Find Your First Bug — #3 CVE’s

SAFARAS K A
3 min readNov 8, 2020

--

If you want your first bug to be a critical one, read this carefully. Finding a critical bug is one of my dream when I started learning and this is how I got it.

Hello hackers, if you haven’t read other posts on this series check those out here. When I started learning web hacking I heard the word CVE and I didn’t understood that very much, as usual I just leaved that and after some time I come across Insider PHD’s videos on cves

But that too didn’t took my attention to hunt for cve’s. After some long time ( on the October 2020) I started learning how to find bugs using cves.

How I Found my First Critical Bug

As usual I was hunting on one of my favorite responsible disclosure program and I come across to see that one of the subdomain is using Telerik UI actually I don’t know what it is. But I just googled Telerik UI cves and found a CVE that can achieve remote code exedution ( Oh wow )

First one took my attention

I read the first blog I didn’t understood it and read 2-3 times and got something. and I searched for the poc or exploit and I got it fasfly

Downloaded first one

and read some blogs related to that and at the end of the day I was able to exploit it (Took a lot of time since I was a beginner). Reported and got a small bounty(because it is a small company) but that’s the biggest bounty I got so far.

How We Can Find Bugs using CVE

1. Find the Technologies used by Target

— When we visit a website use wappalyzer extension to look for different technologies used by the website.

— Look carefully on the responses on burpsuite, they sometimes show the version of services used by the app

— use cve’s templates on nuclei

— Use technologies templates on nuclei

Search for it’s CVE’s and Exploits

— Google technology cves (eg:- jira cves) or technology exploits (eg:- jira exploits) and now we have the cve number ( eg: CVE-2020-1122)

— Search for the exploits ( CVE-2020–1122 exploit) on Google, twitter, exploit-db, Github, Youtube etc.

— Exploit it and report it! Enjoy $$

Find me on twitter iam_j0ker

--

--