My journey towards Bug Bounty and Ambassador World Cup 2023 Recap


Prashant Bhattarai

Hello everyone,

Buckle up your seatbelts because I will be sharing how my bug bounty journey started, along with some insights into the Ambassador World Cup 2023 (AWC-2023). I will also share some tips and what I have learned throughout the journey. So, this will be more of an experience-sharing rather than a technical discussion.

It was in 2020 when I was introduced to bug bounty hunting by my fellow brothers @dhakal_bibek and @dhakal_ananda. After many conversations with @dhakal_bibek, he introduced me to the platform HackTheBox, and that’s where I began my journey of ethical hacking. Through HackTheBox, I learned about both web-related and server-side issues. I gained my basics from HackTheBox which got me interested in the field of hacking. And with time, I started to realize that I was more drawn towards web issues. So, I started learning from PortSwigger, which is a free learning platform that mainly focuses on web-related issues. At the same time, I was working a full time job as a security analyst while I tried my luck with bug bounty hunting. Although I didn’t progress much in bug bounty hunting, I gained a lot of knowledge about web-related topics during my working days.

Despite trying day and night, I was not able to find any success in bug bounty hunting for months. It was really frustrating at times. But even while failing miserably, I never lost hope. After putting in a lot of effort, I managed to find an issue on a web application owned by Sony which earned me a T-shirt as swag. This was my first success in bug bounty hunting. I used a public Nuclei template to discover that issue. You could also say that I got lucky. But I believe that I increased my luck by putting a lot of effort into it. After that initial success, I struggled to find any more issues. Even when I did, they were often closed as informative or duplicates (informative status indicates that an issue reported does not pose a security impact and the duplicate status indicates that a report was previously submitted by another researcher). Since I was working full-time, I could only hunt on weekends. Looking back, I now realize I was only spending 2–3 hours a week hunting. Then I decided to change my approach slightly. I decided to stop hunting on programs that offered bounties and instead tried my luck with the Dutch government. A successful bug on the Dutch Government assets would be rewarded not with a cash bounty but with a T-shirt that said ‘I hacked the Dutch Government and all I got was this lousy t-shirt’. And after a week of continuous effort, I earned myself just that. Believe me, it is one heck of a conversational starter.

However, fancy t-shirts were one thing, but it was high time I hunted on real Bug Bounty programs and earned myself some cash. So, I asked @dhakal_bibek and @dhakal_ananda for tips and motivation. I can proudly say that I could not have asked for better mentors. Both of them encouraged me and gave me insights which got me my first bounty on a private program of HackerOne. The issue was reported on September 1, 2022, and was rewarded on October 3, 2022. I also tweeted about it. My excitement crossed all limits when I saw a comment on my tweet by the legend @thedawgyg, a famous hacker who I have followed since a long time back. Not only that, I had comments on my post from other renowned hackers, like @ArchAngelDDay and @therceman. Their support was all I needed as motivation to continue and grow in Bug Bounty.

Here is the link to the tweet: https://x.com/g0ndaAr/status/1577224901089693696

At that time, I was still working a full time job and the workload was heavy on my shoulder. I knew I didn’t want to continue living like that. The sense of security that the job provided was very hard to give up. Also, the idea of not getting a monthly paycheck was quite scary for me. After a lot of self-reflection, I took the bold step and quit my job. I had to succeed in Bug Bounty hunting since I had no other sources of income to pay the bills. I started hunting on a private program that offered bounties. I spent almost 20 days on that program but couldn’t find anything.

One day, my brother @aannjjiill invited me to his house to hunt together. We decided to work on a HackerOne public Bug Bounty program. Being a gamer myself, I quickly familiarized myself with the target which involved buying/selling items from games I used to play. We hunted on that program all night without finding anything. In the morning, I woke up and immediately started hunting again. After a while, I discovered an authentication issue. I got way too excited and tried to reproduce the issue again. Well, I think you have already guessed what happened. Yep, the issue wasn’t reproducible. It worked once but not the second time. I knew I had missed something that made it unexploitable. It took me nearly 2 hours to finally figure out what I had missed. I remember my hands were shaking as I wrote the report. I couldn’t stop thinking about it the whole day. I had also enrolled in an MBA course and had an orientation program the next day, so I went to bed early at 9 PM. The following morning, I woke up around 5 AM and received an email asking for a retest. I was shocked and happy at the same time. I quickly opened my laptop and tried to reproduce the issue again. The issue was fixed, and I submitted the retest before heading to the orientation program. Just before the orientation started, I received another email informing me that I had been rewarded with a four-digit bounty for that issue. I was over the moon with happiness. I couldn’t stop smiling. Looking back, I realize anyone who saw me might have thought I was weird to be smiling to myself. At that moment, I knew that I could do more and never regretted my decision of quitting my job.

