Can You Hack Starbucks China? LIVE Bug Bounty Hunt and Recon Process

Published on Oct 10, 2025. This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

This tutorial is a step-by-step guide to the reconnaissance phase of a bug bounty hunt, following the methods demonstrated in the video "Can You Hack Starbucks China? LIVE Bug Bounty Hunt and Recon Process" by Jackson Mittag. It covers subdomain enumeration, certificate transparency lookups and HTTP probing, and introduces the tools used for each. It is aimed at people starting out in bug bounty hunting or looking to make their recon more systematic.

Step 1: Set Up Your Environment

Before you begin, make sure the tools used below are installed and on your PATH.

  • Install Go: most of the tools below are written in Go. Download and install it from the Go official website, then add Go's binary directory (by default $HOME/go/bin, which is where go install places compiled tools) to your PATH, or the commands below will not be found.
  • Clone or install tools: follow the installation commands given for each tool in the steps below.

Step 2: Subdomain Enumeration

Subdomain enumeration expands the attack surface: forgotten, internal-looking or unlinked subdomains are often less maintained than the main site and are where many findings come from. Combine several sources, because each one sees a different subset.

  1. Using Subzy:

    Subzy is not an enumerator. It takes a list of subdomains you have already collected and checks each one for subdomain takeover (a CNAME pointing at a third-party service that nobody has claimed). Build it now and run it with its run subcommand against your list once Steps 2 and 3 have produced one.

    • Clone and build the repository:
      git clone https://github.com/LukaSikic/subzy.git
      cd subzy
      go build
      
    • Show the available subcommands and options:
      ./subzy -h
      
      
  2. Using Subfinder:

    • Install Subfinder:
      go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
      
    • Use it to find subdomains:
      subfinder -d example.com
      
  3. Using Assetfinder:

    • Install Assetfinder:
      go install github.com/tomnomnom/assetfinder@latest
      
    • Run Assetfinder:
      assetfinder --subs-only example.com
      

Step 3: Certificate Transparency Lookups

Certificate Transparency (CT) logs record every publicly trusted certificate issued for a domain, so they reveal hostnames (including wildcard and SAN entries) that passive sources and DNS brute force often miss.

  • Visit crt.sh.
  • Search for the domain you are investigating (e.g., example.com) to find the certificates issued for it and its subdomains; the same query with output=json is easier to consume from a script.
  • Expect noise: one certificate can list many names, wildcard entries such as *.example.com are not hostnames, and a name in the log does not mean the host still resolves. Clean and deduplicate the list before using it.

Step 4: HTTP Probing

HTTP probing separates hostnames that actually serve HTTP or HTTPS from stale DNS records and parked names, so later testing is spent only on live targets.

  1. Using httpx:
    • Install httpx:
      go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
      
    • Probe the domains you discovered (one hostname per line):
      httpx -l domains.txt
      
    Check that httpx on your PATH is the ProjectDiscovery binary; the Python package of the same name also ships an httpx command, and the two take different flags.
      

Step 5: Conducting Recon Workflow

Develop a systematic approach to your reconnaissance.

  • Identify targets: Use the tools from Steps 2 and 3 to gather potential targets.
  • Document findings: Keep track of discovered subdomains and their statuses.
  • Analyze results: Determine which subdomains warrant further investigation.
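As an added example (not code from the video, and not part of subfinder, assetfinder, httpx or subzy), the script below strings Steps 2 to 5 into one pipeline: it gathers hostnames from every source that is installed, merges them through a normalize_subs function, writes the cleaned list, then hands it to httpx and subzy. It assumes those binaries plus curl and jq are on PATH and skips any stage whose tool is missing. normalize_subs is the part worth keeping even if you script the rest differently: it lowercases, strips crt.sh wildcard prefixes and trailing dots, and rejects look-alike names such as evil-example.com that merely end in the scope string rather than being under it.

```shell
#!/bin/sh
# recon.sh: hypothetical recon pipeline for Steps 2-5 (added example, not the
# video's own script). Assumes subfinder, assetfinder, httpx, subzy, curl and
# jq are on PATH; each stage is skipped when its tool is absent.
set -u

# Clean a raw hostname list on stdin into an in-scope, deduplicated list:
#   - lowercase, drop whitespace, strip crt.sh wildcard prefixes ("*.") and
#     trailing dots
#   - keep only the scope domain itself and names ending in ".<scope>", so that
#     evil-example.com is rejected for scope example.com
normalize_subs() {
  scope=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  LC_ALL=C tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]//g' -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v d="$scope" '
        $0 == d { print; next }
        length($0) > length(d) && substr($0, length($0) - length(d)) == "." d { print }
      ' \
    | LC_ALL=C sort -u
}

# Step 3: hostnames from Certificate Transparency via crt.sh's JSON output.
# name_value may hold several newline-separated names; jq -r prints each on
# its own line, and normalize_subs removes the "*." wildcard entries.
crtsh_subs() {
  curl -s --max-time 60 "https://crt.sh/?q=%25.$1&output=json" \
    | jq -r '.[].name_value'
}

# Steps 2 and 3: collect from every available source, merge, write one list.
# Prints the number of in-scope hostnames written.
gather_subs() {
  domain=$1
  out=$2
  {
    command -v subfinder >/dev/null 2>&1 && subfinder -d "$domain" -silent
    command -v assetfinder >/dev/null 2>&1 && assetfinder --subs-only "$domain"
    if command -v curl >/dev/null 2>&1 && command -v jq >/dev/null 2>&1; then
      crtsh_subs "$domain"
    fi
    printf '%s\n' "$domain"   # always include the apex itself
  } | normalize_subs "$domain" > "$out"
  wc -l < "$out" | tr -d ' '
}

# Step 4: probe the list for live HTTP(S) services (status code and title
# recorded to live_<list>), then run subzy's takeover check over the same list.
probe_subs() {
  list=$1
  command -v httpx >/dev/null 2>&1 \
    && httpx -l "$list" -silent -sc -title -o "live_${list}"
  command -v subzy >/dev/null 2>&1 \
    && subzy run --targets "$list"
}

if [ "$#" -ge 1 ]; then
  n=$(gather_subs "$1" domains.txt)
  echo "[+] $n in-scope hostnames written to domains.txt"
  probe_subs domains.txt
fi
```

Run it as `sh recon.sh example.com`; it leaves domains.txt (every in-scope hostname seen by any source) and live_domains.txt (only the hosts that answered httpx) for the next step. Keep both files: the difference between them is your record of what was discovered but not live at the time, which is exactly the kind of note Step 5 asks you to keep.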

Step 6: Vulnerability Scanning

Begin vulnerability testing on the live hosts with specific attack classes in mind rather than relying on blind scanning.

  • Start with a basic scan of the live hosts to pick up obvious misconfigurations and known issues.
  • Explore race conditions, which the demo highlights. TOCTOU (time-of-check to time-of-use) is one class of race condition: the check (a balance, a one-time token, a quota) and the action that depends on it are not performed atomically, so the same request sent concurrently can pass the check more than once.

Practical Tips

  • Always follow responsible disclosure, and treat the program's published scope and rules as the limit of your authorization: an asset that is not listed in scope is not authorized, even if the same organization owns it.
  • Maintain a log of your actions and findings for future reference and to avoid repeating work.
  • Familiarize yourself with the program's disclosure policy and the platform's code of conduct before you submit anything.

Conclusion

In this tutorial, we covered the essential recon steps of a bug bounty hunt: setting up your environment, subdomain enumeration, certificate transparency lookups and HTTP probing. Subfinder, Assetfinder and crt.sh gather candidate hostnames, httpx tells you which of them are live, and Subzy checks the list for subdomain takeover. Always remember to stay within scope and act responsibly in your bug hunting endeavors. Happy hunting!