mehdisadir
Apr 25, 11 tweets, 4 min read
🧵NEW THREAD🧵
Here is how I was able to take over the whole company's AWS infrastructure in under 10 min after a new asset launch at a @Hacker0x01 private program.
1. I was invited in the morning to a private program at H1, and the program updated the scope in the evening, so I decided to take a look to see if there was something to hack.
2. I visited the main website in scope, and to my surprise, and thanks to the @trufflesec Chrome extension TruffleHog, which can be found here: chrome.google.com/webstore/detai…
This extension is mandatory for every bug hunter, pentester, etc. It works in the background, scans every JS file for every website you visit, and alerts you if any credentials are found. Check out more info at their website: github.com/trufflesecurit… ...
3. I got the popup that contains the AWS access and secret keys, and then used enumerate-iam.py, found here: github.com/andresriancho/…, which gives me all privileges related to the keys I found.
4. The found keys had limited privileges, such as listing S3 buckets and Lambda functions.
5. I listed the Lambda functions, and while I was scrolling my terminal, I found another set of AWS keys that were used as environment variable creds.
6. I then used enumerate-iam.py again, and this was the jackpot! The keys found had root privilege on the AWS account of the company running the BB program.
7. I added this finding as a comment to my first report, and the same day my report was triaged and paid $2000, the maximum payout for a Critical finding in the program.
Note: Install the TruffleHog browser extension, which will help you automatically scan any JS file even if you are not in the hacking mood!
Also read JS files manually if you are not willing to install the extension, because developers sometimes forget their environment variables in JS...
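The two weak spots the thread describes, static AWS keys shipped in a public JS bundle and static keys stored as Lambda environment variables, are both things a defender can check for in their own assets. The following is an added example, not the author's tooling or TruffleHog's code: it scans JS text for AWS access key IDs and secret-key assignments and flags Lambda environment variables that look like credentials. The sample JS and environment dictionary are constructed and use the well-known AWS documentation example key pair.

```python
import re
from typing import Dict, List, Tuple

# Long-term AWS access key IDs start with AKIA (ASIA for temporary keys): 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-alphabet chars, usually assigned to a property
# or variable whose name contains "secret" (e.g. secretAccessKey: "...").
SECRET_RE = re.compile(
    r"[A-Za-z_]*secret[A-Za-z_]*\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]", re.I
)
# Environment variable names that should never carry a static credential; the
# fix is an IAM execution role or Secrets Manager, not a plaintext env var.
SENSITIVE_NAME_RE = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|ACCESS_KEY", re.I)


def find_aws_keys(js_text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings for AWS credentials embedded in JS source."""
    found = [("access_key_id", m.group(0)) for m in ACCESS_KEY_RE.finditer(js_text)]
    found += [("secret_access_key", m.group(1)) for m in SECRET_RE.finditer(js_text)]
    return found


def audit_lambda_env(env: Dict[str, str]) -> List[str]:
    """Return names of Lambda env vars whose name or value looks like a static credential."""
    flagged = [name for name, value in env.items()
               if ACCESS_KEY_RE.search(value) or SENSITIVE_NAME_RE.search(name)]
    return sorted(flagged)


# Constructed sample: a bundled JS file that ships the AWS docs' example key pair.
JS_SAMPLE = '''
const s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "us-east-1",
});
'''

# Constructed sample: Environment.Variables of a Lambda function configuration.
LAMBDA_ENV_SAMPLE = {
    "TABLE_NAME": "orders",
    "AWS_ACCESS_KEY_ID_OVERRIDE": "AKIAIOSFODNN7EXAMPLE",
    "DB_PASSWORD": "hunter2",
}

if __name__ == "__main__":
    for kind, value in find_aws_keys(JS_SAMPLE):
        print(f"JS bundle: {kind} = {value[:4]}...")   # print only a prefix, never the full secret
    print("Lambda env vars to move out of plaintext:", audit_lambda_env(LAMBDA_ENV_SAMPLE))
```

Run `audit_lambda_env` over the output of `aws lambda get-function-configuration` for each function, and `find_aws_keys` over your deployed JS bundles in CI, so a key like the one in the thread is caught before it is published.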