AMBASSADOR WORLD CUP 2023 (AWC-2023)

After receiving my first four-digit bounty, only 20 days remained until AWC-2023 began. First, a shoutout to @arl_rose and the entire HackerOne team for organizing this amazing competition, which allowed us to showcase our skills and represent our country on a global scale. Also, shoutout to my brother @dhakal_ananda for being selected as a HackerOne Brand Ambassador and forming a strong team. From the start, Team Nepal was incredibly excited and determined to win the AWC-2023 competition.

Group Stage Round

The tournament began with a group stage round. Each group consisted of 3 or 4 teams with the top 2 teams based on points advancing to the next round. Our group included Team Haryana and Pakistan. During the target announcement, I was with @dhakal_ananda and @dhakal_bibek. The targets announced were Yahoo, Epic Games, Shopify, Stripe and Opensea. We started to hunt for bugs without wasting time. I chose to hunt on Epic Games. We were hunting for almost 8 hours a day. Over the 14-day round, I found a total of 8 bugs. You must be wondering what the status of these bugs is. Well, you can never always expect success in Bug Bounty. I guess you have a hint now. Among them, 4 were closed as duplicate and 4 as informative. Surprisingly, I received a small bounty for two reports that were closed as informative. At that time, I didn’t know how to feel about this. Thinking about it now, those issues did not carry a direct impact and were low severity so I guess I am happy that I got a bounty for those reports. The Epic Games team members were kind enough to compensate me for my efforts.

Unfortunately, I didn’t earn any points for the team which left me disappointed with myself. As I mentioned earlier, success isn’t guaranteed in Bug Bounty. Kudos to my team members who performed very well in the first round. We managed to get a total of 46 points. We finished at the top of our group and advanced to the next round.

At the middle of the round, we had gathered for a meetup where we hacked together as well.

Key takeaways from the round.

Always demonstrate the impact properly. The reason I received a small bonus for both issues was because I showed a clear impact.

If you have found a business logic error, explain properly how the issue can impact from a financial or operational perspective.

Report and forget. Do not get attached to a report. There are always other bugs to find. Arguing with the triager and Internal Team will not benefit you in the long run. Give your reasoning once and if they still do not agree, move on. If you are still 100% sure that your issue was incorrectly handled, you can request mediation. Try to think from their perspective as well. They may be right.

Sweet 16 Round

The Sweet 16 round began with us competing against Saudi Arabia. Battling with one of the strongest teams in the competition, we knew we had to put in a lot of effort to win this round. The targets were A.S Watson Group, Stripe and Opensea. I focused on finding bugs in the A.S. Watson Group’s main web application and discovered 6 bugs. However, only one was accepted, which was a collaboration with @dhakal_bibek. At this point, self-doubt started to creep in as I had only found a single valid bug in a span of 3 months. One thing to note was that my focus during bug hunting was low since I was balancing my MBA studies alongside the AWC rounds. There were times when I was lazy in my hunting efforts as well. I consider myself fortunate to be part of Team Nepal, who carried me to the quarter-finals. Yes, we managed to beat Saudi Arabia and proceeded towards the Quarter Finals.

Key takeaways from this round

You need to maintain an ultra-focused mindset to find valid bugs. Even if you feel lazy, you must set that aside and push yourself to prioritize tasks that matter.

Discouragement can lead to failure in bug bounty hunting. You should always have that confidence that there are bugs to be found and dedicate enough time to it. Bugs are everywhere and the thing that’s stopping you from finding them might be your lack of self-confidence. Laziness comes from a lack of passion and determination. You should give your 100%. Focus on the work you do and don’t think about the results beforehand. The more you do it, the closer you get to your goals.

Share your findings with individuals that you trust. They might know something you don’t. Working together and sharing the rewards is better than working alone and achieving nothing.

Elite Eight (Quarter Finals)

Here comes one of the toughest rounds during AWC-2023, the Quarter Finals, also the deciding round for the Live Hacking Event (LHE). We were both super excited and nervous. We knew USA Team 0 was a very strong team with some of the best Bug Bounty hunters on their team. We were mentally prepared to put in whatever amount of effort was necessary to beat USA Team 0. As always, I was together with @dhakal_ananda and @dhakal_bibek during the announcement. This time, they announced that there would be only one target for this round. We were surprised and hoped it wouldn’t be Yahoo, knowing that Team USA 0 had extensive experience with Yahoo in the past. However, where’s the fun in winning when the odds aren’t against you? After a lot of suspense, the target was announced and well, oh well, it was Yahoo.

