WHO AM I? And My Experiments with Hacking & Bug Bounty Hunting?

in information •  11 months ago

20748089_197100627492923_9222648557994124641_o.jpg

Hey Everyone i hope you all are doing great. Nowadays, every other college or school student wants to be a hacker. Due to media hype, the term hacker is considered both cool and criminal at the same time. Now, since This Note is basically about my journey into hacking, I receive many emails on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. In this article I will attempt to answer these and more. I will give detailed technical instructions on how to get started as a beginner and how to evolve as you gain more knowledge and expertise in the domain. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems.

Introduction!
My Name is Muhammad Khizer Javed And I’m 19 Years Old, Currently Studying in 2nd Year ICS & Living in Islamabad, Pakistan.
Where It All Began!?
I came to Know about the word Hacking about 3 Years a Go when a Friend of mine learned How to perform Phishing Attack and Successfully Takeover My Facebook account & I was like WoW How he did that so After Getting my account back I started to search Google about Hacking..... But At that Time all i need to learn is “HOW TO HACK A FACEBOOK ACCOUNT” So the only thing i was searching on Google was About FB Hacking ( Nothing else ) Then after successfully wastig about a week I learned that trick and Started to HACK Facebook accounts by posting scam links in forums, Emails, Messages, Groups, Anonymous chats etc ( ALL SORT OF SHIT ), Then one day i was searching on Facebook about Hacking when I found a Guy named Mr.Anon (And Now He is One of My best friends) I posted a Comment on his post Highlighting an Issue about something (Please Don’t Disclosed That If You still remember that) he took a screenshot of that and Posted on his profile & I saw many people laughing at me and I was like WTF I can do that stuff Myself so I created a New Facebook account with anonymous Name & Started sending request to the friends of Mr.Anon And after 3-4 Days I got 5000 People in My Friend List And I know Nothing about Them.... Then some of them started Tagging me in their Facebook Posts Like ( Hacked By Team Indi shell, team PCA & Team bla bla bla....) I stared Talking to them about how they do that and Why? etc And In no time I learned 2 Ninja Tricks for Hacking & Defacing Websites...
Using site:.in index.php?id=1 ‘
Going to a Mirror Website Like Zone-h and take a Website from their and Scanning it finding the existing shell or Finding the Vulnerability in it and Exploit it


After some days, I Successfully hacked 20-30 website and Defaced them :p But I was not having Fun in it so I again started googling and After some time I learned to find vulnerable sites from some advanced Google Dorks & Then Exploiting them By Tools like Sqlmap, & I also learned a Little about Manual SQL inj, Shelling Compromising Cpanels etc :/ And After that i get to know about symlink, server jumping, a little about rooting etc... I don’t wanna Mention Many things...... But I have to say It was Fun.............. ;)
I’ve had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have. -MakMan

Changing The Color of my HAT!
If you’re not familiar with the concept of Hats in hacking, you’re probably at the wrong place! -_-
One day i saw that some former Black Hat Hacker Mainly Shawar Khan, Ahsan Tahir were Getting Swag Packs & $$ From Companies & Earning some Good Reputation and All i was doing is Defacing Websites & Posting About them on My Facebook :p, So I Contacted Both of them they Helped me through Guiding me What actually they were Doing and What are the benefits :) They also Reffer me Some Links to Read about White Hat Hacking... I first followed the basic guideline and Reported 2-3 Bugs In Website ( even when I don’t Know what The Bug can do and what problem is causing the issue ) First i got rewarded a T-Shirt and Then some Amazon Gift Cards 20$, 40$ etc The More I try the More I learned and Started to understand the Problems........
In August 2016 I Created an Account on Bugcrowd.com Under Username #MuhammadKhizerJaved and Submitted My First Bug report on 2016-08-03 ( That Report is Still Open :P & I’m sure it's Dup )

Well After Getting No reply I started to search More About Bugs that were New Back Then & I Reported 4 More Issues all of Them Went Duplicate as those were Easy to Look for On August 17 I got an Email from Bugcrowd about New private Program Invite

I was Like WTF! is this :P I opened The E-mail accepted the Invite and When I saw the Scope I was like Naaaa... That’s something I can’t test, But i saw some POC’s About Subdomain Takeover So I scanned all the subdomains of that Program and Found Many Of the subdomains were Vulnerable to Subdomain Takeover(List)

So I made a POC and Send them Without taking over The Subdomain as I was unaware of the process :P and in no time i Got the response!

and the Reward was!

