my high of happiness only increased when I got to that path ('https://www.hackme.com/media/.gitignore'), and as if this wasn't enough, the file started downloading by itself.

I was like…

I reported this, but I had to mark it as 'P5-Informational' on Bugcrowd. My bug bounty friend GPT helped me make it sound grimly like "Exposure of gitignore configuration combined with 403 bypass blah blah blah", and the Bugcrowd team accepted it, but with no payment. Still, I think I helped; the file does not always have to be non-sensitive :*
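A defender-side check for the pattern described above, added here and not part of the author's post: a directory that answers 403 does not stop the files inside it from being served, so a server-side filter should reject dot-file paths after undoing the encoding tricks that 403-bypass tools try, and access logs should be scanned for any hidden file that answered 200. The function names and the log lines are constructed for this illustration.

```python
import posixpath
import re
from urllib.parse import unquote
# Added example, not the author's code. The '/media' directory in the post answered
# 403, yet '/media/.gitignore' inside it answered 200: blocking a directory index is
# not the same as blocking the files it contains, so reject hidden paths explicitly.

def normalise(path: str) -> str:
    """Decode percent-encoding twice (double encoding), drop query/fragment and
    control bytes, then resolve '.', '..' and repeated slashes."""
    decoded = unquote(unquote(path))
    decoded = decoded.split("?", 1)[0].split("#", 1)[0]
    decoded = re.sub(r"[\x00-\x1f\x7f]", "", decoded)
    # Leading '/' + lstrip avoids posixpath preserving a POSIX '//' prefix.
    return posixpath.normpath("/" + decoded.lstrip("/"))

# Any path segment that starts with a dot: /.gitignore, /.git/config, /.env
HIDDEN_SEGMENT = re.compile(r"(^|/)\.[^/]")

def is_hidden_path(path: str) -> bool:
    """True when the normalised path contains a dot-file or dot-directory."""
    return bool(HIDDEN_SEGMENT.search(normalise(path)))

def decide(path: str) -> int:
    """Status a web server should answer: 404 for hidden paths (do not confirm
    that the file exists), otherwise let the normal handler serve it (200)."""
    return 404 if is_hidden_path(path) else 200

# Constructed access-log lines in combined format, mirroring the post's finding.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /media HTTP/1.1" 403 162
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /media/.gitignore HTTP/1.1" 200 88
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /media/%2egit/config HTTP/1.1" 404 0
"""
LOG_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def exposed_hidden_files(log_text: str) -> list:
    """Return (normalised path, status) for each hidden file that was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == "200" and is_hidden_path(m.group(1)):
            hits.append((normalise(m.group(1)), 200))
    return hits

if __name__ == "__main__":
    for p in ("/media/.gitignore", "/media/%252e%252e/.git/config", "/media/logo.png"):
        print(p, "->", decide(p))
    print(exposed_hidden_files(SAMPLE_LOG))
```

In a real deployment the same rule belongs in the web server config (deny any location matching `/\.`), and the log scan is what tells you whether a dot-file was already served before the rule landed.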

May God bless you, hackers, and keep pushing. I await my next shot❤️

NnFace :*
