I’m DarkieDuck, I am from the Netherlands and I have been hacking for the last 15 years or so. I started getting into hacking pretty soon after getting my first PC, being curious how everything works and trying to break things of course, also the movie Hackers might have had some influence in this ;)
I have known about bug bounties for a while but never started doing it myself until I decided to jump onboard around a year ago. I am mostly active on Bugcrowd.
At the moment bug bounties are a hobby but I am considering switching to full-time. Depending on how the situation is at my work I try to spend around 1-2hrs a day on bug bounties and a bit more in the weekends.
Around 1-2hrs a day. Again this depends on my job but I try to submit 20-30 bugs a month.
Not very long at all, I believe it was within my first month that I found a P1 bug on a public program on Bugcrowd.
Unfortunately I can’t really go into too much detail about this because of policies. My first high impact bug was pretty interesting. I found an LFI but there was a WAF in place that kept me from accessing anything decent. Then I found out that I could actually read the /etc/motd which contained instructions on how to recover the server in case of disaster. These instructions led to a “/path/serverbackup.tar.gz” file that contained a full server backup which I could access with the LFI.
About a year ago I started getting into it for the sake of learning/keeping up. After I found my first major bug I got a big motivation boost to find more and more bugs.
As for problems, I think most hunters have this problem and that’s getting burned out. It can be pretty overwhelming and after not finding a bug for weeks you start to lose motivation also. It’s best to just take a break if you reach that point.
I used to read some mailing lists but most of them aren’t active anymore. I would say my main source for information these days is Twitter/IRC/Slack.
No, not really, it’s somewhat difficult because I mainly work on private programs and I can’t really share any details about that with others.
This really depends on the scope but let’s say it’s a *.domain.com scope.
After that’s done we’ve got a pretty nice list of things we can access within the scope, this is when the manual testing starts. Then I visit each website I found to see what it is running and try out as many functions as I can on it. I gather as many endpoints as I can find and start poking at them.
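A small helper for the step described above: before poking at the list of hosts, check each one against the program’s wildcard scope so that only in-scope targets get manual testing. This is an added example, not the interviewee’s own tooling; the scope entries and hostnames (domain.com, other.com) are constructed placeholders, and the `include_apex` switch is an assumption about whether a program’s `*.domain.com` entry also covers the bare apex, which differs per program and should be checked in the brief.

```python
"""Filter discovered hosts against a wildcard bug bounty scope (added example)."""
from urllib.parse import urlsplit


def normalise_host(target: str) -> str:
    """Reduce a URL, host:port or bare hostname to a lowercase hostname."""
    target = target.strip().lower()
    if "://" not in target:
        target = "//" + target          # let urlsplit parse it as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")


def in_scope(target: str, scope: list[str], include_apex: bool = False) -> bool:
    """True if target matches an exact host or a '*.apex' wildcard in scope.

    The wildcard match requires a literal '.apex' suffix, so 'notdomain.com'
    never matches '*.domain.com'. Whether the apex itself is in scope is a
    per-program decision, hence the explicit include_apex flag (assumption).
    """
    host = normalise_host(target)
    if not host:
        return False
    for entry in scope:
        entry = entry.strip().lower().rstrip(".")
        if entry.startswith("*."):
            apex = entry[2:]
            if host.endswith("." + apex):
                return True
            if include_apex and host == apex:
                return True
        elif host == entry:
            return True
    return False


def filter_scope(targets, scope, include_apex: bool = False) -> list[str]:
    """Return the unique, normalised in-scope hostnames in input order."""
    seen: set[str] = set()
    result: list[str] = []
    for t in targets:
        host = normalise_host(t)
        if host and host not in seen and in_scope(host, scope, include_apex):
            seen.add(host)
            result.append(host)
    return result


if __name__ == "__main__":
    # Constructed sample data, mimicking a subdomain enumeration result.
    SCOPE = ["*.domain.com", "api.other.com"]
    FOUND = [
        "https://www.domain.com/login",
        "a.b.domain.com",
        "notdomain.com",
        "domain.com",
        "API.OTHER.COM:443",
        "dev.other.com",
        "www.domain.com",
    ]
    for h in filter_scope(FOUND, SCOPE):
        print("in scope:", h)
```

Run it as a script to see the filtered list, or import `filter_scope` and feed it the output of whatever enumeration tool you use.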
Make sure you keep some kind of documentation for yourself where you store any interesting requests you have come across, especially the ones you don’t understand yet. I just keep all interesting GET and POST requests in a text file because Burp has crashed on me a bit too often and I lost all this information. The longer you spend on an application the better your understanding of it will become and these requests you saved earlier might be useful.
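The plain text file approach described above scales better with a little indexing: once you have a few hundred saved requests it helps to know which endpoints and parameter names you have already seen. This added example (not the interviewee’s script) parses raw HTTP requests saved in a text file, separated by a constructed `=====` delimiter line, and builds an index of method, host and path to the parameter names seen in the query string, form body or JSON body. The sample requests and host `app.example.com` are constructed.

```python
"""Index saved raw HTTP requests by endpoint and parameter names (added example)."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a notes file: raw requests separated by a '=====' line.
SAVED_REQUESTS = """GET /api/v1/users?id=42&expand=profile HTTP/1.1
Host: app.example.com
Cookie: session=REDACTED

=====
POST /api/v1/users/42 HTTP/1.1
Host: app.example.com
Content-Type: application/x-www-form-urlencoded

role=admin&email=x%40example.com
=====
POST /api/v1/export HTTP/1.1
Host: app.example.com
Content-Type: application/json

{"format": "csv", "filter": {"since": "2020-01-01"}}
=====
GET /api/v1/users?id=7 HTTP/1.1
Host: app.example.com
"""

DELIMITER = "====="


def _flatten_keys(obj, prefix=""):
    """Yield dotted key paths for nested JSON objects (e.g. 'filter.since')."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else str(k)
            if isinstance(v, dict):
                yield from _flatten_keys(v, path)
            else:
                yield path


def parse_request(raw: str) -> dict:
    """Parse one raw HTTP request into method, host, path and parameter names."""
    raw = raw.strip().replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target = lines[0].split()[:2]          # request line: METHOD target [version]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = set(parse_qs(parts.query, keep_blank_values=True))
    content_type = headers.get("content-type", "")
    body = body.strip()
    if body:
        if "json" in content_type:
            try:
                params.update(_flatten_keys(json.loads(body)))
            except ValueError:
                pass                                 # malformed JSON: keep query params only
        else:
            params.update(parse_qs(body, keep_blank_values=True))
    return {
        "method": method.upper(),
        "host": headers.get("host", ""),
        "path": parts.path,
        "params": params,
    }


def build_index(text: str) -> dict:
    """Map (method, host, path) to the sorted set of parameter names seen."""
    index: dict = {}
    for chunk in text.split(DELIMITER):
        if not chunk.strip():
            continue
        req = parse_request(chunk)
        key = (req["method"], req["host"], req["path"])
        index.setdefault(key, set()).update(req["params"])
    return {k: sorted(v) for k, v in index.items()}


if __name__ == "__main__":
    for (method, host, path), names in sorted(build_index(SAVED_REQUESTS).items()):
        print(f"{method:5} {host}{path}  params={names}")
```

Two requests to the same endpoint with different parameters collapse into one entry, so a quick scan of the index shows which endpoints take parameters you have not exercised yet.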
No, I only look for P3 or above based on the Bugcrowd VRT.
Most tools I use are mentioned above. I also use sqlmap for SQL injection of course.
For Burp extensions I use the following:
- Authmatrix: Great for testing authorization with different roles
- Backslash Power Scanner: For detecting possible server side injection points
- Error Message Checks: Will keep track of any errors that the server might have given you, sometimes you might miss an error if it’s commented out but this extension will still find it
- Java Deserialization Scanner: Used for handling deserialization in Java applications
- Reflected Parameters: Keeps track of parameters that got reflected back
- Wsdler: Can read WSDL files and make SOAP requests based on that
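The point about the Error Message Checks extension is that a server error hidden inside an HTML comment still reaches the client even though it never renders, so a check that only looks at visible text will miss it. The following added example (not the extension’s code and not the interviewee’s) shows the idea in a few lines: a handful of well-known error signatures are searched both in the visible body and inside `<!-- -->` comments, and each finding reports where it was seen. The sample response bodies are constructed; the signature list is a small illustrative set, not an exhaustive one.

```python
"""Find server error strings in a response, including inside HTML comments (added example)."""
import re

# A small illustrative set of error signatures; real checkers carry many more.
ERROR_SIGNATURES = {
    "mysql": re.compile(r"You have an error in your SQL syntax|mysql_fetch_array\(", re.I),
    "mssql": re.compile(r"Unclosed quotation mark after the character string", re.I),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "php": re.compile(r"<b>(Warning|Fatal error|Notice)</b>:|Warning: include\(", re.I),
    "python": re.compile(r"Traceback \(most recent call last\)"),
    "java": re.compile(r"java\.lang\.\w+Exception|at [\w.$]+\(\w+\.java:\d+\)"),
}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def find_error_leaks(body: str) -> list[tuple[str, str]]:
    """Return (signature name, location) pairs; location is 'visible' or 'html-comment'.

    Comments are cut out of the body before the visible scan so a signature
    that appears only in a comment is reported once, with the right location.
    """
    comments = COMMENT_RE.findall(body)
    visible = COMMENT_RE.sub(" ", body)
    findings = []
    for name, pattern in ERROR_SIGNATURES.items():
        if pattern.search(visible):
            findings.append((name, "visible"))
        if any(pattern.search(c) for c in comments):
            findings.append((name, "html-comment"))
    return findings


# Constructed sample responses: one with the error commented out, one with it visible,
# one clean.
COMMENTED_OUT = """<html><body><h1>Search results</h1><p>No results.</p>
<!-- DEBUG: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax near ''' at line 1 -->
</body></html>"""

VISIBLE = """<html><body>
<b>Warning</b>: include(config.php): failed to open stream in <b>/var/www/index.php</b>
<!-- ORA-00933: SQL command not properly ended -->
</body></html>"""

CLEAN = "<html><body><p>Welcome back.</p><!-- build 1234 --></body></html>"


if __name__ == "__main__":
    for label, body in (("commented", COMMENTED_OUT), ("visible", VISIBLE), ("clean", CLEAN)):
        print(label, "->", find_error_leaks(body))
```

Running the same check over proxied responses, rather than only eyeballing the rendered page, is what makes the commented-out case show up.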
I don’t think there is a one way solution to test for this. The most important thing is you need to figure out why an application is responding in a certain way. For SQLi it’s also important that you try and think of how the SQL query will look within the application and how you could abuse that. For RCE you can of course try the ones that are known like ImageTragick, template injections, XXE.
It all depends on what the application is made of: which language is used? Which framework? Read up on these different aspects and one day you will find an RCE.
This happens pretty often, I like to go back to some old programs every once in a while. Code gets changed all the time and not many people look at older programs.
Yes it does, having a basic understanding of what is happening behind the application you are trying to hack is a big help.
Depending on my mood of course, but when hacking I like to listen to some Chillstep Selection/Collection, Trap Nation or a lot of Nightcore (mix). When not hacking I can listen to the most random playlists.
I like to play squash, play videogames or watch some series.
Pretty big impact financially. Skill wise it keeps me sharp.
Not bug bounty related but in short: RTFM
Hardware hacking for sure, I plan to learn more about this once our days are 40 hours long instead of the 24 we got now.
Cheese of course.
Besides some very long waiting times on a few programs, I had one program with a limited scope where they wanted us to test only one application. I found a pretty bad bug in the login process and it was marked out of scope by them because the login process wasn’t part of the application, they said.
The legend from Congo aka mongo
I guess some kind of feedback option would be nice.
Notepad++