The story of my First Bug

Just like other newbies, I had been practising on portswigger academy, feeding on writeups day in and day out waiting for my first valid bug and then when it came I wasn’t able to believe what I had found.

This is the story of my first bug which I had found last october. As usual I was reading writeups and practising, watching other hackers’ videos and hovering from one discord bug bounty community to another when I saw a guy posting on nahamsec’s server that Logitech has launched a new public program with huge scope. I ran towards it.

The scope was huge and it consisted both paid and unpaid scope. I started my recon with unpaid scope as they are usually less crowded. Got bunch of subdomains and started looking at each one with my burp open in background. Day1 passed and nothing much apart from some “maybe type scenarios”.

Day 2: Started again looking at various subdomains and clicking at every link possible on the page. I was also keeping a look at the burp logger tab and saw that a POST request is made to upload some image file(Sorry, I can’t go in more detail as public disclosure request of the bug was declined). I saw that the image was uploaded with the data passed in as base64 encoded value and the extension of the file was passed in another parameter. As usual changed the extension and put PHP, it passed on and the file now had php extension.

Wappalyzer extension showed me that the server was IIS so I got the asp web shell, base64 encoded it and passed it with extension as aspx. Didn’t thought I would get RCE this easy as this was similar to doing labs on HTB.

Takeaway: I hadn’t thought I would get my first bug as RCE, just keep your head up and keep learning.