So! Basically Without Knowing what actually happening at the end, i GOT My First Reward that was way more than expected After That I become addicted To BugBounty Hunting & I started to Hunt More and More for Bugs, The first bug i understand was Cross Site Scripting(XSS) ( I will follow up The Learning process under this Note ) and After reading Some More Articles & Books, I learned Quite Few Bugs Like ( XSS, CSRF,SQLi,LFI,RCE,SSRF,Open redirect, DLL hijacking, Clickjacking etc etc .... )
after learning Process.... I started to Look for XSS issue and Found One in #Bugcrowd itself

From Time to Time I was receiving Bounties and I was happy with It. and I made an Account on Hackerone.com on and started to hunt Their as well and got some Good Bounties From Their To....

My Most Recent Bounty On HackerOne was......

Well I think its Enough of The Introduction and Story Line Now Lets get straight to The point “How To Become a BugBounty Hunter/Pentester/WhiteHat.......”
"Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation."

I receive Many Messages Daily about teaching me, Hack this for me, How to earn etc....... So Basically i’m Writing this for All of You Guys Who Wanna Learn BugBounty hunting... i’ll Attach couple of books, References, Blogs, YouTube Channels & Other Material Hope That will Help all Of You who wanna Learn :)
First of all I want you guys to Read The article by Eric Raymond http://www.catb.org/esr/faqs/hacker-howto.html It has become the de-facto standard guideline for aspiring hackers.......... As Mentioned In This Article
One of The Most Important Thing You Need to Have If You want Become a Hacker is Attitude!

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work.
Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is valued. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best.
If you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.
Resources!
Basically I What I’m sharing here is a Collection of Different Books About Penetration testing & Reverse Engineering That I have Picked from Google and Now Wanna Share With you all.., Along with Some Blogs Links, & YouTube Channels

BOOKS:
I prefer Reading books Like Mastering Modern Web Penetration Testing, The Hacker's Underground Handbook, web hacking 101 etc

These are the Important Books to Read Otherwise Here are Some More Books That May Help you :)Google Drive Link
Also :) For Those Who Want something Related to Reverse Engineering Follow this Google Drive
So These were Some Important Books Which I shared With you Guys :) Lets Get Towards Blogs!
Their are Plenty of Blogs Shared By Hackers on Daily Basics That You can read to learn More and More..........
https://blog.it-securityguard.com/
https://blog.innerht.ml/
http://brutelogic.com.br/blog/
https://klikki.fi/
http://philippeharewood.com/
https://seanmelia.wordpress.com/
https://respectxss.blogspot.com/
https://www.gracefulsecurity.com/
https://whitton.io/
https://tisiphone.net/
http://archive.nahamsec.com/
http://danlec.com/blog
https://wehackpeople.tumblr.com/
https://bitquark.co.uk/blog/
https://www.arneswinnen.net/
http://bugbountypoc.com/
https://medium.com/@arbazhussain/
https://shahmeeramir.com/
http://www.shawarkhan.com/
https://blog.detectify.com/
http://www.rafayhackingarticles.net/...
https://forum.bugcrowd.com/
https://securitywall.co/
https://www.hackerone.com/blog
http://www.securitytube.net/
https://hackasia.org/
http://www.gangte.net/
https://mukarramkhalid.com/
https://securitytraning.com/
https://jubaeralnaziwhitehat.wordpress.com/...
http://hackaday.com/
http://www.securityfocus.com/
https://packetstormsecurity.com/
http://www.blackhat.com/
https://www.metasploit.com/
http://sectools.org/
https://labs.detectify.com/
https://blog.rubidus.com/
http://www.securityidiots.com/
https://hackernoon.com/
https://sqli-basic.blogspot.com/
https://bugbaba.blogspot.in/
https://vulnerability-lab.com/
These are some Of the Websites That I like to Visit regularly to b updated and Read Their Articles.......... Their are Plenty of Other Blogs, Websites That are Missing from This List so be sure to add them In Comments :) sharing is caring.........
Now Lets get Towards YouTube Channel Links... These Channels are Shared By Hackers where They Upload their Video POCs.. Watching them u can actually understand how to demonstrate these type of attacks ...

