Wiz Bug Bounty
Bug bounty masterclass covering exposed databases, SSRF, subdomain takeover, blind XSS, GitHub secret leaks, Spring Boot heapdump, and session confusion ATO.
Open Deepseek Database
You've been given a target URL. Rumor has it there's an exposed database somewhere on this server - left wide open without authentication.
Based on a real critical finding from January 2025 that exposed sensitive AI company data to the internet.
Your mission, should you choose to accept it: scan the target, find the database, and extract the flag.
Challenge URL: deepleak.bugbountymasterclass.com
naabu -host deepleak.bugbountymasterclass.com -p 1-10000
                  __
  ___  ___  ___ _/ /  __ __
 / _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/ v2.0.5

		projectdiscovery.io
Use with caution. You are responsible for your actions
Developers assume no liability and are not responsible for any misuse or damage.
[INF] Running SYN scan with root privileges
[INF] Found 6 ports on host deepleak.bugbountymasterclass.com (172.105.91.123)
deepleak.bugbountymasterclass.com:9090
deepleak.bugbountymasterclass.com:22
deepleak.bugbountymasterclass.com:8123
deepleak.bugbountymasterclass.com:443
deepleak.bugbountymasterclass.com:80
deepleak.bugbountymasterclass.com:9000

flag
WIZFLAG-congrats_on_hacking_a_database
Major Airline Data Dump
You've been given access to a major airline's booking system. Word on the street is that the developers left something exposed that reveals more than it should - and once you find it, the doors to sensitive passenger data might just swing wide open.
Based on a real critical finding that exposed thousands of passengers' personal information, booking details, and flight itineraries.
Your mission, should you choose to accept it: explore the target, find what the developers forgot to hide, and extract the flag.
Challenge URL: airline.bugbountymasterclass.com
feroxbuster -u https://airlines.bugbountymasterclass.com/
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.12.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://airlines.bugbountymasterclass.com/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.12.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 10l 15w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 245l 555w 6928c https://airlines.bugbountymasterclass.com/
301 GET 10l 15w 154c https://airlines.bugbountymasterclass.com/docs => https://airlines.bugbountymasterclass.com/docs/
200 GET 81l 289w 3106c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 1l 1w 51c https://airlines.bugbountymasterclass.com/health
301 GET 10l 15w 154c https://airlines.bugbountymasterclass.com/Docs => https://airlines.bugbountymasterclass.com/Docs/
200 GET 1l 1w 51c https://airlines.bugbountymasterclass.com/Health
200 GET 202l 1581w 11358c https://airlines.bugbountymasterclass.com/docs/LICENSE
200 GET 202l 1581w 11358c https://airlines.bugbountymasterclass.com/Docs/LICENSE
301 GET 10l 15w 154c https://airlines.bugbountymasterclass.com/DOCS => https://airlines.bugbountymasterclass.com/DOCS/


flag
WIZFLAG-exposed-passenger-data-leak
Domain Registrar Data Exposure
You've landed on a domain registrar's website. Sometimes the simplest things get overlooked - a forgotten folder, a directory left accessible, files that were never meant to see the light of day.
Based on a real critical finding at a major domain registrar that exposed sensitive customer data and internal business documents.
Your mission, should you choose to accept it: dig around, find what's hiding in plain sight, and extract the flag.
Challenge URL: http://shark.bugbountymasterclass.com/
feroxbuster -u https://shark.bugbountymasterclass.com/
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.12.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://shark.bugbountymasterclass.com/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.12.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 11w 153c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 132l 274w 3587c https://shark.bugbountymasterclass.com/
301 GET 7l 12w 178c https://shark.bugbountymasterclass.com/uploads => https://shark.bugbountymasterclass.com/uploads/
200 GET 177l 942w 70472c https://shark.bugbountymasterclass.com/uploads/jira-stats-158528484.txt
200 GET 78l 558w 46539c https://shark.bugbountymasterclass.com/uploads/jira-stats-158515697.txt
200 GET 68l 383w 27799c https://shark.bugbountymasterclass.com/uploads/jira-stats-158505427.txt
200 GET 142l 864w 66850c https://shark.bugbountymasterclass.com/uploads/jira-stats-158526543.txt
200 GET 115l 734w 55655c https://shark.bugbountymasterclass.com/uploads/jira-stats-158520029.txt
200 GET 137l 887w 68481c https://shark.bugbountymasterclass.com/uploads/jira-stats-158527927.txt
200 GET 46l 265w 20516c https://shark.bugbountymasterclass.com/uploads/jira-stats-158501142.txt
200 GET 152l 908w 72543c https://shark.bugbountymasterclass.com/uploads/jira-stats-158529125.txt
200 GET 5l 51w 3248c https://shark.bugbountymasterclass.com/uploads/shark-db.z
unzip shark-db.zip -d shark-db
Archive: shark-db.zip
  inflating: shark-db/shark-db.sql
cd shark-db
cat shark-db.sql
flag
WIZFLAG-directory_brute_force_exposed_massive_pii_leak
Logistics Company Admin Panel Compromise
A major logistics company handles shipping for thousands of businesses worldwide.
Their platform allows customers to track packages, submit support requests, and manage shipments.
During a bug bounty engagement, I noticed something interesting about how customer-submitted data was being processed. The data wasn't just stored - it was being viewed somewhere else.
The company has a support system where customers can submit inquiries. Somewhere on the backend, staff members review these submissions.
Your mission, should you choose to accept it: gain access to the admin panel and capture the flag.
Challenge URL: https://logistics.bugbountymasterclass.com/


flag
WIZFLAG-blind-xss-vulnerability-exploited
Root Domain Takeover on Fintech Company
You're investigating a fintech company's infrastructure. Their DNS records are pointing somewhere - but is anyone still home? When companies migrate services or shut down resources, sometimes the DNS sticks around longer than it should.
Based on a real critical finding where an expired domain record allowed complete takeover of a fintech company's domain.
Your mission, should you choose to accept it: investigate the DNS, find the unclaimed resource, and claim your flag.
Challenge URL: https://www.fintech.bugbountymasterclass.com/

flag
WIZFLAG-subdomain-takeover-s3-bucket-misconfiguration
SSRF Vulnerability on Major Gaming Company
You've found a gaming company's content service that fetches resources from URLs you provide. But what happens when you point it somewhere the developers never intended - like the server's own internal network?
Based on a real critical finding that allowed access to internal cloud infrastructure and sensitive credentials at a major gaming company.
Your mission, should you choose to accept it: trick the server into making requests it shouldn't, reach what's hidden inside, and extract the flag.
Challenge URL: https://content-service.bugbountymasterclass.com/
feroxbuster -u https://content-service.bugbountymasterclass.com
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.12.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ https://content-service.bugbountymasterclass.com
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.12.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 5l 31w 207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 385l 895w 13066c https://content-service.bugbountymasterclass.com/
200 GET 1l 1w 126c https://content-service.bugbountymasterclass.com/sheriff
- Scan with Burp as well.
- It pulls a file from the URL we supply, so we directed it to localhost, which gives away the flag.
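The server-side check whose absence makes this work, as an added example (not code from the challenge or its author): a URL guard for a fetch service that resolves the host and refuses loopback, private, link-local and IPv4-mapped answers. The hostnames and addresses in SAMPLE_DNS are constructed, and `check_fetch_url`, `sample_resolver` and `verdict` are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_all(host, port):
    # Default resolver: every address the OS returns for host.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_internal(addr):
    """True for loopback, private, link-local and other non-global space."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                        # ::ffff:127.0.0.1 -> 127.0.0.1
    return not ip.is_global

def check_fetch_url(url, resolver=resolve_all):
    """Return (host, pinned_ip, port); connect to pinned_ip, never re-resolve."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    if not addrs:
        raise ValueError("host does not resolve")
    # Reject when ANY answer is internal, so a mixed answer set cannot slip by.
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        raise ValueError("resolves to internal address " + bad[0])
    return parts.hostname, addrs[0], port

# Constructed sample data: hypothetical names and the answers they resolve to.
SAMPLE_DNS = {
    "cdn.example.org": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.example.org": ["169.254.169.254"],
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],
    "mapped.example.org": ["::ffff:127.0.0.1"],
}

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])

def verdict(url, resolver=sample_resolver):
    try:
        return "allow -> " + check_fetch_url(url, resolver)[1]
    except ValueError as exc:
        return "block: " + str(exc)
```

Run the same check again on every redirect hop, since a permitted host can redirect to an internal one.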

flag
WIZFLAG-ssrf-vulnerability-exploited
Github Authentication Bypass on Major CRM
You're investigating a major CRM company. Developers often reference their work domains in code, configs, and scripts - and sometimes those files end up in personal GitHub repositories with more than just the domain name.
Search for "bugbountymasterclass.com" on GitHub and see what you can find.
Based on a real critical finding where exposed credentials in an employee's public repository led to unauthorized access to a major CRM's internal systems.
Your mission, should you choose to accept it: find what an employee accidentally committed, and extract the flag.
Challenge URL: https://github.enterprise.bugbountymasterclass.com/
- Search GitHub for bugbountymasterclass.com
flag
WIZ-FLAG-secrets_are_fun
Breaking into a Major Bank
You're testing a major bank's web application. Modern applications often expose debugging and monitoring endpoints that developers forget to lock down in production. These endpoints can leak far more than performance metrics - sometimes they dump the entire application's memory.
Based on a real critical finding at a major financial institution where exposed debugging endpoints leaked credentials and internal secrets.
Your mission, should you choose to accept it: find the exposed endpoint, dig through what it reveals, and extract the flag.
Challenge URL: https://bank.bugbountymasterclass.com/
nuclei -u https://bank.bugbountymasterclass.com/
                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/   v2.9.14

		projectdiscovery.io
[WRN] Found 2222 templates with syntax error (use -validate flag for further examination)
[WRN] Found 1 templates with runtime error (use -validate flag for further examination)
[INF] Current nuclei version: v2.9.14 (outdated)
[INF] Current nuclei-templates version: v10.3.7 (latest)
[INF] New templates added in latest release: 102
[INF] Templates loaded for current scan: 9623
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1945 (Reduced 1800 Requests)
[nginx-version] [http] [info] https://bank.bugbountymasterclass.com/ [nginx/1.24.0]
[xss-deprecated-header] [http] [info] https://bank.bugbountymasterclass.com/ [1; mode=block]
[tech-detect:nginx] [http] [info] https://bank.bugbountymasterclass.com/
[ssl-dns-names] [ssl] [info] bank.bugbountymasterclass.com:443 [bank.bugbountymasterclass.com]
[ssl-issuer] [ssl] [info] bank.bugbountymasterclass.com:443 [Let's Encrypt]
[INF] Using Interactsh Server: oast.me
[springboot-env] [http] [low] https://bank.bugbountymasterclass.com/actuator/env
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:content-security-policy] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:permissions-policy] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:referrer-policy] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:clear-site-data] [http] [info] https://bank.bugbountymasterclass.com/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] https://bank.bugbountymasterclass.com/
[springboot-loggers] [http] [low] https://bank.bugbountymasterclass.com/actuator/loggers
[springboot-caches] [http] [low] https://bank.bugbountymasterclass.com/actuator/caches
[caa-fingerprint] [dns] [info] bank.bugbountymasterclass.com
[springboot-threaddump] [http] [low] https://bank.bugbountymasterclass.com/actuator/threaddump
[springboot-scheduledtasks] [http] [info] https://bank.bugbountymasterclass.com/actuator/scheduledtasks
[springboot-conditions] [http] [low] https://bank.bugbountymasterclass.com/actuator/conditions
[spring-detect] [http] [info] https://bank.bugbountymasterclass.com/error
[springboot-actuator:available-endpoints] [http] [info] https://bank.bugbountymasterclass.com/actuator [configprops,configprops-prefix,env,metrics-requiredMetricName,env-toMatch,health-path,heapdump,mappings,scheduledtasks,threaddump,caches-cache,health,info,metrics,self,beans,caches,conditions,loggers,loggers-name]
[springboot-beans] [http] [low] https://bank.bugbountymasterclass.com/actuator/beans
[springboot-heapdump] [http] [critical] https://bank.bugbountymasterclass.com/actuator/heapdump
[springboot-mappings] [http] [low] https://bank.bugbountymasterclass.com/actuator/mappings
[springboot-configprops] [http] [low] https://bank.bugbountymasterclass.com/actuator/configprops
[springboot-metrics] [http] [low] https://bank.bugbountymasterclass.com/actuator/metrics
[tls-version] [ssl] [info] bank.bugbountymasterclass.com:443 [tls12]
[tls-version] [ssl] [info] bank.bugbountymasterclass.com:443 [tls13]
[waf-detect:nginxgeneric] [http] [info] https://bank.bugbountymasterclass.com/
[options-method] [http] [info] https://bank.bugbountymasterclass.com/ [GET,HEAD,OPTIONS]
- download the heapdump
https://bank.bugbountymasterclass.com/actuator/heapdump
strings heapdump | grep "WIZ"
WIZFLAG-secrets-in-the-heap
WIZFLAG-secrets-in-the-heap!
pattern=WIZFLAG
flag
WIZFLAG-secrets-in-the-heap
0 Click Account Takeover via Cookie Switching
You've discovered a router reseller company running both staging and production environments. But are they really separate?
Based on a real critical finding where improper session management across environments led to complete account takeover without any user interaction.
Your mission, should you choose to accept it: explore both environments, understand how sessions are handled and break into production - use what you learn to extract the flag.
Challenge URL: https://stage.router-resellers.bugbountymasterclass.com
https://prod.router-resellers.bugbountymasterclass.com
- Head over to the staging environment.
- Modify the host to prod.

flag
WIZFLAG-session-confusion-ato
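One way this kind of cross-environment session confusion arises and how to close it, as an added example that is not the challenge's code: it assumes HMAC-signed session cookies (the page does not show the lab's session format), and the keys, claims and function names are constructed for illustration. The weak setup shares one signing key between staging and production; the hardened one uses a key per environment plus an `env` claim that production enforces.

```python
import base64
import hashlib
import hmac
import json

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims, key):
    """Serialize claims and append an HMAC-SHA256 tag: body.tag"""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + tag

def verify(cookie, key, expected_env=None):
    """Return the claims if the tag (and, when given, the env binding) checks out."""
    body, _, tag = cookie.partition(".")
    good = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return None
    claims = json.loads(_unb64(body))
    if expected_env is not None and claims.get("env") != expected_env:
        return None
    return claims

# Constructed keys and user: placeholders, not values from the challenge.
SHARED_KEY = b"one-key-copied-to-both-environments"
STAGE_KEY, PROD_KEY = b"stage-only-key", b"prod-only-key"

def weak_cross_env():
    """Weak setup: same key, no env claim. A staging cookie verifies on prod."""
    cookie = issue({"uid": 1, "role": "admin"}, SHARED_KEY)  # minted by staging
    return verify(cookie, SHARED_KEY)                        # checked by prod

def hardened_cross_env():
    """Hardened: per-environment key plus an env claim that prod enforces."""
    cookie = issue({"uid": 1, "role": "admin", "env": "stage"}, STAGE_KEY)
    return verify(cookie, PROD_KEY, expected_env="prod")

def env_claim_alone():
    """Defense in depth: even with a shared key, the env claim stops reuse."""
    cookie = issue({"uid": 1, "env": "stage"}, SHARED_KEY)
    return verify(cookie, SHARED_KEY, expected_env="prod")
```

Scoping the cookie to the exact host, by omitting a parent-domain `Domain` attribute, also keeps the browser from sending a staging cookie to production in the first place.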