From First Bounty to Pro: The 25+ Commands That Unlocked My HackerOne Success

Listen to this Post

Featured Image

Introduction:

Bug bounty hunting has evolved from a niche hobby into a legitimate cybersecurity career path, with platforms like HackerOne facilitating millions in rewards. This guide deconstructs the technical foundation required to transition from beginner to a hunter who secures that first, crucial bounty, providing the verified commands and methodologies that uncover critical vulnerabilities.

Learning Objectives:

  • Master the core reconnaissance and subdomain enumeration techniques used by professional bug bounty hunters.
  • Develop proficiency in automated vulnerability scanning and manual exploitation for common web application flaws.
  • Learn to validate findings and structure professional reports that lead to successful bounty awards.

You Should Know:

1. Passive Subdomain Enumeration

The first step in any bug bounty program is discovering the target’s attack surface. Passive enumeration gathers information without directly interacting with the target’s servers.

 Using Amass for passive subdomain enumeration
amass enum -passive -d target.com -o subdomains_passive.txt

Using Subfinder
subfinder -d target.com -o subdomains_subfinder.txt

Using Assetfinder
assetfinder --subs-only target.com > subdomains_assetfinder.txt

Step-by-step guide: Start by using a tool like Amass in passive mode. This leverages numerous public data sources to build a list of known subdomains. Combine results from multiple tools (Subfinder, Assetfinder) into a single list, then sort for unique entries using sort -u subdomains_.txt > final_subdomains.txt. This consolidated list forms your initial target scope.

2. Active Subdomain Bruteforcing

After passive enumeration, active techniques discover hidden or non-public subdomains by testing a wordlist against the target’s DNS servers.

 Using MassDNS with a wordlist
massdns -r resolvers.txt -t A -w massdns_output.txt -s 100 subdomains_wordlist.txt

Using GoBuster for DNS bruteforcing
gobuster dns -d target.com -w ~/wordlists/subdomains-top1million-5000.txt -o gobuster_output.txt -t 50

Step-by-step guide: Prepare a high-quality subdomain wordlist. Use MassDNS with a list of public resolvers (resolvers.txt) to perform high-speed DNS queries. Parse the output to filter valid responses. This often reveals development (dev., staging.), internal (internal., admin.), and other critical subdomains missed by passive reconnaissance.

3. Probing for Live Hosts and HTTP Services

Not all discovered subdomains will host active web services. Probing identifies which targets are alive and worthy of deeper inspection.

 Using HTTPX to probe for live hosts and extract technologies
httpx -l final_subdomains.txt -title -status-code -tech-detect -o live_hosts.txt

Using a simple for-loop with cURL to check status
for sub in $(cat final_subdomains.txt); do echo -n "$sub: "; curl -s -I "https://$sub" | head -n 1 | cut -d' ' -f2; done

Step-by-step guide: Feed your final subdomain list into HTTPX. The `-tech-detect` flag is crucial as it identifies the underlying technology stack (e.g., PHP, Node.js, Nginx), allowing you to tailor your attacks. Focus initial efforts on hosts returning 200, 301, 302, 401, and `403` status codes.

4. Port Scanning Critical Assets

Identifying open ports on key infrastructure can reveal administrative panels, API endpoints, and vulnerable services.

 Using Nmap for a comprehensive TCP scan
nmap -sS -sV -sC -T4 -p- --min-rate 5000 -oA full_tcp_scan target_ip

Using Masscan for extremely fast internet-wide scanning
masscan -p1-65535 target_ip --rate=10000 -oL masscan_output.txt

Step-by-step guide: For in-scope IP addresses or critical targets, initiate a TCP SYN scan (-sS) with version detection (-sV). Use Nmap’s default script engine (-sC) to run safe scripts that can often identify default credentials or common vulnerabilities. Always ensure you have explicit permission to scan the target.

5. Automated Vulnerability Scanning

Leverage automated scanners to quickly identify low-hanging fruit, but never rely on them exclusively.

 Running Nuclei with all community templates
nuclei -l live_hosts.txt -t ~/nuclei-templates/ -o nuclei_results.txt

Using Nikto for a quick web server assessment
nikto -h https://target.com -o nikto_scan.html -Format htm

Step-by-step guide: Update your Nuclei templates daily (nuclei -update-templates). Run it against your list of live hosts. The true skill lies in triaging the results; filter out false positives and focus on critical findings like SQLi, XSS, and RCE. Manual verification of every finding is non-negotiable.

6. Manual SQL Injection Testing

Automated tools miss complex SQL injection flaws. Manual testing is where high-value bounties are often found.

 Using SQLmap to test a specific parameter
sqlmap -u "https://target.com/page.php?id=1" --batch --level=3 --risk=3 --dbs

Manual testing with curl for error-based SQLi
curl -s "https://target.com/page.php?id=1'" | grep -i "error|sql|mysql"

Step-by-step guide: Identify all user-input vectors (GET/POST parameters, headers). Test each with single quotes ('), double quotes ("), and parentheses to trigger SQL errors. Use SQLmap for confirmed parameters to automate data exfiltration, but always within the program’s scope and rules of engagement.

7. Cross-Site Scripting (XSS) Payload Crafting

XSS remains a prevalent vulnerability. Testing requires a variety of payloads to bypass filters.

 Simple reflected XSS test with cURL
curl -s -G --data-urlencode "search=<script>alert(1)</script>" "https://target.com/search" | grep -q "<script>alert(1)</script>" && echo "Potential XSS"

Using a polyglot XSS payload for advanced testing
curl -s -G --data-urlencode "q=jaVasCript:/-/<code>/\</code>/'/\"//(/ /oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" "https://target.com"

Step-by-step guide: Don’t just test with basic `