Hunters, DarkShadow here!
One liner for finding files
subfinder -d domain.com -silent | \
while read host; do \
for path in /config.js /config.json /app/config.js /settings.json /database.json /firebase.json /.env /.env.production /api_keys.json /credentials.json /secrets.json /google-services.json /package.json /package-lock.json /composer.json /pom.xml /docker-compose.yml /manifest.json /service-worker.js; do \
echo "$host$path"; \
done; \
done | httpx -mc 200
#bugbountytips
❤29👨💻3🗿3🔥2
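How the sweep in the one-liner above looks from the server side, as an added example that is not part of the original post: it parses combined-format access log lines, flags clients that request many of the listed paths, and reports which of those paths answered 200. The log lines, IP addresses, threshold and the `EXPECTED_PUBLIC` set are constructed assumptions.

```python
import re
from collections import defaultdict

# Paths copied from the one-liner in the post above.
SENSITIVE_PATHS = set("""
/config.js /config.json /app/config.js /settings.json /database.json
/firebase.json /.env /.env.production /api_keys.json /credentials.json
/secrets.json /google-services.json /package.json /package-lock.json
/composer.json /pom.xml /docker-compose.yml /manifest.json /service-worker.js
""".split())
# Assumption: these two are meant to be fetched by browsers, so a 200 is expected.
EXPECTED_PUBLIC = {"/manifest.json", "/service-worker.js"}

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def analyze(lines, sweep_threshold=5):
    """Return (sweepers, exposures).
    sweepers:  {client_ip: sorted sensitive paths} for clients that requested
               at least sweep_threshold distinct paths from the list.
    exposures: sorted sensitive paths served with 200 (what `httpx -mc 200`
               would report), excluding the expected-public ones.
    """
    probes, exposures = defaultdict(set), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path not in SENSITIVE_PATHS:
            continue
        probes[ip].add(path)
        if status == "200" and path not in EXPECTED_PUBLIC:
            exposures.add(path)
    sweepers = {ip: sorted(p) for ip, p in probes.items() if len(p) >= sweep_threshold}
    return sweepers, sorted(exposures)

# Constructed sample: one client sweeping the list, one ordinary browser.
_ROWS = [("203.0.113.7", p, s) for p, s in [
    ("/config.js", 404), ("/.env", 200), ("/secrets.json", 404),
    ("/package.json", 200), ("/docker-compose.yml", 404), ("/manifest.json", 200)]]
_ROWS += [("198.51.100.20", "/manifest.json", 200), ("198.51.100.20", "/index.html", 200)]
SAMPLE_LOG = ["not a log line"] + [
    f'{ip} - - [10/Oct/2025:13:55:36 +0000] "GET {p} HTTP/1.1" {s} 512'
    for ip, p, s in _ROWS]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any path in the exposures list should return 404 or 403 from the public web root; the sweepers list is a candidate for rate limiting or alerting.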
Hunters, the vulnerability was SSRF loading AWS cloud access.
and effects:
IITE – Institute of Information Technology & Education: Access to confidential student information, assessment data, and internal records.
MUHS – Maharashtra University of Health Sciences: Exposure of examination content, student records, and academic documents.
GSEB – Gujarat Secondary & Higher Secondary Education Board: Exposure of sensitive student records, exam papers, hall tickets, and related educational data.
RGUHS – Rajiv Gandhi University of Health Sciences: Access to examination papers, student records, and other confidential academic information.
I have a video PoC. Wanna see how I was able to exploit this bug!?
And don't forget to follow me 👉🏼 x.com/darkshadow2bd
#ssrf
👏10👍3🫡2🔥1
✨List of Awesome Red Team / Red Teaming Resources. This list is for anyone wishing to learn about Red Teaming but do not have a starting point.
https://github.com/0xMrNiko/Awesome-Red-Teaming
❤8🤝1
Hey Hunters,
DarkShadow here back again, just look at this one crazy boolean SQLi.
Tip: never forget to test boolean SQLi even if it is a .json file parameter
Sometimes .json files load SQLi. So, it's not necessary that we hunt only PHP file parameters.
#sqli #bugbountytips
🔥12❤6👍3🗿3🤝2🐳1👨💻1
⚡Google Dorks - Cloud Storage:
site:s3.amazonaws.com "target[.]com"
site:blob.core.windows.net "target[.]com"
site:googleapis.com "target[.]com"
site:drive.google.com "target[.]com"
👉Find buckets and sensitive data.
Combine:
site:s3.amazonaws.com | site:blob.core.windows.net | site:googleapis.com | site:drive.google.com "target[.]com"
Add something to narrow the results: "confidential" "privileged" "not for public release"
✅Credit- Mike Takahashi
#recon #bugbountytips #infosec #seo #dork
🔥16❤9🗿4👍3
Bug Bounty Tips - Asset Discovery
1. Expand Your Scope: Hunt Beyond the Obvious
Check if the target has acquired any other brands or services. Tools like Crunchbase, Google, or even Wikipedia can reveal mergers or new wings that broaden your attack surface. Don’t just assume static assets—verify recent acquisitions are still valid.
2. Map the Network with ASN Enumeration
Find the Autonomous System numbers tied to an organization—they reveal IP ranges and network structure. Start manually with Hurricane Electric’s BGP Toolkit or regional registries like APNIC, ARIN, RIPE, etc. Then use OWASP Amass’s intel module to automate discovery of domains related to those ASNs or the organization itself:
amass intel -org <org-name>
amass intel -asn <asn>
3. Dig with Reverse WHOIS
Reverse WHOIS tools let you find other domains owned by the same entity using organization trademarks or contact info. Try services like Whoxy, ReverseWhois.io, DomainEye, or domainIQ. For automation, use DomLink or Whoxy API scripts to recursively map domains.
4. Track Shared IDs & Marketing Tags
Companies often sprinkle identical tracking codes across platforms—think Google Analytics or AdSense. Tools like BuiltWith, PublicWWW, or SpyOnWeb can help you trace those tags to uncover linked apps or unpublished properties.
5. Go Old-School with Google Dorking
Sometimes the simplest queries yield gems. Scan for snippets of copyright texts, legal boilerplates, or policy language spread across subdomains. Example:
"© 2025 YourCompanyName" -site:*.example.com inurl:privacy
You can adapt this with operators for Bing or DuckDuckGo, too.
6. Hunt Devices with Shodan
Shodan isn’t just for IoT—it’ll show you all internet-exposed assets related to the target’s org or domain. Try filters like:
org:<organization-name>
hostname:<domain>
You might find forgotten services, management dashboards, or exposed endpoints that go under the radar.
2❤19👍6🔥5🙏1
🔥 Brut Practical Web Pentesting with concepts of Bug Bounty 🔥
Learn to Hack. Defend. Earn.
✔️ Deep Dive into Advanced Vulnerabilities
✔️ Real-World Bug Bounty Methodologies
✔️ Hands-on Labs & Practical Scenarios
✔️ Recon to Exploitation & Post-Exploitation
✔️ Reporting & Professional Pentest Approach
📅 New Batch Starts Soon
💻 Online Live Classes
👨🏫 Trainer: Saumadip (Brut Security)
✨ DM: @wtf_brut
📱 Whatsapp: +918945971332
📧 [email protected]
🌐 brutsec.com
#bugbounty #pentesting #ethicalhacking #cybersecurity
❤10🔥3🗿1
🔸An automated recon tool for asset discovery and vulnerability scanning using open-source tools. Supports XSS, SQLi, LFI, RCE, IIS, Open Redirect, Swagger UI, .git exposures and more.
✅https://github.com/rix4uni/GarudRecon
❤14🤝5👍1
Hey Hunters,
If you wanna edit your terminal shell, then use fish shell!
Install fish shell👉🏼 apt install fish
Edit the config file for customization👇🏼
~/.config/fish/config.fish
And edit this code according to your requirements and add it:
#shell
functions -e fish_right_prompt
function fish_prompt
    set_color $fish_color_cwd
    echo -n (path basename $PWD)
    set_color normal
    echo -n ' ⚡🌒☩Dakr❯ '
end
~DarkShadow
❤8👨💻4🔥2
🚀 Looking for Professional Cybersecurity Support?
At Brut Security, we specialize in penetration testing, vulnerability assessment, and cybersecurity training. With years of experience working with both government and private organizations, we help businesses secure their digital assets and train teams to stay ahead of evolving threats.
🔐 Our Services:
• VAPT (Web, Mobile, Network, Cloud): Identify and fix vulnerabilities before attackers exploit them.
• Bug Bounty Style Pentesting: Real-world attack simulation with detailed reporting and remediation support.
• Cybersecurity Training: Hands-on programs in Ethical Hacking, Web Pentesting, Forensics, and OSINT—customized for individuals, corporates, and academic institutions.
💡 Why Choose Us?
• Tested and trusted by 2000+ students and multiple organizations.
• Practical, results-driven approach with clear documentation.
• Flexible engagement—short-term projects, long-term partnerships, or tailored workshops.
📩 Let’s Collaborate
If you need your systems tested or want your team trained by industry experts, reach out to us today.
🌐 brutsec.com
📱 https://wa.link/brutsecurity
📧 [email protected]
1❤7🔥2🗿1
Hey Hunters,
DarkShadow here back again!
Tip:
1. Open the target in your Burp and browse as a normal user.
2. Go to proxy history and filter only JS files.
3. Search for these keywords:
🔍 main, app, runtime, bundle, polyfills, auth, config, settings, local, dev, data, api, session, user, core, client, server, utils, base
These files are a gold mine to find vulnerabilities like:
1. Authentication bypass
2. Sensitive info leaks
3. Hardcoded credentials
4. Config/env file disclosure
5. Hidden login portals
6. JWT secrets & API keys
7. Outdated services that lead to a CVE to exploit
8. Dependency confusion
9. File upload endpoints
10. RFI → RCE
11. Open redirection
12. DOM-based XSS
13. WebSocket endpoints
14. Hidden parameters
15. IDOR
So guys show your love and stay with us and follow x.com/darkshadow2bd
1❤23👍4👏3🗿2🫡1
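A build-side check for two of the finding classes listed above (hardcoded credentials, and JWTs and API keys in shipped JavaScript), added here as an example and not part of the original post. The patterns, placeholder list, file names and sample contents are assumptions; the AWS value is the example key ID from AWS documentation.

```python
import re

# Detectors for items 3 and 6 of the list above. The credential pattern is an
# assumption about naming conventions; tune it to your own code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{5,}\.eyJ[\w-]{5,}\.[\w-]{5,}"),
    "hardcoded_credential": re.compile(
        r"""[\w$]*(?:password|secret|api[_-]?key|token)[\w$]*\s*[:=]\s*["']([^"']{8,})["']""",
        re.I),
}
# Values that are clearly placeholders and should not fail a build.
PLACEHOLDER = re.compile(r"^(changeme|your[_-].*|x+|<.*>|\$\{.*\})$", re.I)

def scan_bundle(name, text):
    """Return sorted (file, line_no, kind) findings for one JavaScript file."""
    findings = set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if kind == "hardcoded_credential" and PLACEHOLDER.match(m.group(1)):
                    continue  # e.g. apiKey: "YOUR_API_KEY"
                findings.add((name, line_no, kind))
    return sorted(findings)

def scan_build(files):
    """files: {name: text}. An empty result means nothing was flagged."""
    return [f for name in sorted(files) for f in scan_bundle(name, files[name])]

# Constructed sample bundles; the JWT is a dummy value.
SAMPLE = {
    "main.js": 'const cfg = {apiKey: "YOUR_API_KEY", region: "eu-west-1"};\n'
               'const awsKey = "AKIAIOSFODNN7EXAMPLE";\n'
               'const jwtSecret = "s3cr3t-signing-value";\n',
    "auth.js": 'fetch("/api", {headers: {Authorization: '
               '"Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"}});\n',
}

if __name__ == "__main__":
    for finding in scan_build(SAMPLE):
        print(finding)
```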