Wrapping Up 120 Days of Frequent Hacking
@kuldeepdotexe and I decided to take @infosec_au as our inspiration to do 120 days of frequent hacking. In this case, I have to recognize the persistence and consistency of @kuldeepdotexe, who managed to stay focused and nailed down a good amount of experience and vulnerabilities; you can read about it in his blog “120 Days of High-Frequency Hunting”, which was my incentive to keep some discipline in it. There are several non-technical takeaways that I could provide, such as underestimating how disciplined and consistent you have to be when planning to get good at one skill such as finding vulnerabilities. In my case, I did not complete 120 days of frequent hacking, due to a lack of discipline, but still, I’d like to share my findings and maybe try again to see if I can get better results.
During these 120 days I managed to get 20 vulnerabilities, which break down as follows:
- 9 valid
- 5 duplicate
- 6 low-impact, below the acceptance threshold for Synack.
For the sake of learning, and to show some of my flaws as well, I will do a writeup of all valid vulnerabilities gathered during these 120 days, with the following submissions:
- Unauthenticated Arbitrary File Deletion through CVE-2020-3187
- Database Credentials Disclosure Through Debug Mode Enabled In CGI Files
- Full SSRF Access to Internal Servers
- Boolean Based SQLi
- Local File Inclusion
- Multiple Local File Inclusion Flaws
- Default Credentials In Presenters Websites
- Sensitive PII Data Being Disclosed
- DOM-Based XSS
Some of the non-technical takeaways that I may provide are:
- Establish accountability to meet your effectiveness standards.
- Be disciplined and set up a time to hunt if you want to see results.
- Prioritize and measure your progress depending on the type of skills that you’d like to get.
If you want to offer some feedback or just chat, feel free to shoot a DM to my Twitter @caffeinevulns.