Three Months as a Bug Bounty Hunter/Hacker

4 years ago

Eric Igbinosun

Photo by Kevin Ku on Unsplash

In July 2020, at the height of the global pandemic, I took an interest in bug bounty. I have been in information technology for over 10 years, doing mainly Cisco networking, information security and system administration. Then one day I stumbled across a YouTube video called "The Million-Dollar Hacker" and I was hooked.

From that day on I was everywhere online looking for how to get into this new freelance workforce. The first thing I noticed was that it took a lot of time and patience (that is an understatement). I took to Twitter, which in my opinion is the home of information technology, and searched out a lot of the bug bounty gurus like Stok, Nahamsec and insidePHD, to name a few. I even found a few fellow hackers on LinkedIn. Then I started reading books like The Web Application Hacker's Handbook and Web Hacking 101, and watching videos like

I quickly found out that using my own home system to hack would not be a good idea, because any WAF (web application firewall) on the internet could identify my home IP and blacklist it. So I invested in a VPS (virtual private server) on DigitalOcean. Silly me, I was not patient; if I had used the link in Nahamsec's video I could have gotten $100 worth of DigitalOcean credit. Well, you live and you learn.

I also joined a couple of Discord channels (I prefer Discord to Slack :), the gamer in me talking). A few days later I found what I thought was my first bug, an unpatched PHP server, but that was it; I could not prove anything. I just knew it was an old version because I had looked up the vulnerabilities in a CVE. Like a newbie I jumped on the report button and reported it, taking as many screenshots as possible, but again like a newbie I didn't read the program details. Part of what I had read about the bug was that an attacker would need to use social engineering to get it to work, which was out of the program's scope. So I got a deduction on my reputation score on HackerOne. That was a wake-up call for me.

I stopped hacking and went back to the books. I got a few courses on udemy.com and participated in a few CTF (capture the flag) events, staying away from Google CTF (my kung fu is not strong enough), but I plan to take part in the event next year. A few weeks later I got back on the horse and went hunting again. This time I found an HTML redirect on a subdomain, but the triage personnel from HackerOne explained to me that for this vulnerability to work the attacker had to use a man-in-the-middle setup, and if the attacker was in that position he could do more than just redirect, so it would be marked as informative. I saw this as a step up from the out-of-scope position I was in.

Back to the books again. This time I was hunting on an RDP (responsible disclosure program) when I found a self-XSS deep in one of the program's subdomains. I immediately put together a report and sent it in, and the security engineer assigned to the program reached out to me and informed me that it was not valid because the alert only pops up for me and no one else. After reading the email I checked the URL in question and found out the XSS bug had been fixed; I could no longer inject JavaScript payloads. This made me happy because I had made a difference in that organization.
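As an added illustration (not code from the original post, nor from any program the author hunted on), the toy app below shows the distinction the security engineer drew. Both routes are hypothetical: `/search?q=` reflects the parameter unescaped, so an attacker can mail a crafted link and the payload fires in the victim's browser; `/profile` shows the viewer's own stored nickname unescaped, so only the person who typed the payload ever sees it, which is a self-XSS. The sessions, routes and payload are all constructed for the example.

```python
"""
Toy model of reflected XSS vs. self-XSS. Everything here is constructed for
illustration: the routes, the session ids and the in-memory profile store.
No network is used; render() returns the HTML a given browser session would get.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

PAYLOAD = "<script>alert(1)</script>"   # constructed test payload

# Hypothetical per-user profile store: session id -> nickname.
PROFILES = {}


def set_nickname(session, nickname):
    """Save a nickname in the profile that belongs to `session` only."""
    PROFILES[session] = nickname


def render(url, session):
    """Return the HTML a browser holding `session` would receive for `url`."""
    parts = urlsplit(url)
    q = parse_qs(parts.query).get("q", [""])[0]
    if parts.path == "/search":
        # VULNERABLE: reflected XSS, q goes straight into the page.
        return f"<h1>Results for {q}</h1>"
    if parts.path == "/search_fixed":
        # Hardened form: HTML-escape before interpolating.
        return f"<h1>Results for {escape(q)}</h1>"
    if parts.path == "/profile":
        # Also unescaped, but the data is scoped to the viewer's own session.
        nick = PROFILES.get(session, "anonymous")
        return f"<h1>Hello {nick}</h1>"
    return "<h1>404</h1>"


def payload_fires(html):
    """Crude stand-in for 'the script runs': the tag survives verbatim."""
    return PAYLOAD in html


def reflected_xss_reaches_victim():
    """Attacker crafts a link; a different user opens it."""
    attacker_link = "/search?q=" + quote(PAYLOAD)
    return payload_fires(render(attacker_link, session="victim"))


def fixed_endpoint_reaches_victim():
    """Same link against the escaped route."""
    attacker_link = "/search_fixed?q=" + quote(PAYLOAD)
    return payload_fires(render(attacker_link, session="victim"))


def self_xss_visible_to_author():
    """The hunter puts the payload in their own profile and views it."""
    set_nickname("attacker", PAYLOAD)
    return payload_fires(render("/profile", session="attacker"))


def self_xss_reaches_victim():
    """Same stored payload, but another user loads /profile: they see their own data."""
    set_nickname("attacker", PAYLOAD)
    return payload_fires(render("/profile", session="victim"))


if __name__ == "__main__":
    print("reflected XSS reaches victim:", reflected_xss_reaches_victim())   # True
    print("escaped route reaches victim:", fixed_endpoint_reaches_victim())  # False
    print("self-XSS visible to author:  ", self_xss_visible_to_author())     # True
    print("self-XSS reaches victim:     ", self_xss_reaches_victim())        # False
```

The triage rule follows from the last two functions: an `alert(1)` that only the reporter's own session can render has no victim, so a report needs a delivery path (a crafted URL, a stored field other users view, or a chained bug such as CSRF or login CSRF that plants the payload in someone else's account) before it is more than informative.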

Then came the HackerOne live hacking event, which I registered for. On the first day I found something but didn't know what it was. I was looking at the output from Burp Suite, which showed a Windows 10 system; I knew it was out of place, but because I could not explain it I moved on. That was a wrong move on my part. I should have reported it.

That's my journey so far. What have I learned?

Google, Twitter and YouTube are your best friends

The learning never stops

Be friendly; a lot of bug bounty folks are willing to help, as long as you have done the work before asking questions on forums

If you hunt for low-hanging fruit you will find low-hanging fruit, but if you hunt for the big boys (LFI, RCE, RFI) you will find them. — Stok

All you need to invest is time.

So that is it. I am out.

Stay safe
