Daniel Dusek dusekdan

Description

Announcement: https://www.hackerone.com/blog/Jackpot-h1-702-2018-CTF-here-Win-Trip-Biggest-Live-hacking-Event-2018
CTF: https://h1-702-2018.h1ctf.com/

Web challenge 1

The first challenge was available at http://159.203.178.9. The root page introduces a hidden service that allows to securely store notes. The goal is to find a flag hidden in one of these notes.

Finding the service

Python zipapp web apps

What's a zipapp?

This concept is very much like .jar or .war archives in Java.

NOTE: The built .pyz zipapp can run on both Python 2 & 3 but you can only build .pyz zipapps with Python 3.5 or later.

Initial setup

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output

Bug Bounty FAQ

A list of questions that bounty hunters frequently DM me about. 😄

How do I get started with bug bounty hunting? How do I improve my skills?

I have a simple philosophy that I share with everyone:

Learn to make it. Then break it!
Read books. Lots of books.

	SHELL=/bin/sh
	PATH=/usr/bin

	# m h dom mon dow command
	50 * * * * XDG_RUNTIME_DIR=/run/user/$(id -u) notify-send "Rest break!" "Stand up, stretch and relax"

	#! /usr/bin/python3
	import webbrowser, sys

	if len(sys.argv) < 3:
	print("Usage: openinbrowser.py ./urls.txt 20")
	quit()

	f = open(sys.argv[1])
	tabs = int(sys.argv[2])
	counter = 1

	package main

	import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
	"time"
	)

	#!/bin/bash

	# Variables
	BOLD='\033[1m'
	END='\033[0m'

	# Queries
	site_results=$(curl -Ls "https://www.reddit.com/search?q=site%3A$1" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" \| tidy -q 2> /dev/null \| grep "search-link")
	url_results=$(curl -Ls "https://www.reddit.com/search?q=url%3A$1" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" \| tidy -q 2> /dev/null \| grep "search-link")
	self_results=$(curl -Ls "https://www.reddit.com/search?q=selftext%3A$1" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" \| grep "search-title")

	#!/bin/bash

	echo "*** Running..."

	keywords=(
	"password"
	"key"
	"passwd"
	"secret"
	)

	-----BEGIN PGP PUBLIC KEY BLOCK-----

	mQINBFhrJiwBEADCAf2/KIky7iVU+OnU16vXs9yewnevPCkKTNwWfcPbmxGGiN/n
	DAAUOxJ62XiXC5MKVThr2od9kl/VtBI9IYtAqXCQ/hA9yTUJ47/ZcM55RQqyiwjP
	DWjZXzp5V2P+/Ny3nyST1Z7/kH6GlFZ6+nPOkeQSQyYjwqPqwz2UZL0h+rZHTlzE
	edGlilStHFOuwdqfsDZtb0qGaXT7AN1BPmn9ulzNG/8lcssIGio3/xLJ5fLCfoqx
	Qb0iZPtiOCiPSJwM484a8JgHrwmsoBlOJmJ6tZc9HohU4OFgZyCwnxE0fTcNvuDt
	+JDCNCumpoa8/6x7U0eIg2ghJ9EDRliy1O5VxHLttOz/I+1guEedk/EcOx/5Q1Zz
	BPdJuBrB2ryJ1GDEJi+Cy3MCI48VTc3/4toGarGyH/gaVWOfFt1QJAaXPPFkij5Y
	egfAy6yQYY0uYGml65VK0QdsRuZESjAYkXcUpdOiGdrUp77JwgNEuMmBZ7Q1d3jn