My bugbounty journal

• My bugbounty journal
  • Daily Log
  • Notes
  • Automation

This is my attempt to keep a journal of my experience with bug bounty. I want to approach this entire experience coming from a sysadmin and developer background with a lot of vulnerability research on the sides.

I am going to attempt to document my experience, thoughts before and after in the hopes that this may help others.

The reasons I am doing this are:

• Get a better understanding of the bugbounty process and get first hand experience with it
• Get better ideas for making targets for our echoCTF platform
• Learn a few of the tools i never wanted to learn, on the go and on the need, ie force my self to understand what gap each of the tool is trying to fill
• Create a Gitlab and Github pipeline that would allow bugbounty hunters and pen-testers to automate some tasks
• (maybe) Get lucky and score a payout in the process 😊

My trip to the bugbounty world starts at midnight of 25/11/2022. Unfortunately i cannot work on it during the day, so my attempts will have to be more directed and with purpose if i plan on doing anything significant.

WARNING:

1. I have absolutely no idea what i am doing.
2. I am making fun of my self a lot
3. I dont know what i am doing (did i say that already?)
4. I am trying to figure this up as i go…

I may occasionally update a previous days entry to include new details. This will mostly include spell checking and inclusion of details that i believe will be useful but didnt have the foresight to include them in the first place.

Daily Log

• day 1 - nothing ever goes as planned and that is a good thing
• day 2 - this new plan will work for sure
• day 3 - lets use some tooling
• day 4 - lets use some more tooling
• day 5 - the best laid plans often go… to waste
• day 6 - GOTO DAY 5
• day 7 - lets focus some more on DNS
• day 8 - insert meaningful title here

Notes

Here i will keep my notes about specific tools that i use on my daily attempts. I am trying to document ONLY what i use and not create an encyclopedia.

• CDN specifics
• Useful DNS Commands
• Gitlab specifics
• HubSpot notes
• GraphQL notes
• PHP notes
• Useful /.well-known/ locations
• WSDL APIs

Automation

The gitlab pipelines collection has started getting bigger and bigger and it makes no sense to keep them here. A new project repo has been created to hold the gitlab pipelines (and future Github actions).

https://github.com/proditis/bugbounty-cicd