Bug hunting through sleep, subdomains, and surprises
Hey folks!
After spending a few hours hunting and reporting a .git exposure via CloudFront, I got back to my primary target to continue digging. If you missed that earlier write-up, you can check it out here:
How I found an exposed .git/config on a CloudFront-backed subdomain by staying persistent through dead ends.
I began with a basic recon routine — checking which subdomains were alive:
subfinder -d target.com --all --recursive | httpx
One subdomain stood out. I opened it in the browser and saw a plain message:
Cannot GET /
A boring 404 to most people — but to me, that’s a signal to dig deeper. I launched dirsearch to check for any hidden files or directories:
dirsearch -u https://sub.target.com -f -F -x 403 -t 3
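From the defender's side, a run like the one above appears in the web server's access log as one client requesting many distinct paths that almost all miss. The following is an added example, not code from the original post: the function name, thresholds and log lines are constructed for illustration. It counts distinct paths and miss ratio per client rather than request rate, since a 3-thread scan can stay under rate limits, and it counts 403s as misses because `-x 403` only hides them from the scanner's output, not from the server log.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (common log format); not from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:00:01 +0000] "GET /admin.php HTTP/1.1" 404 139
203.0.113.7 - - [10/May/2025:10:00:03 +0000] "GET /admin/ HTTP/1.1" 404 139
203.0.113.7 - - [10/May/2025:10:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 139
203.0.113.7 - - [10/May/2025:10:00:07 +0000] "GET /.env HTTP/1.1" 403 162
203.0.113.7 - - [10/May/2025:10:00:09 +0000] "GET /config.json HTTP/1.1" 404 139
203.0.113.7 - - [10/May/2025:10:00:11 +0000] "GET /api/ HTTP/1.1" 200 512
198.51.100.20 - - [10/May/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.20 - - [10/May/2025:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 9000
198.51.100.20 - - [10/May/2025:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 139
198.51.100.20 - - [10/May/2025:10:00:04 +0000] "GET /api/ HTTP/1.1" 200 512
"""

# client, method, path and status from a common/combined log format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_enumerators(log_text, min_paths=5, min_miss_ratio=0.8):
    """Return {client_ip: (distinct_paths, miss_ratio)} for clients whose
    requests look like wordlist-driven content discovery."""
    paths = defaultdict(set)
    misses = defaultdict(int)
    total = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, status = m.groups()
        paths[ip].add(path.split("?", 1)[0])  # ignore query strings
        total[ip] += 1
        if status in ("403", "404"):
            misses[ip] += 1
    flagged = {}
    for ip, count in total.items():
        ratio = misses[ip] / count
        if len(paths[ip]) >= min_paths and ratio >= min_miss_ratio:
            flagged[ip] = (len(paths[ip]), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n_paths, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n_paths} distinct paths, {ratio:.0%} 403/404")
```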