Some of our teammates were demotivated right after the announcements while others didn’t lose hope and were super hyped. We had a mindset that we were going to beat USA Team 0 on their home ground — that was the motivating factor that we used to hype ourselves up. I remember @dhakal_ananda kept this tweet on a new tab of a browser and looked at it when he needed motivation to hunt. The exact words that he used were “The heat that we bring should be unbearable to USA Team 0”.

Here is the link to the tweet https://x.com/ArchAngelDDay/status/1679204136972320768

Personally, I knew winning this would be very difficult but this time, I gave my all in finding bugs. Within Yahoo’s scope, I focused on Yahoo Calendar. For the first three days of the round, I didn’t make any progress, but I didn’t lose hope and kept working on the target. On the fourth day, I found something interesting and reported it. Later, I found more issues that I knew were valid.

Here’s where it gets even more interesting, I found a lead on an issue that I shared with @dhakal_ananda. He came up with an exploit which I tried but there was a missing piece which we couldn’t figure out. The next day, we had gathered for a meetup where we hacked together for a whole day. That same day, I finally identified the missing piece and combining it, we uncovered a serious issue. Without wasting any time, we provided all the information regarding the exploit and its impact. The issue was classified as High severity and we were rewarded with a handsome amount which was my highest payout up to that day. In total, I reported 11 issues, among them 6 were closed as informative and 5 were triaged and rewarded. At that moment, I realized that giving 100% effort is the only way for me to progress in Bug Bounty. We all had worked really hard during the round. I remember that from the 12th to the 14th day of the round, we were exhausted and struggling to focus, feeling tempted to quit. But, we did not let that stop us from grinding. We carried on till the 14th day until the submissions were closed.

During the point calculations, USA Team 0 was significantly ahead of us. One of their top hackers, @cdl was uncovering multiple Criticals, nearly dashing all our hopes of winning. We were prepared to face any outcome from this round. There was still a tiny hope left as our reports were still left to get reviewed. As our reports started to be validated and triaged, the hope of victory grew, and we eagerly awaited the results. After a long wait, the results were finally announced. And guess what? We crushed it and won the round! I was on vacation with friends at the time. I remember jumping from my chair, shouting with joy that we had won. My friends were confused at first but later, I explained to them and we celebrated together. It was one of the happiest moments in my life. The feeling was indescribable and the achievement felt surreal. The thought of being invited to Live Hacking Event (LHE) was beyond my wildest dreams. We began preparing for the Semi-Finals.

A small gathering where we hacked together during Quarter Finals

https://x.com/dhakal_ananda/status/1681688478659268608/photo/2

Key Takeaways From This Round

Sometimes hard work can surpass talent. Talent is essential for growing your knowledge, but hard work is equally important. One talented person might be outperformed by three hard-working individuals.

You will never progress in life if you are afraid of losing. If you believe you will fail before even starting to put in effort, there is no way you will ever succeed in life.

The Final Four (Semi Finals)

We faced Spain in the Semi-Finals, and I want to highlight first that Team Spain was exceptionally active in communicating and sharing points. Their sportsmanship was outstanding.

After a couple of days of waiting, the Semi-Finals began. The targets were announced shortly which were Tinder, Shopify and Metamask. Since most of my teammates chose Shopify, I decided to hunt on Tinder. That’s the only reason why I switched to Tinder 😛. I started my hunt on Tinder and reported two bugs on the first day. Reporting my second bug, I had a gut feeling that I could find more bugs there. Just to clarify, I am not a regular Tinder user 😹.

Everything went smoothly as I was finding lots and lots of bugs here. Now, one of the dumbest mistakes I had made was during this round. I think you guys are wondering what it was. Well, I reported two different issues in a single report. I was hard on myself at first but I moved on from it later. Meanwhile, most of my teammates faced challenges with Shopify such as issues were wrongly closed, internally duplicated or severity reduced without explanation. Almost everyone was fed up at this point and we only had 4 days left. In the remaining four days, everyone switched their focus to hunting on Tinder.

A small gathering where we hacked together during Semi Finals

So, the round ended and we began preparing our documents to apply for visa applications to attend the LHE in Argentina. Since there was no Argentinian Embassy in Nepal, we had to travel to India to apply for a visa. Among the selected 10 members, only 8 of us were traveling due to various reasons. Without delay, the 8 of us from Team Nepal booked our flights and traveled to India.

