120 Days of Frequent Hacking

Wrapping Up 120 Days of Frequent Hacking

I and @kuldeepdotexe decided to take @infosec_au as our inspiration to do 120 days of frequent hacking. In this case, I have to recognize the persistence and consistency of @kuldeepdotexe who managed to keep focused and nailed down a good amount of experience and vulnerabilities where you can read his blog “120 Days of High-Frequency Hunting” which was my incentive to keep some discipline into it. There were several takeaways that I could provide that are non-technical such as underestimating how disciplined and consistent you have to be when planning to get good at one skill such as finding vulnerabilities. In my case, I did not complete 120 Days of frequent hacking, due to a lack of discipline, but still, I’d like to share my findings and maybe try out again to see if I can get better results.

During these 120 days I managed to get 20 vulnerabilities which can be considered as the following:

• 9 valid
• 5 duplicate
• 6 low-impact not for acceptance threshold for Synack.

For the sake of learning to show some of my flaws as also learning, I will do a writeup of all valid vulnerabilities gathered during these 120 days with the following submissions:

1. Unauthenticated Arbitrary File Deletion through CVE-2020-3187
2. Database Credentials Disclosure Through Debug Mode Enabled In CGI files.
3. Full SSRF Access to Internal Servers
4. Boolean Based SQLi
5. Local File Inclusion
6. Multiple Local File Inclusions Flaws
7. Default Credentials In Presenters Websites
8. Sensitive PII Data Being Disclosed
9. DOM-Based XSS

Some of the non-technical takeaways that I may provide are:

• Establish accountability to meet your effectiveness standards.
• Be disciplines and set up a time to hunt if results want to be seen.
• Prioritize and measure your progress depending on the type of skills that you’d like to get.

If you want to offer some feedback or just chat, feel free to shoot a DM to my twitter @caffeinevulns.