morkin1792

bug bounty

mindset

• Everybody has problems
• Bugs are created along the time
• Reputation and amount of reports means less than what you are thinking
• Create an account in the target, be patient, check everything, try harder

starting

• choose a few targets (3 ~ 4)

morkin1792

create gpg key pair

gpg --full-generate-key

export public key

gpg --export --armor email@email > key.asc

morkin1792

function findGithubEmails() {
    username="$1"
    remove_fork="${2:-N}"
    if [ -z $ZSH_VERSION ]; then
        printf "$(hostname): Oops, this script requires zsh! \n$(whoami): Why?\n$(hostname): Well... there are some problems, one of them is https://stackoverflow.com/q/59289355 \n$(whoami): You convinced me, how can I install zsh? \n$(hostname): https://itsfoss.com/zsh-ubuntu/ or https://github.com/ohmyzsh/ohmyzsh/wiki/Installing-ZSH\n"
        return
    fi

    function checkRateLimit() {
        if $(printf "%s" "$1" | grep -q 'rate limit'); then

morkin1792

#!/usr/bin/env zsh
# reference
# https://wordlists.assetnote.io/
# https://github.com/danielmiessler/SecLists/
# https://github.com/fuzzdb-project/fuzzdb

BASE=(
    'https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt'
    'https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Common-DB-Backups.txt'
    'https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/Logins.fuzz.txt'

morkin1792

exploiting xss

what can you inject in the affected point?

1. html tags

• 1.1. Easiest case
• 1.2. Try to create a script tag

2. attributes with event handler value (onload, onerror, ...)

• 2.1. There are some examples here and more here
• 2.2. You can try a brute force using this list
• 2.3. Base64: You can replace alert(1) with location=window.atob`amF2YXNjcmlwdDphbGVydCgxKQoK`

morkin1792

adding BURP (or another) ca certificate in android

Firstly export the certificate: Proxy > Options > Import/Export CA certificate > DER Format or download this via http://burp

without root

• put the certificate in android, access with a file manager, and install for "VPN and apps" (can be needed to rename the extension 'der' to 'cer')
• since android 7 (nougat), Apps that target API Level 24 and above no longer trust user or admin-added CAs for secure connections, by default. [1]
  • bypass here

with root

morkin1792

const test1 = (name) => {
    console.log(name)

    {
        console.log(name)
    }
}

const test2 = (name) => {
    console.log(name)

morkin1792

#!/usr/bin/env bash
start=$(date +%s)

link="$1"
price="$2"
command="$3"

function end() {
    echo -e '\nBoas compras...\nRodou por '$(($(date +%s)-start))' segundos'
    exit 0

morkin1792

-- Fonte algorítmo: https://en.wikipedia.org/wiki/Maze_generation_algorithm#Recursive_division_method
math.randomseed(os.time())
function generate(x, y) --gera uma table de table com # e ' ' no centro representando uma maze
  local r = {}
    for i=1,y do
        local ry = {}
        for j=1, x do
            if i ~= 1 and i~=y and j~=1 and j~=x then -- se não for das bordas
                table.insert(ry, ' ')
            else

morkin1792

#Multiboot USB - https://gist.github.com/morkin1792
#1.
#Instalar grub:
# grub-install --target=i386-pc --root-directory=/local/usb/montado /dev/sdX --force #instala grub no modo pc/bios
# grub-install --target=x86_64-efi --root-directory=/local/usb/montado /dev/sdX --removable #instala grub no modo uefi

#2.
#para instalar no modo uefi a particao do grub deve ser fat32 (esp partition), já no modo pc pode-se usar outros sistemas de arquivos
#as isos podem ficar em qualquer particao com 'qualquer' sistemas de arquivos, apenas deve-se setar o uuid dessa mais abaixo
#pode-se instalar em ambos os modos, pc/bios e uefi, se nao for feito apenas pcs com suporte para o modo escolhido bootarao o pendrive