How i got my first Letter of Appreciation + Hall of Fame

Rivek Raj Tamang ( RivuDon )
4 min readOct 10, 2024

--

How you can get yours too.

Letter of Recognition + Hall of Fame

Hi, I’m Rivek Raj Tamang (RivuDon), a Security Researcher, Bug Hunter, and an Ethical Hacker currently persuing Master’s in Cybersecurity.

Here’s how I earned my first Letter of Appreciation and a Hall Of Fame.

Feel free to connect and get in touch with me, you can find out more about me on my linkedin, I am active there.

So, let’s start with another tale of how i got my first Letter of Appreciation, and a Hall of Fame. This one was a true test to Patience, Persistence, Determination and Hardwork. Eventually i persevered and was fruitful.

The Hunt Begins

The hunt begins

I put my hacking hat on, selected a target and set out to find bugs and vulnerabilities.

My target was drexel.edu they not only provide a Letter of Recognition but also Hall of Fame recognition in their website.

Drexel.edu Bug Bounty Program

Like any bug hunter I did the usual Recon, Information Gathering and collected Subdomains.

After collecting several subdomains, I began my hunt.

While going through several subdomains i found out that they were using Wordpress a lot. I initially did not have any clue on how to hunt on Wordpress so I started researching, simultaneously. The first thing I found out was Directory Listing enabled so i used some basic dorks like

site:*.drexel.edu inurl:index of/

But I had no luck.

Unlucky

So I learnt about another bug which was the Author Name disclosure via the REST API.

To find it just go to any website having wordpress and go to this directory

target.com/wp-json/wp/v2/users

This will list the author name and sometimes PII information as well, if you’re lucky.

So I finally found something, I was able to access the Authors name and get a list of several authors with their email.

I quickly made a report on it, attached Video POC, Screenshot, and all the essential ingredients of a good report and hit the send button. I was hoping for the best.

Excited for their response

The Battle of Hunting begins

Afer a week of waiting excitedly for the response I finally got an email. Which was …

A dreadful duplicate.
Literally how a Duplicate submission feels like

But I was determined, as I told earlier that a lot of subdomains were using wordpress, that meant I could easily replicate the same and report it. And I did that exactly. I reported again. Waited for a few more days and guess what was the response ?

Me literally after receiving so many Duplicates

Duplicate again !

I then decided I will find out more about how I can exploit Wordpress so I went all in, read tons of articles, read reports and watched a lot of POC videos on Wordpress exploits and vulnerabilities.

So much so I can now literally Give a masterclass on Wordpress, I have few tricks and tips up my sleeves.

*Do contact me if you really want to learn it as well.*

Anyway In short I reported a whopping 22 number of Bug Reports.

Shocking right ?

But for me It felt like a battle I had to keep going on until I was successful and I was very determined to get the letter and Hall of Fame.

The Outcome

The success of persistence and determination.

Finally after countless numbers of Duplicates, I was even reporting 2–3 reports per day. Eventually after literally 3–4 weeks of reporting and getting their responses of Duplicates I finally received an email which had …

Finally a hit!
Happy Dance

I received 5 Valid Bug confirmations on bugs like

  • xmlrpc.php file enabled and exploitation
  • Wp-cron.php file enabled and exploitation
  • Server version disclosure and Security Misconfigurations

Note: I will be writing a detailed writeup on Wordpress Exploitation and Vulnerabilities. So stay tuned.

I was extremely relieved to see the response after so many duplicates.

Then after a few days I got an email from their CISO which was titled “Bug bounty Letter of Appreciation” and My name was added to their Hall of Fame.

Letter of Aprreciation.
Hall of Fame https://drexel.edu/it/security/services-processes/bug-bounty/

Until Next time

To all the people out there, I want you to push past yourself to bring out the best of your abilities. Had i stopped after getting duplicates I would have never received the letter nor the Hall of Fame, Yet I choose to be determined and be persistent, If I can do it. You can too.

“Our greatest glory is not in never falling, but in rising every time we fall.” — Confucius

Stay tuned with me on my bug bounty journey, and don’t hesitate to reach out for advice or collaboration!. I will be writing more in the future for sure and sharing my findings, tips and tricks to contribute to the community i learn from everyday.

We also have a community of 100+ hackers and bug bounty hunters on whatsapp feel free to join: https://chat.whatsapp.com/DD3NTchIGlF9Fg1tRMSpPs

Feel Free to connect with me on linkedin: https://www.linkedin.com/in/rivektamang/

Also don’t forget to follow me and turn on the notifications to get notified about my next writeup.

Support me to write more content like this by buying me a coffee at buymeacoffee.com/RivuDon

Thank you ❤

--

--

Rivek Raj Tamang ( RivuDon )
Rivek Raj Tamang ( RivuDon )

Written by Rivek Raj Tamang ( RivuDon )

Cyber Security | Ethical Hacker | Tech | Lifestyle LinkedIn: @RivekRajTamang

Responses (2)