Meanwhile, the Semi-Finals results were about to be announced. Before that, I would like to give a shoutout to Spanish Hackers @iamboualiI and @djurado for their assistance with translating documents from English to Spanish which we needed for visa processing. As the 8 of us from Team Nepal were in the same room, the atmosphere was tense when the results were announced. The room was completely silent when they announced the result. To our dismay, we had lost to Team Spain by 8 points. That same day, the battle for the First Place in AWC-2023 and for the third place was about to begin. We cleared our emotions and started preparing for the third place.

Key takeaways from this round

Adding excessive details in a report can result in two distinct issues being merged into one. As a result, you might receive only one reward instead of two separate ones. To avoid this, it’s important to keep reports clear and focused on individual issues.

Sometimes you have to stop putting effort into something that is not worth the effort.

Don’t hesitate to ask for help. You might receive something unexpected.

Trust your instincts. In my experience, instincts are never random. Trust your gut feeling and go for it, you might achieve wonders just by trusting it.

Championship and Third Place Round

So, the final round was about to start. I was with 7 other members of Team Nepal in Delhi, India, waiting for our visa results and preparing to compete for third place. Spain and Israel were battling for first place, while we were up against Team France for third place. The targets were announced which were Adobe, Mercado Libre, AS Watson and Tiktok. As soon as I heard Tiktok, I had already made up my mind to hunt in Tiktok. Later, I realized that Tiktok was banned in India🥲. I tried using VPN but the connection was really poor so I moved on to Mercado Libre. The language barrier was too much for me, so I skipped it. I applaud my team for exploring alternatives and finding multiple high-severity issues in Mercado Libre. Afterward, I shifted focus to Adobe.

As the LHE approached, we still hadn’t received a response from the Argentinian Embassy. Despite facing challenges away from home, we tackled them together, united by our goal to secure third place. I managed to find some bugs in Adobe. Here comes the sad part, the LHE was about to start in a day and we still hadn’t got any response from the Embassy. The sadness took over all of us as we had to withdraw from the visa process. Even if we waited, we could not make it to the LHE on time. We packed our stuff and traveled back to Nepal.

A photo from when we were in Delhi, India, for visa processing.

We still had 3 days left for the round to end. We devoted all remaining energy to finding more bugs. The round had ended, and MyOhMy! The Ambassador World Cup 2023 was nothing less than a roller coaster ride for us. Filled with mixed emotions, the tournament was really a wholesome experience for all of us. As part of Team Nepal, we all shared the same energy and determination to achieve success. I can assure that the room that we stayed in had never experienced the level of productiveness before we arrived there.

The results were being announced. We were watching it live virtually. It was time to announce the third place. We were barely able to speak with each other. After a long wait, the third-place winner was announced — DRUM ROLL!!!!!!!!! TBD 🤦. Apparently, many bugs remained to be validated, affecting the results. We understood the challenge of validating reports in a short time span. Kudos to the HackerOne triage team for their immense hard work. Shortly after that, they announced the first place winner, DRUM ROLL!!!!!!!!! Team Spain. We could see their excitement and happiness through our screen.

After a couple more days of waiting, a tweet from HackerOne’s official handle finally declared the third-place winner — DRUM ROLLLLL!!!!!!!!!!! Team Nepal ❤️. We celebrated the third place victory. This was a massive achievement for us. From being an underdog team with no recognition in the community to securing the third place and receiving praises from everyone was a monumental achievement. Defeating legendary teams like Haryana, USA Team 0, Saudi Arabia, and France was a significant accomplishment. Rest assured, we will return even stronger in AWC-2024.

Key takeaways from this round

Team work makes a dream work. The final round, we shared and collaborated with each other which led us to discovering high impact vulnerabilities. By working together and sharing knowledge, we identified numerous vulnerabilities. The main advantage of working together was the motivation part, everyone was equally energetic and there was never a lack of motivation. We worked together, motivated each other and pushed forward, achieving third place.

Believe in yourself. Never underestimate your abilities. With dedicated effort, you can achieve anything. The effort you invest in your work undoubtedly determines your success in that field.

“If you are the smartest person in the room, you are in the wrong room”. This was a quote written by my brother, Mr. Sushant Bhattarai. I totally agree with this statement. Being in the same room with one of the smartest bug bounty hunters from Nepal, I learned so much in 10 days that I wouldn’t have learned in a year or more.

So, that’s a wrap! I hope that my journey was interesting for all the readers. Also, good luck to everyone who is participating in this year’s Ambassador World Cup (AWC-2024). 😀
