How we won 2nd Place in HackerOne Brand Ambassador World Cup 2022 - CTF & Public Programs Hunting

Hello folks, today I am going to share my experience in the HackerOne Brand Ambassadors World Cup 2022. There were many teams from different regions of different countries. From India, there were Haryana Club, Delhi Club, Pune Club and Gujarat Club. I was in the Haryana Club and @DrSniper was the team leader of Haryana Club.


1st Round - CTF

The first round was a web-based CTF where the top 16 Clubs would go on to the next round. In the CTF, anybody can participate, even individuals, but only Clubs go to the next round. The CTF started on 17th January and ended after 7 days.

Day 1 - Wordlists of parameters, passwords, and directories were already provided by them, but the website enforced rate limiting, which made it difficult to fuzz endpoints. So we tried fuzzing at 20 req/s and we got most of the easy and medium flags. But there was one directory that returned a 403 error on accessing it. So we all tried our methods, like trying admin headers in Burp Suite, changing the request method and many others. But nothing came of it, so at the end of the day, Aman (testingforbugs) came up with the idea of changing letters of the directory to upper case and lower case, like:-

/app/betA/

Yes, it worked, and we had been overthinking this flag.

Day 2 - We found a few more flags from medium and a few from high. There were many SQL injection endpoints where we found flags. Then we got stuck at one medium flag which was related to a directory traversal vulnerability, and only two endpoints were left: "/beta/flag.txt", which returned 403 Forbidden, and "/app/betA/?file=template.html". So I spent a few hours on this "/app/betA/?file=template.html" endpoint, where it was filtering "../" from the payloads. I tried many payloads, and this one worked and we fetched the flag with it.

/app/betA/?file=....//flag.txt
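Why a filter that strips "../" lets this payload through, shown beside a hardened check, as an added example that is not code from the CTF or the original post. The directory layout, function names and file contents are constructed assumptions.

```python
import os
import tempfile

def naive_filter(name: str) -> str:
    # Single pass: removing "../" from "....//" splices a new "../" together.
    return name.replace("../", "")

def read_vulnerable(base_dir: str, name: str) -> str:
    # Filter, then join: the pattern the payload above gets past.
    with open(os.path.join(base_dir, naive_filter(name))) as fh:
        return fh.read()

def read_hardened(base_dir: str, name: str) -> str:
    # Canonicalise first, then require the result to stay under base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path outside template dir: {name!r}")
    with open(target) as fh:
        return fh.read()

def build_sandbox() -> str:
    # Constructed layout: <root>/flag.txt sits one level above <root>/templates/.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "templates")
    os.mkdir(base)
    with open(os.path.join(root, "flag.txt"), "w") as fh:
        fh.write("constructed-flag")
    with open(os.path.join(base, "template.html"), "w") as fh:
        fh.write("<h1>ok</h1>")
    return base

def outcome(reader, base_dir: str, name: str) -> str:
    # Return the file content, or the name of the OSError subclass raised.
    try:
        return reader(base_dir, name)
    except OSError as exc:
        return type(exc).__name__

if __name__ == "__main__":
    base = build_sandbox()
    for name in ("template.html", "../flag.txt", "....//flag.txt"):
        print(f"{name!r:20} filtered={naive_filter(name)!r:16} "
              f"vulnerable={outcome(read_vulnerable, base, name)!r} "
              f"hardened={outcome(read_hardened, base, name)!r}")
```

The hardened reader treats "....//flag.txt" as a literal, nonexistent path under the template directory, and refuses a plain "../flag.txt" because the canonical path leaves that directory.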

Now the last flag was left, and it was hidden perfectly in one of the SSRF-vulnerable endpoints. We tried our best but we didn't find anything where we could look for that flag. After 7 days, we were in the top 16 teams and qualified for the next round. BTW, the last flag was inside that SSRF-vulnerable endpoint, where we had to fuzz inside it:

/app/soccer-transfer-center/transferList?host=internal.backend.localhost/trades/10708/cancel?security_hash=191070832%23

2nd Round - Haryana h1 Club VS Buenos Aires h1 Club

From this round, we had to hack on any public program on HackerOne that is managed by HackerOne and pays bounties, and each round lasted 3 days. Yes, it was difficult because there is more chance of duplicates and we were few. Each report earned points based on severity, and only reports in Triaged and Pending program review status were considered in these rounds. This was the report points structure:-

So our first competitor was Buenos Aires Club. This was our status:-

@DrSniper - 2 Medium, 2 Low

@xploiterr - 2 Medium, 2 Low

@AkashHamal0x01 - 1 Medium, 1 Low

@ashish_r_padelkar - 2 Low + [3 new, 1 Program Review]


We were getting above 20 points in this round and we won this.


3rd Round - Haryana h1 Club VS Gujarat h1 Club

In this round, our competitor was Gujarat Club. In this round, I also submitted 1 Medium vulnerability. These are the points of all teams of this round:-

4th Round - Haryana h1 Club VS Tel Aviv h1 Club

In this round, our competitor was Tel Aviv h1 Club, whose team leader is Nagli. Our previous round points were not that good, so we set a target, because we were already few active members and if we could all submit 4 medium reports, then we could achieve more than 100 points. The main problem was duplicates: we all reported many bugs and we got many duplicates, but we didn't give up. We were able to achieve above 60 points in this round by hacking on all programs in the HackerOne Directory. This round was really frustrating and we were feeling so exhausted. Yes, we won this round against Tel Aviv Club.


5th Round - Haryana h1 Club VS Bordeaux h1 Club

This round was against Bordeaux h1 Club whose team leader is Lupin. This round started quickly after the previous round's announcement and we were already exhausted. So we tried our best and submitted many reports in three days. We were able to achieve this:-


So we were able to achieve 2nd position in this World Cup. We pushed beyond our limits in each round and we didn't give up in any round.

#TogetherWeHitHarder


Haryana h1 Club members to follow:-

Dr. Sniper

Ashish Padelkar

Aman Mahendra

xploiterr

Aditya Singh

BattleAngel

𝙹𝚘𝚑𝚗 𝙷𝟺𝚡𝟶𝚛

Krence

Akash Hamal

Dhiyaneshwaran





