Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



 281

Sad story behind my skills

by Bad_King - 21 February, 2024 - 10:43 PM
This post is by a banned member (Bad_King) - Unhide
Bad_King  
Infinity
214
Posts
38
Threads
1 Year of service
#1
Yo, I am a bit new on this forum, not having really much activity, and I was thinking that this community have at least something good.
But, for my surprise not, even the staff of the forum allowing to scam.
I want to post this thread, and get more opinions about the other members, since the staff doesnt help.
I will put you on context, I am offerring a web app penetration service, to find vulnerabilitys and report it. I work as a free lancer at the moment, until a get a serious job, horever, I have good knowledge on it, being certified from OSWE (from Offensive Secuirty) and BSCP(from PortSwigger). Since this, I decided to get some traffic from this forum, to see if I make some money(I work on other platforums like upwork).
And, what I discovered, is that this forum the staff allows people to scam.

Story:
A guy contacted me on my discord, being interested on my service, my main service was penetration testing, you pay me, to do a penetration test, report the bugs on a pdf and thats it. I have 3 plans, one using automated tools(15$) (manual(50$) and advanced that includes also phishing attacks(90$). BUT, he contacted me with this offer, you find on my website vulnerabilitys, and I pay you, 100$.
[Image: scammer1.jpg]
[Image: scammer2.jpg]
So, as you can see, he is offering me 100$ min for any vulnerability.
Keep in mind, that he didnt had any policy, or out of scope vulnerabilitys, like other website has. So, all vulnerabilitys are valid.
A example:
[Image: Screenshot-2024-02-21-20-35-11.png]
So, it was good money for me, I can find any vulnerability that I want, and be paid. Instead of just 50 eur. Keep this things in mind, since is important along the story.
So, basically I found 2 in like 10 minutes, and I wanted to cashout them. I only tryed some basic ones, host header inyections, csrf, clickjacking, CORS, etc, and I found a clickjacking and a CSRF(on the logout). So, it was good, lets cashout them a continue to find more vulnerabilitys.
This 2 vulnerabilitys are low risk at the moment. You can do a CSRF to a logout, and you can make a clickjacking inyecting iframes. I I didnt tested the website the 100%, to try to find more criticals ones(like rance conditions, bussines logics, since this takes more time to do the attack).
So, the story continues, we use Liars as middleman, he sends the 200$ to Liars, Liars gets the money, and I sent him the explanation with the PoC of the html exploit.
The explanation was really easy, your website is vulnerable to CSRF, since your logout path, allows any token/data requests outside of the website. And the clickjacking basically allows you to inyect iframes.
Here is the problem, MR Kevin Mitnick, the most hacker wanted on the world, sayed me that "since the vulnerability doesnt have a directly impact on the website, is not a vulnerability" [Image: wack.png]
And I was like [Image: who.png]
Yeah, the vulnerabilitys has low impact, but still being a vulnerability, and that was my job, to get paid to find vulnerabilitys regardless of its impact, since the min was 100$ as you can see on the screenshoots.
So, Kevin Mitnick sayed, thats is not a vulnerability, since doesnt have any critical/harmfull against the website. [Image: wack.png]
[Image: exposed.jpg]

And here comes MR ROBOT (aka @Liars) the most misterous hacker on the world, try to argument, why I dont gonna be paid, and he completly refused to send me the money:
[Image: scammer3.jpg]
Now, if you know the context, you see that this is a completly nosense, first of all clickjacking is a vulnerability, because the website allows iframes inyection: https://www.google.com/url?sa=t&rct=j&q=...i=89978449
And second, even if there is no impact, CSRF still being a vulnerability, and I have to be paid for that.
Again, after explaining to mr robot, (because mr robot have more knowledge than a ethical hacker certified like me), we didn't get to any point.
So, I contacted KSZ, now, I dont know how to describe him, his reading comprehension is 0, like my vulnerabilitys(his opinion) [Image: kek.png]
So, I explained all the context, look, I contacted this guy, liars did x, we agree to do x, the guy have to pay me x bla bla. And he completly ingored it, requested me 20 times the PoCs, I uploaded them on youtube, he requested me then to explain it, where I already explained it how it works, and doing the same shit 20 times. SPOILER: t was useless, Liars at the end refunded the guy.
You are arguing for no reason, first, you claimed that liars work for Mia so he decided in his favor, now that a neutral person has checked it, you should accept the decision. Multiple experts have confirmed that the reported vuln doesnt have an impact on his business, all the vuln can do is log out a user on a suspicious link u would create, how does that affect his business, he can just log back in (provided a user first clicks your link). We have confirmed he didn't patch this vuln as we were able to reproduce it. Wrote by KSZ
These was the final words fro KSZ. if you read carefully, you can see: "that the reported vuln doesnt" as you can see, I was right, it was a vulnerability. not like Kevin Mitnick sayed, since is not directly to the website impact askdjsakda, is not a vulnerability. And this was all, this was the story on how I got scammed 200$ and the staff completly ingored it.

Things to keep in mind too:
1. I offered to the guy, the option to do a pentest and find all the vulnerabilitys that I can for the 200$, since I didnt want more money anymore, he completly ignored it:
2. After I repoted the vulnerabilitys, HE PATCHED THE VULNERABILITYS, so I did my job for free? Or what, you sayed that have low impact, but then you say that u patched it?
[Image: deleted-conver.jpg]
3.He removed me from the group + deleted all the conversation to hide his shit:
[Image: deleted4.jpg]



So, what you think? I am living on the matrix or not?
This post is by a banned member (KSZ) - Unhide
KSZ  
Administrators
4.774
Posts
54
Threads
Staff Team
6 Years of service
#2
I don't have to respond here because your reputation points speak for themselves on how good of a "certified" pentester you are.

The deal was 100$ min, depending on how severe a vulnerability is, in this case, the deal was vague so the interpretation of "severe" was up to the mediator, in this case, the middleman. Let's come to vulns reported:

1. The first vuln you reported was where the attacker could create a self-hosted link and if their user clicks it, he will be logged out of the website, now this isn't an eligible report for the bounty because we can't see how this causes a loss to the website owner or why their customer would even click your link. Even the other website you referenced in this thread would not have paid you for it, as per their terms: https://i.imgur.com/b7UcbKd.png
You further claimed that the user had patched the vuln on your report, but we verified that he didn't patch it by trying to reproduce the report (however you are failing to reproduce it which is a skill issue but that doesn't mean he patched it).

2. You reported a vuln that you didn't have a POC for or was just your imagination.

Hence, in the end, I decided that no payment was due, you are trying to exploit the "100$ minimum" phrase without taking into account the word "severe", if the severity is zero for the website owner, the minimum amount isn't due. (2nd payment was denied based on non-availability of a valid poc).

Since this was an extensive thread, no further replies are needed from you, so this thread will now be closed as the decision won't be changed and I hope all your customers read this thread before using your service.
For account recoveries and 2fa issues, contact @Liars or @Darkness
For any upgrade-related issues, please private message me on-site.


Alert: Replies may take up to 48 hours.

[Image: I4kF791.gif]

Important note: Do not private message me for IntenseProxy support, instead send an email to [email protected]
 

 

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: 1 Guest(s)