Adventures Into The MeowCorp Bug Bounty Program

Introduction After hacking into a private program for a while now, I found some nice bugs, mostly through recon and chaining one clue after another. In this blog post, I'll discuss the same as well as my approach to finding them. Since I've signed an NDA with them, all references to the project and company are redacted. For the sake of this blog, I am going to refer to the project as MeowCorp project and their primary domain as  Findings #1 /.git/config file to root shell After running regular subdomain enumeration tools, I picked up some interesting subdomains. One of them was While performing content discovery on this subdomain, I found  git config file. Quickly I dumped the files from .git dir with GitTools  but it was all static CSS, JS files that were of no use. When I was about to close the terminal tab, I noticed that the git repo belonged to a personal GitHub profile.  The company has its own GitHub org profile but the reference to a p

Expanding the attack surface with Shodan's lesser known filter

I have been using Shodan extensively for bug bounty hunting lately and I found some neat tricks to expand the attack surface of the given target. There are many blogs and tutorials on "Shodan Recon" and most of them talk about the same filters - ssl,, org, ip, hostname, etc. but I have not seen anyone talk about this filter - all. So, I won't talk much about the basics of shodan and directly jump to the topic.  Shodan's regular search bar (without any filter) is not consistent and when you search for a keyword, it only looks for the "keyword" in<ip> BUT shodan's raw data (<ip>/raw) contains much more information or what I like to call it as "references" about the target. To find those references and juicy hosts, this "all" filter is very handy. I have been using this filter a lot and it has found many hosts that no other filter could find. The usage

Bugv CTF Writeup - Pwning Thawang Shield

The CTF is designed to pwn an imaginary organization Thawang Shield Security. The only information given to us is their domain - Starting with the domain, usual recon - directory bruteforcing, port scanning,  subdomain enumeration, etc. was done. It didn't give much information to proceed ahead so I started some OSINT on the org. Looking at the "Teams" section of the website, we can find three users. Flag #1 Checking the Facebook profile of Ojasini Shrees, a picture was found which we downloaded, checked its strings and the first flag was obtained. bugv_ctf{MjVFRXNDNWJWeVBBRW} Flag #2 After obtaining flag #1, there's also a link to the discord server The discord server has a bot that is vulnerable to simple SQL injection. Using the payload $get 1'or 1=1-- as an input for the bot, the flag is returned. bugv_ctf{M0Tlo1MkNBcWRwR1ND} Flag #3 While checking Github of Dexa Singh, a repo "for inte

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

I have been using this Crypto Exchange - for at least a year now. I didn't realize they also had a bug bounty program which was mentioned in their footer section. I was quite busy with my day job so I kept the details of the program in my todo.txt so I could check it out later. One night when I was having that itch of doing some bug bounties, I checked my todo.txt and decided to hunt bugs on I started by enumerating subdomains and probing for standard web ports (80/443). After obtaining a handful of URLs, I tried to visit them one by one and noticed a few of them were trying to redirect to another internal domain A quick whois on revealed that it also belonged to (admin email - so I enumerated the subdomains of this domain too. One of the subdomain was running Zabbix instance. I didn't have login credentials and common creds also didn't work but there was "Sign i

My OSCP Journey and PWK Course Review

Intro I signed up for the course with 60 Days of lab time on 27th Nov 2018 to start my labs from 9th Dec. During this period of  ~10 days, I also got VIP subscription of HackTheBox  to pwn some retired machines, solved a dozen of boot2root machines from vulnhub, read many privesc writeups and HTB walkthroughs, watched almost every video of ippsec  and prepared myself for the labs. Lab Days and the journey of learning I got the study materials (PDF + videos + lab connection) early in the morning and I was really excited about it so I just read about the network structure of the lab, watched some intro videos, and directly jumped into the lab. I was expecting the lab environment to be something like HTB with difficulty level, OS info, etc. but nothing was there. Only a list of IP addresses. At this point, I had to go back to pdf, watch more videos, read others' reviews to get some knowledge of how to get an initial foothold on the first subnet. I spent like 4 days more to go

DC-2 Walkthrough

I already got root on DC-1 machine  like 1 month ago, it was a nice box but I didn't had enough time to write about it so I thought of doing DC-2 machine by same author and write about it too :D . Though DC-2 is not available on vulnhub yet but you can download it from here . This machine has 5 flags in total and below is my walkthrough on how I found them :) As usual, I started the box by doing a quick nmap scan and it revealed port 80 only. Only port 80 open? This sounded fishy to me so I hit up arrow key, added -p option to previous command for full tcp port scan and now we can see port 7744 is also open. Since this port is used for SSH and no creds were provided, I went for HTTP service on port 80. On directly opening the ip address of the machine, I got redirected to dc-2/ so I quickly added an entry to /etc/hosts file with machine's ip address and its corresponding hostname. On opening dc-2/ on browser, an wordpress site was found. Welcome, what we