https://www.youtube.com/channel/UCP...
https://www.youtube.com/channel/UCJ...
https://www.youtube.com/channel/UCR...
https://www.youtube.com/channel/UCY...
https://www.youtube.com/channel/UCw...
https://www.youtube.com/channel/UCa...
https://www.youtube.com/channel/UCt...
https://www.youtube.com/channel/UC5...
https://www.youtube.com/channel/UCM...
https://www.youtube.com/channel/UC_...
https://www.youtube.com/channel/UCq...
https://www.youtube.com/channel/UCV...
https://www.youtube.com/channel/UCs...
https://www.youtube.com/channel/UCa...
https://www.youtube.com/channel/UCP...
https://www.youtube.com/channel/UCX...
https://www.youtube.com/channel/UC4...
https://www.youtube.com/channel/UCs...
https://www.youtube.com/channel/UCo...
https://www.youtube.com/channel/UCy...
https://www.youtube.com/channel/UCS...
https://www.youtube.com/channel/UCO...
https://www.youtube.com/channel/UCh...
https://www.youtube.com/channel/UCo...
https://www.youtube.com/channel/UC9...
https://www.youtube.com/channel/UCe...
https://www.youtube.com/channel/UC2...
https://www.youtube.com/channel/UCP...
https://www.youtube.com/channel/UCz...

another advice...... Regularly follow http://h1.nobbd.de/ to b updated with hackerOne Public Bug reports You can learn alot from them, Follow OWASPhttps://www.owasp.org/index.php/Cat... Also alternatively You can Join Slack Community fro Hackers https://bugbounty-world.slack.com/:)
Also You should Consider practicing Your Skills on http://www.itsecgames.com/ , http://www.dvwa.co.uk/ And Other Applications Like this

HackerOne Public Reports!
These Reports might help you guys to get some indepth idea of BugBounty hunting..

Bug Bounty Reference
A list of bug bounty write-up that is categorized by the bug nature, Written by ngalongc this is inspired by https://github.com/djadmin/awesome-bug-bounty

Following form a recent Blog post from My Friend Arbaz Hussain I’m Sharing out “10 rules of Bug Bounty”
Targeting the Bug Bounty Program
How do you Approach the Target ?
Don’t Expect Anything !
Less Knowledge about Vulnerabilities and Testing Methodologies :
Surround yourself with Bug Bounty Community to keep yourself Updated.
AUTOMATION
GET BOUNTY or GET EXPERIENCE:
FIND THE “BUG” or FIND A “BUG’S CHAIN”:
FOLLOW MASTER’S PATH:
RELAX & ENJOY LIFE:
If You want to Learn about these Steps In Details Follow Up the link
https://medium.com/@arbazhussain/10-rules-of-bug-bounty-65082473ab8c

Being a security researcher, it is really tough to keep yourself up to date. I’d ask the beginners to focus on self study and learn things by themselves as everything is possible all you need is the passion of taking a step after that you can achieve anything. Nothing is impossible to achieve. All i achieved was by doing self-study and self motivation and without any certifications. You are never a perfect person, but you are still better then the rest of the people. For being a security researcher, all it takes is the passion to achieve something. I hope this article helped you motivate to take a positive step in life..
Well That’s All I can Share With you Guys :) At this Phase :) Will Keep this Note Updated If I found anything :) That can b helpful for Others......... I still Have to Learn alot,

!Thanks For Reading!
I Wrote this Note Originally on my Facebook Profile This is the Updated Version of the note :) Feel Free to Look at the Note on my Facebook Profile ;)

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Congratulations @khizerjaved, you have decided to take the next big step with your first post! The Steem Network Team wishes you a great time among this awesome community.


Thumbs up for Steem Network´s strategy

The proven road to boost your personal success in this amazing Steem Network

Do you already know that awesome content will get great profits by following these simple steps, that have been worked out by experts?