From Zero to Hall of Fame: How Two Hackers Dominated a YesWeHack Program with 10 Valid Reports + Video

Listen to this Post

Featured Image

Introduction:

In the high-stakes arena of bug bounty hunting, achieving multiple accepted vulnerabilities in a single program is a feat that demands not only technical prowess but also a systematic methodology. The recent success of Bavly Z. and Zeyad Abdelrhman, who secured the 1 and 2 spots on a target’s YesWeHack Hall of Fame with two accepted vulnerabilities, underscores the power of collaboration and deep reconnaissance. This article dissects the strategies, tools, and step-by-step techniques that can help you replicate such success, moving from isolated finds to becoming an “Interstellar Specialist” with a double-digit report count on the same program.

Learning Objectives:

  • Understand the end-to-end bug bounty lifecycle, from reconnaissance to responsible disclosure.
  • Master practical reconnaissance and vulnerability discovery techniques using industry-standard tools.
  • Learn how to craft comprehensive, high-impact bug reports that get accepted and rewarded.

You Should Know:

  1. Phase 1: Deep Reconnaissance – Mapping the Attack Surface
    Before firing a single payload, elite hunters spend 60-70% of their time on reconnaissance. The goal is to discover every endpoint, parameter, and hidden asset of the target. Start with subdomain enumeration using tools like `subfinder` and amass, then probe for live hosts with httpx.

Step-by-step guide:

 Install tools (Linux)
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/OWASP/Amass/v3/...@master
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest

Enumerate subdomains
subfinder -d target.com -all -o subdomains.txt
amass enum -d target.com -o amass_subs.txt

Merge and sort unique subdomains
cat subdomains.txt amass_subs.txt | sort -u > all_subs.txt

Check for live hosts and web technologies
httpx -l all_subs.txt -title -tech-detect -status-code -o live_hosts.txt

This yields a curated list of live endpoints. Next, use `gau` (GetAllUrls) or `waybackurls` to fetch historical URLs, often revealing hidden parameters and endpoints.

gau --subs target.com | grep -E ".js$|.php$|api" | sort -u > potential_targets.txt

2. Phase 2: Automated and Manual Vulnerability Discovery

With a list of live endpoints and parameters, the next step is to identify low-hanging fruits and then dive deeper. Automation with tools like `nuclei` can quickly scan for known vulnerabilities, while manual testing uncovers logic flaws.

Step-by-step guide:

 Install nuclei
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

Run nuclei on live hosts with all templates
nuclei -l live_hosts.txt -t ~/nuclei-templates/ -severity critical,high,medium -o nuclei_results.txt

For manual testing, focus on parameters identified during reconnaissance. Use Burp Suite’s Proxy and Repeater to test for SQL injection, XSS, and IDOR. A classic SQLi test:

GET /api/user?id=1' OR '1'='1' -- -

If you see anomalies, escalate with `sqlmap` for confirmation:

sqlmap -u "https://target.com/api/user?id=1" --batch --level=2 --risk=2 --dbs
  1. Phase 3: API Security Testing – The Modern Goldmine
    Modern web applications rely heavily on APIs, which often introduce critical vulnerabilities like broken object level authorization (BOLA) and mass assignment. Tools like `kiterunner` and `ffuf` help discover hidden API endpoints.

Step-by-step guide:

 Install kiterunner
wget https://github.com/assetnote/kiterunner/releases/download/v1.0.2/kiterunner_1.0.2_linux_amd64.tar.gz
tar -xzf kiterunner_1.0.2_linux_amd64.tar.gz

Use a common API wordlist
./kr scan https://target.com -w /path/to/api_wordlist.txt -x 20 -o api_endpoints.txt

Fuzz for hidden parameters with ffuf
ffuf -u https://target.com/api/v1/user?FUZZ=1 -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -fc 404

Once an endpoint is found, test for IDOR by manipulating identifiers (e.g., `/api/user/123` → /api/user/124) and checking if you can access another user’s data.

  1. Phase 4: Exploitation and Proof of Concept (PoC)
    A vulnerability is only as good as its proof of concept. To get your report accepted, you need a clear, reproducible PoC. For an XSS vulnerability, provide the payload and a screenshot of the executed JavaScript.

Example for reflected XSS:

<script>alert(document.cookie)</script>

If the application filters input, try obfuscation:

<IMG SRC=jAVasCrIPt:alert('XSS')>

For command injection on a Linux target, test with:

; whoami
| id
|| ping -c 10 127.0.0.1 

Capture the output using Burp Collaborator or a netcat listener:

nc -lvnp 4444

5. Phase 5: Privilege Escalation and Chaining Vulnerabilities

To maximize impact, chain low-severity issues to achieve critical access. For example, combine a subdomain takeover with an XSS on the main domain. First, check for dangling DNS records using `dnsrecon` or nslookup.

Step-by-step guide:

 Check for CNAME pointing to a discontinued service
nslookup takeover.target.com
 If it points to a cloud service (e.g., AWS S3, GitHub Pages) that no longer exists, attempt to claim it.

On Windows targets, if you have initial access, use built-in commands to enumerate privileges:

whoami /priv
net user
systeminfo

For Linux, use:

sudo -l
find / -perm -4000 2>/dev/null
cat /etc/passwd

6. Phase 6: Writing the Perfect Bug Report

Your report is your deliverable. A well-structured report increases the likelihood of acceptance and a higher bounty. Include:
– Clear and concise (e.g., “IDOR allows unauthorized access to other users’ payment details”).
– Description: Explain the vulnerability, its location, and potential impact.
– Steps to Reproduce: Bulleted or numbered steps with HTTP requests and responses.
– Proof of Concept: Screenshots, videos, or code snippets.
– Impact: Describe what an attacker could achieve (e.g., data breach, account takeover).
– Remediation: Suggest a fix (e.g., “Implement proper access controls on the API endpoint”).

Sample report snippet:

Vulnerability: IDOR on /api/v1/order/{id}
Description: The endpoint does not verify if the authenticated user owns the requested order. By changing the `id` parameter, an attacker can view any order’s details, including customer PII.
Steps:
1. Log in as user A.
2. Intercept the request to /api/v1/order/1001.
3. Change the ID to 1002 and forward.
4. Observe that order details for user B are returned.
Impact: Exposure of sensitive customer data (addresses, payment methods).
Remediation: Implement ownership checks on the server side.

What Undercode Say:

  • Key Takeaway 1: Success in bug bounty is not about luck but about a repeatable methodology—reconnaissance, automation, and manual testing must work in tandem.
  • Key Takeaway 2: Collaboration amplifies results; working with a partner like Bavly and Zeyad did allows for coverage of more attack surfaces and cross-validation of findings.

The story of two hackers climbing to the top of a Hall of Fame with ten valid reports on a single program is a testament to the power of persistence and structured testing. In an era where bug bounty platforms are crowded, the winners are those who treat each target as a long-term engagement, not a one-off lottery. They invest time in understanding the application’s business logic, map its entire digital footprint, and meticulously document every anomaly. This approach not only yields more vulnerabilities but also builds a reputation that leads to private invites and higher rewards.

Prediction:

As bug bounty programs mature, we will see a shift toward specialization—hackers focusing on single programs or verticals (like fintech or healthcare) to achieve “Interstellar Specialist” status. AI-assisted reconnaissance and automated vulnerability chaining will become standard, but human creativity in identifying logic flaws will remain irreplaceable. The competition will intensify, making collaboration and methodological rigor the only sustainable paths to the top of the Hall of Fame.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Bavly Z – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky