You can find easy critical vulnerabilities.

It just takes finding unique attack surfaces.

Here's an example of how you can, using a story of how I hacked a car company: 1/ I went to Shodan (or easy searching with )

Searched for my target with the filter:

> ssl.cert.subject\.cn:*.example[.]com

I found a server with a certificate for:

*.apps.███\.com

If I see wildcards, I think that the server is an ingress endpointcerts.io

I've made $500k+ from SSRF vulnerabilities.

Here are my tricks: 1. Try other URL schemes:

• file:// (file read)
• netdoc:// (file read)
• dict://
• gopher://
• jar://
• ldap://
• and more!

You might be able to get file read.

Or send multi-line requests to gain additional impact

(Ex: gopher + redis = likely RCE)

I hacked a car company.

Here's how I gained access to hundreds of their codebases. 1. This company ran a bug bounty program.

I came across a web server that responded with:

> 404 Not Found: Requested route ('example.apps.███.com')

I hacked the military.

A system containing the information of military personnel.

Yet, the hack was done legally.

Here's how I did it and how it was done legally: 1. I came across an Army server running ASP .NET

The application was a Learning Management System (LMS).

If you’ve been in school in the past 10-15 years, you’ve likely used one: Moodle, Canvas, D2L, Blackboard, etc.

This LMS allowed anonymous registration.

So I registered!

I hacked a car company last year.

I found a way to steal every customer's

• Name
• Email address
• Phone number
• Address

Here's how I did it: 1. I started with reconnaisance:

- Subdomain enumeration to find the company's subdomains.
- HTTP server probing to see what's online

$ subfinder -d example[dot]com | httpx -o target.httpx

I came across a webserver running IIS:

hxxps://installersupport.██████.com/

I hacked a large company (70k+ employees) through social engineering. Legally of course.

• I set up the infrastructure
• Scraped names & emails with LinkedIn
• Sent 200 phishing emails.

I had access to their AWS console within 2 minutes.

And much more: 1/ I used Evilnginx2 to bypass MFA (Okta & Duo)

From Okta, I could access Outlook, Sharepoint, Github, & many more services on behalf of the 50+ employees that fell for the phish.

I was blown away by how easy it was to pull off this "hack" that could've impacted 60M+ people.

My favorite hacking stories of 2022: 1/ Hacking a Trans-Atlantic cable.

https://twitter.com/hacker_/status/1512552850831851531

I hacked a phone company earlier last year.

I found a stupidly simple way to view the call logs of 50M customers.

Here's how I did it: 1/ I've been in this bug bounty program for quite some time.

I previously bought a phone plan so I could login and test functionality as an authenticated user.

In the dashboard, there was a tab to view your call logs.

I hacked a gaming company this year.

Here's how I did it: 1/ The scope of this program was *.███.com

With a wildcard, basic recon is:

Subdomain Enumeration + HTTP server probing:

$ subfinder -d example[dot]com | httpx -o example.httpx

Uber was hacked.

The hacker social engineered an employee -> logged into the VPN and scanned their intranet. 👇 Apparently there was an internal network share that contained powershell scripts...

"One of the powershell scripts contained the username and password for a admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite"

Information is key.

What sort of information could be in an Airforce Database?

Who would get hurt by that data?

Who would it benefit?

5 years ago, 17-year-old me easily gained access to an Air Force database.

Legally, through hackerone.com/deptofdefense

Here's how I did it: 1/ Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP).

This time, I was looking at the Airforce subdomains.

I decided to look for sites running PHP.

To do this, I used Google.

So, if you use Google, you should know about

The simplest observations can lead to finding huge vulnerabilities.

Here's how @Shlibness & I gained access to data of 25,233 employees: @Shlibness 1/ @Shlibness messaged me.

He had something for me to look at:

https://digitalcontrol.███/workday/workday_profiles_lookup

I'd never seen this endpoint.

But looked juicy!

Workday allows employees to check-in & out of work, get paid, etc.

