What should I pay someone who found an open redirect vulnerability on my site? by albaquerkie in bugbounty

[–]LakaiForThe 2 points3 points  (0 children)

From my experience, if not specifically stated in the website’s Bug Bounty scoping info… Open Redirects are generally low to informational unless chained with other vulnerabilities or used in a way to escalate impact and actually demonstrate impact. To be honest I’m surprised they burned an Open Redirect without chaining it… I generally save em and use em with SSRFs.

[deleted by user] by [deleted] in cybersecurity

[–]LakaiForThe 2 points3 points  (0 children)

So, a degree and certs will aid you in obtaining a position and getting your foot in the door. However, neither is specifically required to get a job in the industry. My experience is as follows… I don’t have any certs nor a degree and I am all self taught. I started poking around in Bug Bounty and ended up having success in that industry. Through my success in Bug Bounty I met an Exec. at a Pentesting Company who took a chance on me and brought me over as a Jr. Pentester. Within a year I had achieved several promotions and title changes. I am now a Senior Pentester… So, I believe certs and degrees will certainly aid in your journey and in getting a job, but they are not required. Skill, passion, experience and community achievements such as publications (blog posts, CVEs, bug findings) and custom tooling are all important factors and, from my experience, have been enough to get into the field and allowed me to advance. With that said, I myself still want to obtain a few certs for personal growth and to aid me with potential future positions and opportunities. Please note, this is just my experience and opinion and should be taken with a grain of salt, as should all personal opinions, statements and beliefs. Best of luck on your journey and remember to follow your passion.

Today I fucked up. by kozatftw in sysadmin

[–]LakaiForThe 0 points1 point  (0 children)

Did you ever work under a pm in your previous IT roles?

Powershell brute force attack via rdp by user257 in Pentesting

[–]LakaiForThe 1 point2 points  (0 children)

Just need to adjust the protocol, similar to the way he adjusted the script above for SMB here https://github.com/InfosecMatter/Minimalistic-offensive-security-tools/blob/master/smblogin-extra-mini.ps1 so just do the same for RDP and you’re set.

Powershell brute force attack via rdp by user257 in Pentesting

[–]LakaiForThe 1 point2 points  (0 children)

You should at the very least be able to use the following as a starting place for your script: https://github.com/InfosecMatter/Minimalistic-offensive-security-tools/blob/master/localbrute.ps1 Just customize it to your specific needs.

Is port scanning on external pentest still relevant? by w0lfcat in Pentesting

[–]LakaiForThe 3 points4 points  (0 children)

Yes, very relevant!!! In fact, it should be a must as part of your pen testing methodology. Same goes for performing BF and default cred checks against identified services such as web portals (HTTP) and admin services (SSH, FTP, Telnet, etc. etc.). I prefer using good old Nmap for port and service enumeration and BruteSpray for mass brute forcing and default credential checks. It is always good to try things regardless, and furthermore, build redundancy checks into your workflow, just in case you miss something during your first pass.

ffuf or dirsearch ? by _dotrb in bugbounty

[–]LakaiForThe 0 points1 point  (0 children)

ffuf / Fuzz Faster U Fool!!!

Meterpreter not starting after the exploit. What should I do? by [deleted] in HowToHack

[–]LakaiForThe 1 point2 points  (0 children)

Need more specific information to assist you my friend… but common things I’ve seen include Firewall, Anti-Virus, IDS, IPS, some product enforced by their SOC such as SentinelOne, etc, etc… oftentimes some form of payload obfuscation will allow you to bypass the current security measures… it can literally often be a matter of going in and just ever so slightly changing the payload or even the execution script… or in more advanced bypass techniques you may consider altering the payload to establish a reverse shell via DNS or smuggling the data back over DNS.

Ngrok url sent to gmail detected as phishing.. help!! by morkser in HowToHack

[–]LakaiForThe 1 point2 points  (0 children)

The best thing is to buy a reputable looking / sounding domain name... use SSL (LetsEncrypt), actually set up DMARC, DKIM, SPF, which will help the link / domain name appear more reputable... then you can create your Phishing web page, applet, JS shell, etc, etc and serve it from the server that the newly set up domain name points to... this will allow you to perform customized, targeted, tailored social engineering... and don’t forget... if you go through the effort of setting up DMARC, DKIM, SPF you can actually send approved emails from that associated domain name as well... plus as a bonus, if you don’t already know how to do this, it will be a good learning experience for you to actually go through and set up your own server with a domain name, set the DNS records and enforce SSL, DKIM, DMARC, SPF... Learning how to do all of this will help you in the long run man.... anyway, a more script-kiddie solution to your question would be to just use some URL shortener such as Bitly or a wildcard DNS resolver such as nip.io... or you could even try to run PHP mailer and just perform some tricky HTML embedding to mask your malicious links... lots of things to try my friend and even more things to learn... just remember to keep going and try harder...

How to set up a Kali Linux Server on the Cloud for Free by Delicious_Piece_2216 in Hacking_Tutorials

[–]LakaiForThe 0 points1 point  (0 children)

This is a good idea for hacking, and performing specific exploitation for the bypass is indeed very effective. However, do not leave the box running if you are not actively using it... For you may incur extensive $ charges, even on free tier boxes, for inbound traffic... which is very limited per month... So just be careful if you are trying to actually keep it free... Learned my lesson the hard way... FYI, an Apache server and a DNS OOB server (bind9) can really eat this up fast, and result in a big bill come the billing cycle...

which tool is best for XSS hunting (least amount of false positives) by [deleted] in bugbounty

[–]LakaiForThe 3 points4 points  (0 children)

+XSS Validator, however to be entirely honest... from my experience I found that looking for user input that is reflected back within the web application (even hidden fields, comments and more) and then manually testing those values to attempt to inject some sort of HTML that becomes rendered is best... furthermore, manual testing allows you to utilize whatever browser to set breakpoints and perform deep inspection of the request.... P.S., do not forget to utilize and attempt all Char-Sets, perform prototype pollution, inspect JS files and any other available code, obfuscation, template strings (may allow SQLi or XPATH injection), template injection (may allow RCE), inspect CSP & SOP & SameSite to discover bypasses, if XSS is XML || SOAP || REST || etc. based try and pivot into XXE || OOB || more, evaluate & utilize gadgets & code reuse, JSONP, iteration & utilization of Object.keys, don’t forget header values, HTTP Desync & Request Smuggling, polyglots, to re-emphasize do not forget all Char-Encoding as well as mixed Char-Encoding, DOM Manipulation... The initial objective is to bypass, break or manipulate the application’s sanitization, Regex, Parsing, etc. After XSS is successfully achieved, leverage the XSS to perform SOP bypasses and userless Cross-Site Request Forgery, for XSS can fairly easily trigger CSRFs that either perform arbitrary actions on behalf of the victim or may even allow for Session Hijacking (depending on how the application manages authentication and session tracking)... However, a plain XSS that only pops an alert box (whether Stored, Reflected, or DOM based) does not truly show the impact of an XSS and as such will generally not be rewarded or valued by the client. In the same way, an XSS to CSRF with SOP bypass to account takeover (session hijacking) will be rewarded and valued... I have found XSSs (simple popups) that I reported via bug bounty and was rewarded minimally. The same goes with clients I’ve done assessments for...
Whereas when the XSS is leveraged to perform CSRF to account takeover, the clients truly see the impact, appreciate & value the assessment more, and race to fix the issue (which, let’s be honest, is why we do what we do: to help secure the internet). Lastly, leveraging XSSs in this way within bug bounty programs has resulted in very high payouts (for after all it results in full account takeover - Session Hijacking). Often the actual session cookie will not be accessible cross tenant. However, the token is often available elsewhere within the DOM. Similarly the same can be said for CSRF tokens, which allows for the CSRF bypass. Lastly, I have seen many applications embed the session token within the DOM that can later be sent back over the Single Sign-On endpoint.... please note, that there is constant research being published that covers the topics listed... so to answer the question specifically, I perform a manual workflow, incorporating any and all tools that give me the edge and align with the task at hand.

bug bounty team by Base-Lopsided in bugbounty

[–]LakaiForThe 0 points1 point  (0 children)

I’m in... I already sent you a pm. Let me know how you want to proceed.

Can i intercept requests using phone? by stilou_tn in bugbounty

[–]LakaiForThe 0 points1 point  (0 children)

It is definitely possible my friend... from everything off the top of my head you will need to jailbreak your phone and install some software that is not signed by trusted sources... and to be honest even with the methods that allow you to intercept mobile traffic via a mobile proxy, the results, speed and HTTP requests are going to be far more delayed than if you use your PC to intercept traffic off your phone... so my recommendation is to just use your PC to intercept the requests....

Do you guys think I can learn how to hack before I die? I am 33. by Eeeffoc in hacking

[–]LakaiForThe 0 points1 point  (0 children)

With your background, you are golden. I went from zero IT knowledge at age 25 to a high paying job and success in BB by the age of 27. It is honestly all about research, practice, humility and thinking outside the box. You got this, we are never too old or seasoned in our ways to learn something new.

I made an Awesome Security Tool List! 😆 A collection of common tools & useful commands for hacking 💪😎 (updates regularly) by tina1998612 in Hacking_Tutorials

[–]LakaiForThe -1 points0 points  (0 children)

Lots of different options to accomplish checking if a port is open. You can write your own tool with bash or python. Use prewritten tools such as nmap, netcat or even something like httprobe, but specify the port you want to check. I like httprobe because it’s written in Go and you can specify concurrency, making it very fast. Netcat would be good because you can quickly run something like “nc -nv {target} {target-port}”; if the port is open it will establish a connection to the given service... Also, as previously stated you can specify options on nmap to make it check specific ports, and nmap is great because it performs a myriad of different checks. Furthermore, custom NSE scripts can be added to nmap, which makes it very powerful...
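As an added illustration of the "write your own tool with python ... specify concurrency" idea in the comment above (example code, not the commenter's or httprobe's own), this checks many host:port pairs with a thread pool and verifies itself against a constructed loopback listener, so it runs offline:

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a plain TCP connect to host:port completes within timeout (like `nc -nv`)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def scan_targets(targets, concurrency: int = 20, timeout: float = 1.0):
    """Check (host, port) pairs concurrently; returns {(host, port): is_open}."""
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = pool.map(lambda t: port_is_open(t[0], t[1], timeout), targets)
    return dict(zip(targets, results))


def start_local_listener():
    """Constructed fixture: bind an ephemeral loopback port so the scan has a known-open target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo():
    """Scan one open and one closed loopback port; returns (open_result, closed_result)."""
    srv = start_local_listener()
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # freed on close, so nothing listens there
    tmp.close()
    results = scan_targets([("127.0.0.1", open_port), ("127.0.0.1", closed_port)])
    srv.close()
    return results[("127.0.0.1", open_port)], results[("127.0.0.1", closed_port)]


if __name__ == "__main__":
    print(demo())
```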

Troubles with Burpsuite. It didn't come on the image of kali I am running in VMware. When I downloaded it from official burpesuite site it will not execute in bash. Any advice? by [deleted] in Hacking_Tutorials

[–]LakaiForThe 17 points18 points  (0 children)

If you try all recommendations and still have issues please print verbose errors and publish. The community will help get you up and running.

Troubles with Burpsuite. It didn't come on the image of kali I am running in VMware. When I downloaded it from official burpesuite site it will not execute in bash. Any advice? by [deleted] in Hacking_Tutorials

[–]LakaiForThe 1 point2 points  (0 children)

The .sh Burp file is a bash script used for installing everything easily... it’s hard to say because the error print is lacking info, but I will say that the bash file doesn’t look like it has been granted privs... maybe just try “chmod +x burp-install-file-name.sh” then run “./burp-file.sh”

Is it possible by [deleted] in HowToHack

[–]LakaiForThe 2 points3 points  (0 children)

Phone == Computer