OP 21 February, 2024 - 10:43 PM
Yo, I am a bit new on this forum, without really much activity, and I was thinking that this community has at least something good.
But, to my surprise, no; even the staff of the forum allow scamming.
I want to post this thread and get more opinions from the other members, since the staff doesn't help.
To give you some context, I am offering a web app penetration testing service, to find vulnerabilities and report them. I work as a freelancer at the moment, until I get a serious job; however, I have good knowledge of it, being certified with OSWE (from Offensive Security) and BSCP (from PortSwigger). Because of this, I decided to get some traffic from this forum, to see if I can make some money (I work on other platforms like Upwork).
And what I discovered is that on this forum the staff allows people to scam.
Story:
A guy contacted me on my Discord, being interested in my service. My main service was penetration testing: you pay me to do a penetration test and report the bugs in a PDF, and that's it. I have 3 plans: one using automated tools (15$), manual (50$), and advanced, which also includes phishing attacks (90$). BUT he contacted me with this offer: you find vulnerabilities on my website, and I pay you 100$.
So, as you can see, he is offering me 100$ min for any vulnerability.
Keep in mind that he didn't have any policy or out-of-scope vulnerabilities, like other websites have. So, all vulnerabilities are valid.
An example:
So, it was good money for me: I can find any vulnerability that I want and be paid, instead of just 50 eur. Keep these things in mind, since they are important along the story.
So, basically I found 2 in like 10 minutes, and I wanted to cash them out. I only tried some basic ones (host header injections, CSRF, clickjacking, CORS, etc.), and I found a clickjacking and a CSRF (on the logout). So, it was good: let's cash them out and continue to find more vulnerabilities.
These 2 vulnerabilities are low risk at the moment. You can do a CSRF to a logout, and you can do clickjacking by injecting iframes. I didn't test the website 100% to try to find more critical ones (like race conditions and business logic, since these take more time to attack).
So, the story continues: we use Liars as middleman, he sends the 200$ to Liars, Liars gets the money, and I sent him the explanation with the PoC of the HTML exploit.
The explanation was really easy: your website is vulnerable to CSRF, since your logout path allows any token/data requests from outside of the website. And the clickjacking basically allows you to inject iframes.
Here is the problem: MR Kevin Mitnick, the most wanted hacker in the world, told me that "since the vulnerability doesn't have a direct impact on the website, it is not a vulnerability".
And I was like
Yeah, the vulnerabilities have low impact, but they are still vulnerabilities, and that was my job, to get paid to find vulnerabilities regardless of their impact, since the min was 100$, as you can see in the screenshots.
So, Kevin Mitnick said that it is not a vulnerability, since it doesn't do anything critical/harmful against the website.
And here comes MR ROBOT (aka @Liars), the most mysterious hacker in the world, trying to argue why I am not going to be paid, and he completely refused to send me the money:
Now, if you know the context, you see that this is complete nonsense. First of all, clickjacking is a vulnerability, because the website allows iframe injection: https://www.google.com/url?sa=t&rct=j&q=...i=89978449
And second, even if there is no impact, CSRF is still a vulnerability, and I have to be paid for that.
Again, after explaining to Mr Robot (because Mr Robot has more knowledge than a certified ethical hacker like me), we didn't get anywhere.
So, I contacted KSZ. Now, I don't know how to describe him; his reading comprehension is 0, like my vulnerabilities (his opinion).
So, I explained all the context: look, I contacted this guy, Liars did x, we agreed to do x, the guy has to pay me x, bla bla. And he completely ignored it, requested the PoCs from me 20 times, I uploaded them on YouTube, he then requested me to explain it, when I had already explained how it works, and doing the same shit 20 times. SPOILER: it was useless, Liars in the end refunded the guy.
You are arguing for no reason. First, you claimed that Liars works for Mia so he decided in his favor; now that a neutral person has checked it, you should accept the decision. Multiple experts have confirmed that the reported vuln doesn't have an impact on his business; all the vuln can do is log out a user on a suspicious link u would create. How does that affect his business? He can just log back in (provided a user first clicks your link). We have confirmed he didn't patch this vuln as we were able to reproduce it. Written by KSZ
These were the final words from KSZ. If you read carefully, you can see: "that the reported vuln doesn't". As you can see, I was right, it was a vulnerability, not like Kevin Mitnick said, since it does not directly impact the website askdjsakda, it is not a vulnerability. And this was all; this was the story of how I got scammed 200$ and the staff completely ignored it.
Things to keep in mind too:
1. I offered the guy the option to do a pentest and find all the vulnerabilities that I can for the 200$, since I didn't want more money anymore; he completely ignored it:
2. After I reported the vulnerabilities, HE PATCHED THE VULNERABILITIES, so I did my job for free? Or what, you said that they have low impact, but then you say that u patched it?
3. He removed me from the group + deleted all the conversation to hide his shit:
So, what do you think? Am I living in the Matrix or not?
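
Added example, not part of the original post: a Python check a site owner can run over captured response data to see whether the two issues reported in the post (unrestricted framing, and a logout that other sites can trigger) are mitigated. The function names, parameters and sample headers are assumptions constructed for illustration.

```python
"""Added example: audit captured responses for the two findings in the post."""
from http.cookies import SimpleCookie

BROAD_SOURCES = ("*", "http:", "https:")  # these let any origin frame the page

def framing_protection(headers):
    """Return the anti-clickjacking controls declared in response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    controls = []
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        controls.append("x-frame-options=" + xfo)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if sources and not any(s in BROAD_SOURCES for s in sources):
                controls.append("frame-ancestors " + " ".join(sources))
    return controls

def logout_csrf_findings(method, has_csrf_token, set_cookie):
    """List the weaknesses that let another site trigger this logout."""
    findings = []
    if method.upper() in ("GET", "HEAD"):
        findings.append("state change on a safe method")
    if not has_csrf_token:
        findings.append("no anti-CSRF token")
    jar = SimpleCookie()
    jar.load(set_cookie)  # Set-Cookie value that issued the session cookie
    for name, morsel in jar.items():
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append(f"cookie {name} lacks SameSite=Lax/Strict")
    return findings

# Constructed sample data, not captured from the site in the post.
WEAK = {"Content-Type": "text/html"}
HARDENED = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}

if __name__ == "__main__":
    print(framing_protection(WEAK))
    print(framing_protection(HARDENED))
    print(logout_csrf_findings("GET", False, "session=abc; Path=/; HttpOnly"))
    print(logout_csrf_findings("POST", True,
                               "session=abc; Path=/; HttpOnly; SameSite=Lax"))
```

An empty list from `framing_protection` means the page can be framed by any origin; an empty list from `logout_csrf_findings` means the logout request carries the usual cross-site protections.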