Hi everyone in the HackingBlogs community! Greetings from Day 7 of our free 10-day Bug Bounty course. Today we are going to improve your bug-hunting skills. My name is Dipanshu Kumar. No matter where you are in the process, we will discuss advanced approaches to help you find more vulnerabilities and get the most out of bug bounty programs.
After reading this post, I would advise you to quit learning and begin hunting. Choose a program, engage yourself in it, and devote no more than two weeks to it. Investigate each subdomain and do your best. If you do not discover anything after that, try another application, but be sure to look for at least one paid bug first. Continue and remain persistent!

On Day 7 we go further into the process of actual exploitation. Your foundational knowledge from Days 1–6 should be strong by now. Today I will teach you how to find low-hanging bugs so you can start bug bounty hunting and succeed. We will go over subdomain takeover procedures, GitHub dorks, and information leaks via GitHub. Now let us begin!
The exploitation phase is about hacking your target's assets.
Many experienced bug hunters begin by targeting low-hanging fruit vulnerabilities that are quick to find and offer solid payouts. The focus is on maximizing rewards while minimizing time spent hunting for bugs, preferring to spend just 10 minutes on a bug rather than 10 hours. Subdomain takeover, GitHub, and cloud services are key areas to focus on.
These techniques are proven, easy to spot, and often result in impressive payouts, making them a reliable choice for consistent success.
Low-Hanging Bug: Subdomain Takeover
What is Subdomain Takeover?
A subdomain takeover happens when a subdomain points to a resource that is no longer in use but is still publicly claimable, such as a storage bucket or a hosted service. This means an attacker can claim that resource and thereby take over the subdomain.

Let's understand this with an example.
Consider a scenario where a subdomain on a company's website, such as dev.company.com, references a project hosted on a cloud provider such as AWS. If the project is removed but the subdomain record is still in place, an attacker may be able to claim the resource and use the subdomain maliciously.

Exploiting Subdomain Takeover Flaws
Before you can look for subdomain takeovers you need a list of your target's subdomains; this should already have been done during the recon phase.
$ host subdomain.example.com
subdomain.example.com has address 192.30.252.153
subdomain.example.com has address 192.30.252.154
$ whois 192.30.252.153 | grep "OrgName"
OrgName: GitHub, Inc.
To check whether a host is up, you run the host command against the subdomain, which resolves to a CNAME. The interesting part comes when you try to open the same subdomain in a browser and get something like this:

When hackers see a 404 page like this, they pay close attention. Because it indicates that no content is being served for that hostname, they may try adding the subdomain as a custom domain on their own GitHub repository. However, not every application is vulnerable to takeover: some are not vulnerable at all, and others require you to examine both the HTTP and HTTPS responses.
Once the custom subdomain has been added to our GitHub project, the contents of the repository are served on subdomain.example.com, effectively giving us control of the subdomain.
You should be searching for subdomain takeovers on a daily basis. Just because you checked your target yesterday doesn't mean it is safe today.
Another Way: Integrating Subjack

./subjack -w <Subdomain List> -o results.txt -ssl -c fingerprints.json

Subjack reports that the subdomain trace-psdev.starbucks.com may be vulnerable to takeover. The next step is to find out where this domain points so we can attempt to take it over.
dig <Domain Here>

The CNAME record references s00174atww2twsps.trafficmanager.net, the domain we wish to register. Since trace-psdev.starbucks.com points to it, we can take control of the subdomain if that name can be registered. The subdomain is hosted on Azure's Traffic Manager, so you only need to register the name on Azure to gain control.
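The whole procedure above (host or dig for the CNAME, the CNAME suffix or whois for the provider, then the 404 page or a dead target as the fingerprint) can be scripted as a recurring audit, which is also how a defender keeps their own DNS free of dangling records. The following is an added example, not code from the original post and not subjack itself. It shells out to dig, so it assumes dig is installed; the FINGERPRINTS table, SAMPLE_DIG_OUTPUT and the example hostnames are constructed for illustration, and the fingerprint strings are not an authoritative list.

```python
"""Dangling-CNAME audit for the subdomain-takeover condition described above.
Example code added for this post (not from the original article, not subjack):
reads a subdomain list, pulls each CNAME with `dig`, and checks the target
against a small fingerprint table in the spirit of subjack's fingerprints.json.
FINGERPRINTS, the example names and SAMPLE_DIG_OUTPUT are constructed."""
import re
import subprocess
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed fingerprint table: (CNAME suffix, service, body text an
# unclaimed resource returns). A None marker means "flag it when the CNAME
# target itself no longer resolves", which is the Traffic Manager case.
FINGERPRINTS = [
    ("github.io", "GitHub Pages", "There isn't a GitHub Pages site here"),
    ("trafficmanager.net", "Azure Traffic Manager", None),
    ("s3.amazonaws.com", "AWS S3", "NoSuchBucket"),
]

# Constructed `dig +noall +answer` output used by the stand-alone demo.
SAMPLE_DIG_OUTPUT = (
    "dev.example.com.\t300\tIN\tCNAME\tplaceholder-profile.trafficmanager.net.\n"
)

CNAME_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+CNAME\s+(\S+)\.\s*$", re.M)


@dataclass
class Finding:
    subdomain: str
    cname: Optional[str]
    service: Optional[str]
    status: str  # "candidate", "ok" or "no-cname"


def parse_cname(dig_output: str) -> Optional[str]:
    """Return the CNAME target (without trailing dot) from dig answer lines."""
    m = CNAME_RE.search(dig_output)
    return m.group(2) if m else None


def resolve_cname(name: str) -> Optional[str]:
    out = subprocess.run(["dig", "+noall", "+answer", name, "CNAME"],
                         capture_output=True, text=True).stdout
    return parse_cname(out)


def target_resolves(name: str) -> bool:
    """True if the CNAME target still has an address (NXDOMAIN gives empty output)."""
    out = subprocess.run(["dig", "+short", name, "A"],
                         capture_output=True, text=True).stdout
    return bool(out.strip())


def fetch_body(host: str) -> str:
    """Fetch the first 4 KiB served for the host; error pages such as 404 count too."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=5) as r:
            return r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.read(4096).decode("utf-8", "replace")
    except Exception:
        return ""


def classify(subdomain: str, cname: Optional[str], body: str,
             target_alive: bool) -> Finding:
    """Decide whether a subdomain looks like a takeover candidate."""
    if cname is None:
        return Finding(subdomain, None, None, "no-cname")
    for suffix, service, marker in FINGERPRINTS:
        if cname.endswith(suffix):
            if marker is None:
                status = "ok" if target_alive else "candidate"
            else:
                status = "candidate" if marker in body else "ok"
            return Finding(subdomain, cname, service, status)
    return Finding(subdomain, cname, None, "ok")  # no known fingerprint: nothing to claim


def audit(subdomains: List[str],
          resolver: Callable[[str], Optional[str]] = resolve_cname,
          fetcher: Callable[[str], str] = fetch_body,
          alive: Callable[[str], bool] = target_resolves) -> List[Finding]:
    """Run the check over a list; the callables are injectable for offline use."""
    findings = []
    for sub in subdomains:
        cname = resolver(sub)
        body = fetcher(sub) if cname else ""
        findings.append(classify(sub, cname, body, alive(cname) if cname else True))
    return findings


if __name__ == "__main__":
    # Usage: python cname_audit.py subdomains.txt  (one hostname per line)
    names = [l.strip() for l in open(sys.argv[1]) if l.strip()] if len(sys.argv) > 1 else []
    for f in audit(names):
        if f.status == "candidate":
            print(f"[candidate] {f.subdomain} -> {f.cname} ({f.service})")
```

A "candidate" result is only a lead: as the post says, some services are not claimable at all, so each hit still needs to be confirmed by hand (and, on your own estate, fixed by deleting the stale record rather than by claiming the resource).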

Low-Hanging Bug: Information Disclosure
GitHub Dorks to Find Flaws
Google dorks and GitHub dorks operate in a similar manner. By focusing the search, they help with locating specific details in a vast volume of data. You have the option to search by names, file extensions, or specific keywords. Passwords, API keys, sensitive files, and more can be found using this.
filename:.bash_history DOMAIN-NAME

People are always uploading sensitive files to GitHub; it's a gold mine. It's also a good idea to look for exposed passwords, tokens, API keys, and usernames.
Live Bug Example: Finding a SECRET_KEY Inside Source Code
Here is a simple example of digging an actual secret key out of source code. It was committed by mistake by the developer; of course, developers are human, and humans make mistakes.

List of Popular GitHub Dorks to Use While Hunting
filename:.npmrc _auth
filename:.dockercfg auth
extension:pem private
extension:ppk private
filename:id_rsa or filename:id_dsa
extension:sql mysql dump
extension:sql mysql dump password
filename:credentials aws_access_key_id
filename:.s3cfg
filename:wp-config.php
filename:.htpasswd
filename:.env DB_USERNAME NOT homestead
filename:.env MAIL_HOST=smtp.gmail.com
filename:.git-credentials
PT_TOKEN language:bash
filename:.bashrc password
filename:.bashrc mailchimp
filename:.bash_profile aws
rds.amazonaws.com password
extension:json api.forecast.io
extension:json mongolab.com
extension:yaml mongolab.com
jsforce extension:js conn.login
SF_USERNAME salesforce
filename:.tugboat NOT _tugboat
HEROKU_API_KEY language:shell
HEROKU_API_KEY language:json
filename:.netrc password
filename:_netrc password
filename:hub oauth_token
filename:robomongo.json
filename:filezilla.xml Pass
filename:recentservers.xml Pass
filename:config.json auths
filename:idea14.key
filename:config irc_pass
filename:connections.xml
filename:express.conf path:.openshift
filename:.pgpass
filename:proftpdpasswd
filename:ventrilo_srv.ini
[WFClient] Password= extension:ica
filename:server.cfg rcon password
JEKYLL_GITHUB_TOKEN
filename:.bash_history
filename:.cshrc
filename:.history
filename:.sh_history
filename:sshd_config
filename:dhcpd.conf
filename:prod.exs NOT prod.secret.exs
filename:prod.secret.exs
filename:configuration.php JConfig password
filename:config.php dbpasswd
filename:config.php pass
path:sites databases password
shodan_api_key language:python
shodan_api_key language:shell
shodan_api_key language:json
shodan_api_key language:ruby
filename:shadow path:etc
filename:passwd path:etc
extension:avastlic "support.avast.com"
filename:dbeaver-data-sources.xml
filename:sftp-config.json
filename:.esmtprc password
extension:json googleusercontent client_secret
HOMEBREW_GITHUB_API_TOKEN language:shell
xoxp OR xoxb
.mlab.com password
filename:logins.json
filename:CCCam.cfg
msg nickserv identify filename:config
filename:settings.py SECRET_KEY
filename:secrets.yml password
filename:master.key path:config
filename:deployment-config.json
filename:.ftpconfig
filename:.remote-sync.json
filename:sftp.json path:.vscode
filename:WebServers.xml
filename:jupyter_notebook_config.json
"api_hash" "api_id"
"https://hooks.slack.com/services/"
filename:github-recovery-codes.txt
filename:gitlab-recovery-codes.txt
filename:discord_backup_codes.txt
extension:yaml cloud.redislabs.com
extension:json cloud.redislabs.com
DATADOG_API_KEY language:shell
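The SECRET_KEY example and the dork list above both come down to pattern matching on file names and file contents. The same patterns can be run locally before code is pushed, which is how a developer or security team stops these leaks before a dork ever finds them. The following scanner is an added example, not code from the original post; its RULES table, entropy threshold and SAMPLE_SOURCE are constructed, and the only real-looking value in the sample is the access key ID that AWS uses in its own documentation.

```python
"""Pre-commit secret scanner for the information-disclosure section above.
Example code added for this post, not from the original article: it runs the
kinds of checks the GitHub dorks express (private key blocks, AWS access key
IDs, Slack tokens and webhooks, Django SECRET_KEY and other hard-coded
passwords) over local files before they reach a repository. The RULES table,
the entropy threshold and SAMPLE_SOURCE are constructed."""
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# Constructed rule table: (name, regex, needs_entropy_check). Token-format
# rules (AWS, Slack, key headers) always report; assignment-shaped rules
# capture the value in group 1 and drop obvious placeholders.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    ("slack-token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"), False),
    ("slack-webhook", re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"), False),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), False),
    ("django-secret-key", re.compile(r"""SECRET_KEY\s*=\s*['"]([^'"]{16,})['"]"""), True),
    ("generic-password",
     re.compile(r"""(?i)\b(?:password|passwd|db_password|dbpasswd)['"]?\s*[=:]\s*['"]?([^'"\s,}]{6,})"""),
     True),
]
PLACEHOLDER_RE = re.compile(r"(?i)\$\{|^<.*>$|changeme|your[-_]|xxxx")

# Constructed sample file; every value in it is fake. AKIAIOSFODNN7EXAMPLE is
# the access key ID used in AWS documentation examples.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
DEBUG = False
SECRET_KEY = 'k9#v2p$w8r!m4q7z^a1x6c3e5n0b@j'
DATABASES = {'default': {'PASSWORD': 'changeme'}}
AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'
SLACK_BOT_TOKEN = 'xoxb-000000000000-000000000000-placeholdervalue'
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    """Keep a 4-character prefix so a finding is recognisable without re-leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx, needs_entropy in RULES:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if needs_entropy and (PLACEHOLDER_RE.search(value)
                                      or shannon_entropy(value) < min_entropy):
                    continue  # placeholder or dictionary-like value, not a secret
                findings.append((lineno, name, redact(value)))
    return findings


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on the constructed sample
        for lineno, rule, shown in scan_text(SAMPLE_SOURCE):
            print(f"sample:{lineno}: {rule}: {shown}")
        sys.exit(0)
    hits = [(p, *f) for p in paths for f in scan_file(p)]
    for p, lineno, rule, shown in hits:
        print(f"{p}:{lineno}: {rule}: {shown}")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit in a pre-commit hook
```

Run it with file paths to scan them (exit status 1 when anything is found, so it can sit in a pre-commit hook), or with no arguments to scan the constructed sample. The entropy and placeholder filters apply only to assignment-shaped rules, so a value like changeme is ignored while anything that matches a known token format is always reported for review.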
Now that you know how to identify subdomain takeovers and GitHub leaks, I assure you that the information provided here is more than enough to get started. All you have to do is choose an application and begin looking for these two issues. I will be hunting for the same two bugs and presenting my results in the next blog post, which will be published the day after tomorrow.
If I do not find any, we will move on to further information disclosure techniques, such as exposed JSON files and misconfigured S3 buckets, and then explore some more complex problems that are not as hard as they seem. Keep an eye out for more content.