How I got my first bounty of $$$
How you can get yours too.
Hi, I’m Rivek Raj Tamang (RivuDon), a Security Researcher, Bug Hunter and Ethical Hacker currently pursuing a Master’s in Cybersecurity, and here’s how I earned my first Bug Bounty of $$$.
Feel free to connect and get in touch with me; you can find out more about me on my LinkedIn, where I am active.
So, let’s start the tale of how I got my first bounty of $$$, a huge amount for a first-ever bounty. I had never thought I would get that much; I had thought my first bounty would be something like $10, $50 or $100, but I guess I was wrong. This was a true surprise, as I had no clue whether I would be getting a bounty or not.
The Hunt
I initially set myself the goal of finding bugs and vulnerabilities in websites for the sole purpose of learning, researching and gaining experience. With that in mind, I had set a goal of getting a number of Hall of Fame entries first.
*If you want to get your first Hall of Fame, read here.*
So I had collected a bunch of private programs via Google Dorking that have a VDP (Vulnerability Disclosure Program) or RDP (Responsible Disclosure Program), which provides Hall of Fame recognition for finding bugs.
One of them was this target. I cannot disclose the target name, so let us call it “bugsbunny.com” for reference.
The Hunt Begins
I had my target “bugsbunny.com” ready, with a special note that this target was in another language, Dutch. So, like any other bug hunter, I did my usual reconnaissance: found subdomains, ran some nuclei templates and did other basic bug hunting things, and I found nothing interesting or juicy.
So it was time for manual testing. I have my own checklist, and I suggest each bug hunter create their own; you can definitely get inspiration from other people’s checklists, but creating and using your own is the way to go for the long run.
I tried several vulnerabilities from my checklist, and it was a dead end.
Or was it?
I then found a subdomain of the main domain, for example chat.bugsbunny.com. When I opened the site, a chatbox appeared.
So I tried the first thing, HTML injection, and checked whether it reflected or not, which it did not. The chatbot support had no option to upload either, and the difficult part was that it was not in English.
Like any other chatbot, it uses a few commands to contact live support for user interaction, so an idea hit me.
Let us use Google Translate to chat with the bot and see how it goes.
I have seen a few chatbots that let us upload an image if there is a problem with the product or something of that sort, so I wrote in the chat
“I have a problem please help me” in Dutch.
The bot asked me for my email, to which I gave a temp email, “xyz.@gmail.com”.
To which I replied back
“I have a problem with a product, please check this image”
and, surprisingly, a new upload feature popped up in the chatbox out of nowhere.
I was trying to upload an image to check for EXIF metadata exposure. The image upload feature had popped up and I was very happy; I uploaded the image and checked whether the metadata was exposed or not, and it was not!
All that trouble for nothing 😫.
But I wanted to see and test out a few things, so I tried uploading the image again. I was able to upload the image three times, and after that I was not.
But this was only on the client side. Let me check what is happening on the backend, so I fired up my Burp Suite and tried to upload it again.
I retried uploading the same image and was still not able to upload after the third time. So I thought of changing the last letter of the image’s name n times so that the system would take the image as a new image.
For example, Mando.jpg would now be Mando1.jpg, Mando2.jpg … and so on.
So I tried to upload again, and I was able to bypass the three-upload limit; all the images were uploaded with a 200 OK status code.
I was like, we hit something really cool.
This is known as a No-Rate Limit vulnerability.
A No-Rate Limit vulnerability allows users to send unlimited requests, which can lead to system overload and security issues. In my case, it let me upload multiple images without restriction.
In my case, the No-Rate Limit vulnerability was in the hidden image upload feature.
This could exhaust the organization’s storage by overloading the server with a large number of images. A person should only be able to upload a limited number of images, but in my case there was no limit, so I exploited the feature “for ethical reasons and proof of concept”. Remember, this was just to confirm the vulnerability so that I could report it and help secure them.
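As an added example (not code from the original post or the target), here is the kind of server-side check that lets a rename slip through, beside the corrected one. It assumes the three-upload cap was keyed on the file name, which the post does not confirm; the limiter classes, the session id and the Mando*.jpg sequence are constructed for illustration.

```python
# Added example, not code from the original post. It assumes (the post does
# not say how the limit was implemented) that the 3-upload cap was tracked per
# file name, which is why renaming Mando.jpg to Mando1.jpg, Mando2.jpg ...
# slipped past it. The fix is to key the cap on the chat session / identity.
from collections import defaultdict

MAX_UPLOADS = 3  # the per-conversation cap the post describes


class FilenameKeyedLimiter:
    """Weak: counts uploads per file name, so any new name resets the count."""

    def __init__(self):
        self.counts = defaultdict(int)

    def allow(self, session_id, filename):
        if self.counts[filename] >= MAX_UPLOADS:
            return False
        self.counts[filename] += 1
        return True


class SessionKeyedLimiter:
    """Hardened: counts uploads per server-side session, whatever the client
    names the file. Enforced on the backend, not in the chat widget's JS."""

    def __init__(self):
        self.counts = defaultdict(int)

    def allow(self, session_id, filename):
        if self.counts[session_id] >= MAX_UPLOADS:
            return False
        self.counts[session_id] += 1
        return True


def simulate(limiter, session_id="chat-session-42", attempts=6):
    """Replay the rename sequence from the post against a limiter and return
    how many uploads it accepted. Constructed input: Mando.jpg, Mando1.jpg, ..."""
    accepted = 0
    for i in range(attempts):
        name = "Mando.jpg" if i == 0 else f"Mando{i}.jpg"
        if limiter.allow(session_id, name):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("filename-keyed accepted:", simulate(FilenameKeyedLimiter()))  # 6
    print("session-keyed accepted:", simulate(SessionKeyedLimiter()))    # 3
```

The same per-session key is what a storage quota or time-window rate limit should hang off; anything the client controls (file name, content hash, a hidden form field) is not a safe key.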
Reporting my Finding
After successfully exploiting and confirming the vulnerability, it was time to report my findings with a proper and detailed bug report.
I wrote all the key elements of a good bug report, i.e. Description, Steps to Reproduce, Impact, Remediation, Video PoC, Screenshots, my intro and outro, and hit the send button.
Now it was time for their end to reach back to me with their reply: whether my findings were valid or not, whether it was an out-of-scope vulnerability, etc.
Finally, after a few days, I got a reply …
I was shocked to see that they would like to invite me to their Bug Bounty Program and possibly be rewarded in the future.
I was happy but, wait .. what about my current bug report? Will I get rewarded or not?
So we went back and forth over email. I asked for the status of the bug, but they did not answer me on that; instead, I was invited to their private Bug Bounty Program on HackerOne.
The Mind-Blowing conclusion
I then asked again about the status of the bug report,
to which I got a reply of:
As you can see, I was to simply report my findings on HackerOne. For folks who do not know what HackerOne is:
HackerOne is a platform that connects companies with ethical hackers to find and fix security vulnerabilities. Hackers report bugs, and organizations reward them for their findings. It's a popular platform for improving cybersecurity through crowd-sourced testing.
In short, it’s the number one platform where hackers hack and earn money. A huge ton of money if you’re good at it.
I had no plan to jump into HackerOne, as I told you; my only intention for now was to collect some Hall of Fame entries and learn more to get better for the long run, but somehow, someone had other plans for me.
So I immediately started writing a report on HackerOne, and it was my first report. I was hoping I could get my first bounty. I hit the send button and slept for the night.
I went out to the gym and returned home; after freshening up, I sat at my computer and saw that I had received an email saying:
This bounty and achievement mark my place in the bug bounty hunting community. I plan to continue working hard, learning, researching, securing and sharing with the community as much as possible.
For everyone out there who faces doubts or setbacks, remember:
“Believe in yourself, because if you do not, who else will?”
Keep working hard, and eventually it will definitely bear fruit.
Link to my LinkedIn post regarding the same.
Stay tuned for more tips and tricks from my bug bounty journey, and don’t hesitate to reach out for advice or collaboration! I will be writing more in the future for sure and sharing my findings, tips and tricks to contribute to the community I learn from every day.
We also have a community of hackers and bug bounty hunters in a WhatsApp group; feel free to join: https://chat.whatsapp.com/DD3NTchIGlF9Fg1tRMSpPs
Feel free to connect with me on LinkedIn: https://www.linkedin.com/in/rivektamang/
Support me in writing more content like this by buying me a coffee at buymeacoffee.com/RivuDon