I requested it &

How you can learn to hack web3 (and protect millions of dollars): 1/
Become a dev (to break you must understand):

• Read "Mastering Ethereum" (It's on GitHub)
• Learn Solidity:
• CryptoZombies
• solidity-by-example[.]org
• Solidity Docs
• Learn how to use HardHat
• Familiarize yourself with widely used contracts (EIP 20)

It's easy to find attack surfaces that others haven't.

You just need to think creatively.

"But Corben, I don't know how!"

That's what I'm here for.

I'll share some simple methodology that works.

(so you can find vulnerabilities...and make money)

A story: 1/ I went to Shodan.

Searched for my target with the SSL certificate name filter:

> ssl.cert.subject\.cn:*.example[.]com

I came across a server that had a certificate for:

"*.apps.███\.com"

Interesting.

When I see wildcards, I immediately think that the server

Authorization.

Easy to understand. Critical if implemented incorrectly.

Want to see an example? (dumb question Corben, yes, why not)

Last month, I found an auth bypass that lead to a full account takeover.

Here's how I found it: 1/ I came across a subdomain.

I used cURL to check it out:

$ curl https://redacted.███\.com

> HTTP/1.1 200 OK
> X-Powered-By: Express
> Content-Type: text/html; charset=UTF-8
>
>--- snip ----
> <app-root></app-root>
> --- snip ----

Nice, AngularJS! Might be interesting. So

Are you into web hacking?

If so, you must have technology-specific wordlists

If not, you're missing obvious vulnerabilities.

Don't believe me?

Let's look at an information disclosure in an ASP[.]NET Core site: 1/ First, let's talk background:

How does ASP[.]NET get its configuration settings? (Like database connections)

In the documentation:

By default, it's "configured to read from `appsettings.json`, environment variables" and more.

It gives an example that shows

Who's your phone provider?

Well, there's a good chance that I've hacked them!

Last year, I breached a major telecom company (many times...)

This time, I stole the data of every employee.

(well, I didn't steal all of it, but I could've)...

Here's how I did it: 1/ I hacked on this company often.

Through their bug bounty program.

I performed recon to see what new assets were up.

I went to Shodan.

Searched by SSL certificate names:

> ssl.cert.subject.cn:*.example[.]com

Scrolled.

Ooooh!

A new host that I hadn't seen before:

302 Military FTP servers.

Imagine you had access to 302 military FTP servers.

What data could possibly be on them?

Who would get hurt by that data?

Who would it benefit?

5 years ago,

A 17-year-old gained access to 300 military FTP servers.

Here's how I did it: 1/ Back then, I practiced in the DoD's Vulnerability Disclosure Program (VDP).

So, I was interested in U.S Army websites.

More specifically, sites that allowed me to register an account.

Why?

Because sites that have logins typically have lots of other functionality.

In 2010, WikiLeaks released a classified document.

A list of infrastructure critical to U.S national security.

The government listed a Trans-Atlantic cable.

3 years ago,

19-year-old me gained ADMIN access to that cable (and another; shared codebase).

🧵Here's how I found it 1/ It began with a bug bounty program.

Of a telecommunications company (that I can't name publicly).

As some of you may know, I love recon.

I had already done subdomain enumeration.

The next step was to scan their IP ranges.

So,

Have you found any ironic vulnerabilities?

I do. One comes to mind that I've never shared:

Access to a company's vulnerability reports.

All of them...Ever...

It will make you facepalm.

Here's how I managed it: 1/ I was invited to a "new" program.

It was a vulnerability disclosure program.

This meant no rewards.

However, their policy indicated they "might reward $ for criticals"

I was bored and intrigued enough.

Maybe some easy criticals?

Hacking CAN be easy.

But, often it's not.

Let's develop your technical skills, they obviously matter.

A roadmap: 1/

- Learn Bash scripting & the command line

- Learn HTML & Javascript (CodeAcademy / W3 Schools)

- Learn Python (or Golang, Java, C#, or whatever).

- Learn some basic SQL.