@atikrahman1
Created May 8, 2020 18:09
LIVE MENTOR SESSION: @tomnomnom. I have collected all of the questions and answers from the comments section for my later reading.
INTIGRITI (@intigriti):
🔴 LIVE MENTOR SESSION: @TomNomNom will answer your #BugBounty and tooling questions for the next 4 hours! Comment with your question!
https://twitter.com/intigriti/status/1258729529859768320
Question from @amalmurali47:
"Among the tools that you've created, which one is your favorite?"
============
It's a toss-up between gron (https://github.com/tomnomnom/gron) and unfurl(https://github.com/tomnomnom/unfurl).
Gron because it's become popular way beyond my expectations and I still use it regularly. Unfurl because I didn't realise just how much I needed it until I wrote it.
============
Question from @securinti:
"What quick wins would you suggest to improve the Burp/Bug Bounty workflow for people like me that only have limited experience with programming or bash?"
============
For burp:
* Learn to use intruder with the "Grep - extract" option to quickly check the response to lots of payloads
* Use the proxy match and replace functionality to enable disabled client-side functionality (that's a tip from @Rhynorater :))
In general:
Genuinely: learn enough of a programming language (python, bash, JavaScript, whatever) to be able to test your ideas quickly when tools don't support your use-case. It doesn't have to be pretty, it only has to work.
============
Question from @nil89822110:
"What advice do you give for finding interesting subdomains during recon?"
============
Use findomain or similar to actually find them, then either screenshot them or request them all with a tool like meg
The interesting subdomains are often different from the others; e.g. different response headers, different web server, different IP range / hosting to the others
============
Question from @BugReplay:
"What are your favorite bug bounty #tools, and why?"
============
(1/2) It might seem conceited, but the tools I wrote! I did write them to do exactly what I needed after all ;)
In general I like small, focused tools that integrate well with other tools (and don't print big ASCII banners to stdout :-P). I think it gives me more flexibility.
(2/2) Some of my other favourites though are:
* Burp - ubiquitous and powerful
* Recon-ng - I like its modularity and great included modules
* findomain - very comprehensive
============
Question from @evadon14:
"Do you have any trick or method to find RCE & XSS automatically in Burp Suite?"
============
I don't! If there was an easy way to find them automatically then they'd probably all be gone by now ;)
To help with XSS I do use the Burp reflected parameters plugin to find potential places for it.
For RCE I'm usually looking for functionality that does processing on files
============
Question from @zeroxyele:
"How to get started into the bug bounty? (!)"
============
Watch @InsiderPhD's videos: https://youtube.com/channel/UCPiN9NPjIer8Do9gUFxKv7A
Do Hacker101 https://hacker101.com
Be prepared to fail a lot, then just start trying to find bugs and google the things you don't know.
I also think it's helpful to learn to make things if you don't already know how
============
Question from @streaak:
"What's your monitoring setup like?"
============
I don't really have one / it's completely manual :)
If I was trying to make a living from Bug Bounty I'd have automated something, but I actually really enjoy "manual" recon. A stolen quote, but it fits: I'm trying to build Iron Man, not Ultron :)
============
How to use Burp Suite and other intruder-like tools like a pro?
============
If you want to be a real pro consider training from @agarri_fr, but otherwise: methodically figure out what every feature does and when you should use it. Use the Portswigger labs (https://portswigger.net/web-security) to practice.
There are no shortcuts, I'm afraid!
============
Question from @securinti:
"How do you quickly process / prioritize giant amounts of recon when time is limited (for example: 2k hosts got added during a live event last year, with 3 hours left or so)?"
============
I try to focus on the things that are different.
I request "/" for every host and look at the response headers (especially Server, Set-Cookie, and any 'X-Something' headers) using meg.
I also use waybackurls to try and spot domains that have more entries than others
...screenshots can be useful here too, but sometimes web pages that look the same are completely different underneath - and they take way longer to get than plain HTTP requests :)
============
Question from @KarimPwnz:
"Do you think there should be more dynamic automation through browser extensions?"
============
Absolutely I do! Web apps are incredibly complicated these days and static analysis of JavaScript is incredibly difficult - especially when it's minified.
I think a mixture of browser extensions and scanners using headless browsers will become more common in the near future.
============
Question from @evadon14:
"Any XSS finding tool you have not released yet? Would you like to release it now?"
============
I don't have any unreleased tools! Everything I've ever written for the security space outside of work is on GitHub.
I did write a tool to try and spot reflected XSS while I was on a plane though, you can find it here: https://github.com/tomnomnom/hacks/tree/master/kxss
============
Question from @migueljimeno96:
"How do you keep your param/subdomain/endpoint/header wordlists up to date and relatively small?"
============
I have some manually built lists that I add to when I see something interesting, they stay small purely through the nature of them being manually updated (copy and paste).
Otherwise I try to stay target-specific.
@NahamSec has a great video on that here: https://www.youtube.com/watch?v=QGbTaxtEQlg
============
Question from @nil89822110:
"Can you use bash to do the same thing Burp does in order to become GUI-less?"
============
It's possible! I haven't got there yet though
Burp does some things very well that are hard to do well in the terminal, like the collapsible tree views for target data, easily sortable lists etc.
I also haven't found a recording proxy for the CLI that I like as much as Burp's
============
Question:
What’s your recommended approach to create a specific wordlist for a target?
============
(1/2) For path and query brute-forcing I use a mixture of URLs from waybackurls (and gau! https://github.com/lc/gau), and my burp history and pipe them into unfurl (https://github.com/tomnomnom/unfurl) to extract the bits I want.
(2/2) For more specific things like, for example, API methods I like to use the text from technical docs and JS files to generate them. I have a very simple tool in my hacks repo called tok (https://github.com/tomnomnom/hacks/tree/master/tok) to help extract just the words (or "tokens") from the text
============
Question:
How can I create a wordlist of all the paths and directories using all the urls I got from waybackurls?
============
I use unfurl (https://github.com/tomnomnom/unfurl) to extract the paths :)
If you want each individual part of the path (i.e. /one/two/three is one, two and three separately in the output) you can pipe the output to:
sed -r 's#/#\n#g' | sort -u
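The two wordlist answers above (paths from waybackurls/gau, and the sed split into individual segments) as one stand-alone script. This is an added example, not code from the thread: it uses sed in place of unfurl to pull the path out of each URL, and the URL list is constructed sample input standing in for waybackurls output.

```shell
#!/bin/sh
# Added example (not TomNomNom's code): build two target-specific wordlists
# from a list of URLs: full paths, and the individual path segments.
# Path extraction is done with sed here instead of unfurl so it runs stand-alone.
set -eu

# Keep only the path of each URL: strip scheme and host, then query string and
# fragment; drop empty and "/"-only paths; deduplicate.
url_paths() {
    sed -E 's|^[A-Za-z][A-Za-z0-9+.-]*://[^/]*||; s|[?#].*$||' | grep -v '^/*$' | sort -u
}

# One entry per path segment (/one/two/three -> one, two, three), deduplicated.
# tr is used instead of "sed 's#/#\n#g'" because \n in a sed replacement is a
# GNU extension; the result is the same.
path_segments() {
    url_paths | tr '/' '\n' | grep -v '^$' | sort -u
}

# Constructed sample input standing in for waybackurls / gau output.
sample_urls() {
    cat <<'EOF'
https://example.com/api/v1/users?id=1
https://example.com/api/v1/users/42
http://example.com/admin/login.php#top
https://example.com/
https://example.com/index.php?x=1
https://example.com/api/v1/users
EOF
}

echo "# paths"
sample_urls | url_paths
echo "# segments"
sample_urls | path_segments
```

Feed real recon output with `cat urls.txt | path_segments > words.txt`; the functions read URLs from stdin.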
============
Question from @Dark3rH4cK:
"Any efficient tool for S3 bucket discovery belonging to a specific domain, except Lazy3???"
============
Searching https://buckets.grayhatwarfare.com can be useful, as can dorking GitHub and Google for "companyname" along with "amazonaws" (try site:http://s3.amazonaws.com too).
I also like to pull JavaScript files as well as webpages and grep for them!
============
Question:
I'm ok at CTF and on something like DVWA but go to start a real bounty program and stare at the screen. Advice?
============
Honestly? Be prepared to fail; a lot. Vulnerabilities aren't nearly as common as they are in CTFs or things like DVWA; 99% of the things you look at on a well-tested BBP will likely be secure.
Keep going, and try to find that 1%
============
How do you go for unique findings or crits. Your approach? Do you hunt slow or once a target is online just rush, kinda slow and steady finds the crits.?
============
I am *very* slow 😂
When it comes to finding critical sensitive info (e.g. creds) it's almost always after hours of following a recon trail
For more technical stuff like RCEs I try to think about how I would build the more complicated or unusual bits of functionality in an app
============
Question:
What shell/bash aliases you find the most useful in your process?
============
Mostly it's the small ones like Ctrl+n to do `cd ..` (https://github.com/tomnomnom/dotfiles/blob/0433a3b3ca681cf3c9f894a401ecd5406ac22752/.inputrc#L9-L10) that just speed up the unimportant stuff.
Or `virev` to open up all files that changed in a git revision (https://github.com/tomnomnom/dotfiles/blob/0433a3b3ca681cf3c9f894a401ecd5406ac22752/.bashrc#L67-L86)
Otherwise I usually type stuff out every time 🙈
============
can you summarize a day
============
I work full time and have two kids so the vast majority of it isn't really relevant but:
08:00 - wake up and work
16:30 - finish work and cook for my family
20:00 - put kids to bed and collapse on the sofa
============
Finding a way to obtain authenticated access in big scopes where most things are behind corp SSO or finding web apps with public registration, can expose attack surface. Any tips/tricks on how to find valid accounts?
============
I don't usually try to find valid accounts as many programs would consider making use of them to be pivoting.
My tip would be to look for API endpoints: because API clients don't usually support SSO, the endpoints are sometimes whitelisted and don't redirect to SSO.
============
Any effective way to keep track of things to look at while doing pentest?
============
Personally I use a text file to make notes on the most interesting stuff. For group hacking I've used Trello too.
Also check out the Burp Scope Monitor from the amazing
@Regala_
https://github.com/Regala/burp-scope-monitor :)
============
path_finder_1
@Mayur_Chavan
How can I send curl requests in parallel to create race condition?
============
You can either use xargs with -P set to something greater than one, e.g.
cat urls.txt | xargs -n1 -P4 curl
Or you can use concurl https://github.com/tomnomnom/concurl :)
============
Ahmed mohamed abdellah
@AhmedElmalky00
What's the nmap command that you use for port scanning?
============
I don't use it often but I usually go for
nmap -sT -Pn -p1-65532 --min-rate 10 hostname
============
Mohd Shibli
@0xred_assassin
What do you do when an organisation rejects your report but according to you it's actually a potential bug? How do you deal with such a situation?
============
Honestly that doesn't happen to me very often because I try to only report things that have clear impact, but on the occasions that it has happened I've swallowed my pride and said "thank you for your time".
Generally speaking they know their threat model better than me.
============
Adrián
@Lukensio9
What does "php sinks" mean? I used gf after meg and it gave me 2 results for php sinks but I couldn't understand.
============
They are "execution sinks" (places that might lead to issues if passed user data) in PHP source code; so not really a pattern for meg results.
I use that pattern along with the php-sources pattern when auditing PHP codebases :)
============
Rejected Hacker
@rh21_a
I’ve spent lots of time going through pentesterlabs and recently started properly hunting on live targets with no luck. What things are people too afraid to do or learn that has great potential for finding unique bugs? Irrespective of difficulty as long as one could learn it
============
Persistence is one of the key differentiators between those who find things and those who don't IMO. 99% of the things you look at (or even more) will not be vulnerable.
CTFs and labs are great learning tools but they can give a false impression of how common these issues really are.
...having said that: the more complicated something is, the less likely it is that other hunters have looked at it. If a feature requires you to read complex documentation to use it properly then a decent amount of people probably didn't bother.
============
Paul Seekamp
@nullenc0de
Are you planning to add to the kxss arsenal? Perhaps a similar style tool that hints at possible vulnerable endpoints for other classes of bugs?
============
I don't have any plans, but that doesn't mean I won't ever do it. Reflected XSS is probably the easiest of issues to make that kind of tool for, although a tool for open redirects would probably be of similar complexity.
I'm always interested to hear new ideas though :)
============
Clodo
@0x033e
1 - What programming languages are necessary for web & mobile?
2 - Why these languages and why not others? What are the differences between languages?
3 - How can we understand the responses of requests to a server?
4 - How can we understand CSP behaviour? How does it work?
B. Regards!
============
1 - JavaScript is the only one that's really *necessary* because all web apps use it. For mobile (iOS) it's Swift and Objective C, for Android it's Java and other JVM languages.
2 - All of the above are mandated by their environments. IMO most of the differences don't matter :-P
3 - Learn how HTTP works (I wrote a simple web server to help me learn, but googling each part and reading about them works too). I recommend MDN.
4 - MDN is a great resource here too: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP - also Google's CSP evaluator is a great way https://csp-evaluator.withgoogle.com
============
Syed Anas
@s3cN00b1
Hi
@TomNomNom,
When do you decide to give up on a target, like when you think "I've had enough of it, let's move to something new now"?
============
Usually it's just a gut feeling, but the key things I look for is that I'm not even finding any "leads" so to speak (i.e. interesting bits of functionality), or I've just generally exhausted all of my ideas.
Taking a break and coming back to things later is very helpful
============
Prasoon Gupta
@0xdekster
Can you suggest any way to make a bash automation script run multithreaded, like if I want to optimize it for faster results? Any solution for it?
============
There are some things you can do with xargs :) I talk about it here in my VirSecCon talk: https://youtu.be/s9w0KutMorE?t=2825
GNU Parallel is great too https://gnu.org/software/parallel/
============
Simone Bovi
@simone_bovi
How do you choose a program to hack on? What are the main things you look at when making this choice? Thanks!
============
I like to hack on programs where I use the product/service because it saves me a lot of time in understanding what the app is supposed to do.
Otherwise I mostly look for a big scope and technology that I'm already familiar with.
============
Archsolar
@Archsolar1
Which bounties should a beginner look for/learn about these days?
============
Keeping an eye on disclosed reports on each of the bug bounty platforms is a good way to see what other people are looking for.
Personally I think business logic issues are a good way to get started because often they don't even require the use of tools, only a browser.
============
PRAMOD KUMAR YADAV
@pk_12397
How to learn a new bug type and its exploit? Where to learn? How to learn new methods? What do you think about before starting to hunt a new target? How many websites do I have to hunt in a month? How much time do you spend on a target and how much time do you spend on bug bounty in a week?
============
To learn new bugs I usually find that Portswigger have a lab for it (https://portswigger.net/web-security) or I look for disclosed reports on the various bug bounty platforms. Then - and this bit is important - I practice exploiting them! Just reading about stuff rarely teaches me well enough
...At the moment I'm not spending much time bug bounty hunting, because I do it for fun and not to make a living and life can be hard.
I think the very most important thing is that you're enjoying yourself; and you spend only as much time as you want to on things.
============
Quikke
@quintenvi
You are well known for using lots of scripting languages. If you had to choose one, which would it be and why?
============
I think probably Bash because it lets me easily build things iteratively and interactively as pipelines, but still has enough features to do more complex stuff with loops and conditionals if I need to :)
============
p@ger\x41\x41\x69
@AvishekNayal
How you test for takeovers and oauth bypass
============
For takeovers I use meg (https://github.com/tomnomnom/meg) to request pages, and gf with some common strings (https://github.com/tomnomnom/gf/blob/master/examples/takeovers.json). I also have a simple shell script to look for dangling cnames (https://github.com/tomnomnom/dotfiles/blob/master/scripts/check-cname).
I don't know much about oauth bypasses though sorry!
============
niyaax
@Diniox10
If you get a program with only the main app as the target, what's your method of approach and what type of bugs will you be looking to find?
============
Other than the usual suspects (XSS, SSRF, ORs etc) I try to look for IDORs, between unrelated accounts, and between accounts in the same org (if the app has a concept of such a thing).
I try to find functionality that's unique to that app, figure out how it works, read the docs
Rejected Hacker
@rh21_a
Not sure anyone has asked, how are you? 😀
============
Thank you!
I am quite tired, but mostly OK. Lockdown is hard!
============
Sayon Dutta
@SayonDutta_
Which type of bug do you think is more common in websites now? I know Path Traversal, Business Logic, CSRF, and some XSS.
Should I look for these or should I try another?
Thank you.
============
I think XSS is probably still the most common issue to find.
As for if you should try another: Yes! The more you know the more likely you are to find something, and the more obscure it is the less likely it is to be a dupe ;)
============
Sayon Dutta
@SayonDutta_
After selecting a target, how do you approach it? Meaning, firstly should we create an account and surf like a normal user, or what should we do? Could you tell in brief?
Thank you...
============
That's a good first step! I have it running through burp while I do that. I also try to make two or more accounts to check for IDORs.
I try to act like an inquisitive user who wants to know what every feature does; trying to think like a software tester helps too!
============
𝕭𝖑𝖆𝖈𝖐 𝕯𝖗𝖆𝖌𝖔𝖓
@blckdr4gon
Offtopic Question But Still Wanna Ask..
What are the top 10 bugs that he hunts on the web apps?
============
I'm not sure I even have a top 10! 🤣
I always look for XSS because it's easy to check for while browsing an app to learn more about it. Ditto Open Redirects (and they are often useful in chains)
I'm very fond of looking for sensitive information exposure issues too.
============
Morad adnan
@Mourad_Adn
Hi Tom. When you have a lot of info, starting from recon (active, passive, finding the hidden endpoints, JS files, sensitive data, info...), how do you plan your job, from the beginning to writing a report?
============
(1/2) I don't do a great deal of planning, but when I have a lot of info I try to look for the bits that stand out / are different.
Honestly I look for things I find interesting and then dig into them in a pretty unstructured way.
(2/2) I use tools like gf (https://github.com/tomnomnom/gf), html-tool (https://github.com/tomnomnom/hacks/tree/master/html-tool), and urinteresting (https://github.com/tomnomnom/hacks/tree/master/urinteresting) to try and spot interesting things to look in to.
Every target is different, and if I had a plan I'd find it hard to stick to it 🙈
============
Rejected Hacker
@rh21_a
Will bug bounty hunting be more fruitful as you get invited to private programs from lack of competition or do you always find lots on old programs?
============
I think so! The more stuff there is to look at the more likely it is you can find something.
It is easy to get overwhelmed and not know what to look at though. When that happens I try to pick programs for services I already know and use, or those that use tech I know well
============
Luis Lopez
@Luisk2
Hello all, any tips to approach a SOAP web service? What kind of bugs have you tried on these? :) Thanks!
============
IMO the important thing to remember is that SOAP is just a transport, it's still just an app accepting parameters from a user - whether those parameters come from a query string, JSON, XML... It doesn't matter :)
============
Victor Catalan
@vimicasa
What business/entrepreneurship opportunities do you see in 5-10 years today in this field?
============
Honestly, that's not something I think about much, or know a great deal about; sorry!
============
Robin Lunde
@pwn_panda
How do you do parameter discovery and testing? Do you brute force all parameters, do you harvest them from source using a tool? Or maybe a combination?
============
I harvest them from the output of waybackurls, my burp history, and google dorks and then use unfurl (https://github.com/tomnomnom/unfurl) to extract them. I use param miner (https://github.com/PortSwigger/param-miner) on endpoints, but mostly when I don't have much info about a particular endpoint
============
dark_warlord14
@dark_warlord14
Consider I have 1000 https urls and I only want to filter those whose index.php has changed since the last time I saw it.
How can I do this with meg?
============
(1/2) The bit that makes this tricky is that meg uses a sha1 hash of the page content as a filename so if the response changes even slightly (e.g. the server time in a header) then it will get a new filename.
It should be possible to script it though...
...if you restore the old and new responses in two different dirs (e.g. called old and new) you could do something like
find old/ -maxdepth 1 -mindepth 1 -type d -exec basename {} \; | while read dir; do echo $dir; diff old/$dir/* new/$dir/*; done
...this assumes there's only one file in each dir (i.e. only the results for a meg run against /index.php are in each dir)
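The find/diff one-liner above, worked through as a stand-alone script. This is an added example, not code from the thread or from meg: it assumes the layout the answer describes (old/<host>/<sha1>, new/<host>/<sha1>, one file per host per run) and a meg-style file where response header lines start with "< ", and it strips volatile headers such as Date before comparing, so a changed timestamp alone does not count as a changed index.php. The old/ and new/ trees it compares are constructed sample data.

```shell
#!/bin/sh
# Added example, not TomNomNom's code: list hosts whose /index.php response
# changed between two meg runs saved in old/ and new/.
# Assumed layout (from the answer above): old/<host>/<sha1>, new/<host>/<sha1>,
# exactly one file per host per run. Because meg names each file after a hash
# of the whole response, a changed Date header alone yields a new filename, so
# volatile headers are stripped before the content is compared.
set -eu

# Drop response headers that change on every request. meg prefixes response
# header lines with "< " (assumed here), so the body is never touched.
normalise() {
    grep -Ev '^< (Date|Expires|Set-Cookie|X-Request-Id):' "$1"
}

# Stable fingerprint of the normalised response (cksum is POSIX, sha1sum is not).
fingerprint() {
    normalise "$1" | cksum | cut -d' ' -f1
}

# Print one line per host whose normalised response differs, or which vanished.
changed_hosts() {
    old_dir=$1; new_dir=$2
    for dir in "$old_dir"/*/; do
        host=$(basename "$dir")
        if [ ! -d "$new_dir/$host" ]; then
            echo "$host (missing in new run)"
            continue
        fi
        if [ "$(fingerprint "$old_dir/$host"/*)" != "$(fingerprint "$new_dir/$host"/*)" ]; then
            echo "$host"
        fi
    done
}

# Write a constructed meg-style response file: $1=run dir $2=host $3=date $4=body.
# The filename is a checksum of the body, mimicking meg's hash-named files.
write_response() {
    mkdir -p "$1/$2"
    printf 'http://%s/index.php\n\n> GET /index.php HTTP/1.1\n> Host: %s\n\n< HTTP/1.1 200 OK\n< Date: %s\n< Server: nginx\n\n%s\n' \
        "$2" "$2" "$3" "$4" > "$1/$2/$(printf '%s' "$4" | cksum | cut -d' ' -f1)"
}

# Build sample old/ and new/ trees (constructed data) and print their parent dir.
make_sample() {
    tmp=$(mktemp -d)
    # example.com: only the Date header differs -> must NOT be reported
    write_response "$tmp/old" example.com 'Fri, 08 May 2020 18:09:00 GMT' '<html>welcome</html>'
    write_response "$tmp/new" example.com 'Sat, 09 May 2020 18:09:00 GMT' '<html>welcome</html>'
    # example.org: body changed -> reported
    write_response "$tmp/old" example.org 'Fri, 08 May 2020 18:09:00 GMT' '<html>v1</html>'
    write_response "$tmp/new" example.org 'Sat, 09 May 2020 18:09:00 GMT' '<html>v2</html>'
    # example.net: present in the old run only -> reported as missing
    write_response "$tmp/old" example.net 'Fri, 08 May 2020 18:09:00 GMT' '<html>gone</html>'
    echo "$tmp"
}

sample=$(make_sample)
changed_hosts "$sample/old" "$sample/new"
```

Against real meg output, drop the sample section and call `changed_hosts old new` on the two directories the runs were saved to.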
============
noob_charlie
@paranoidd34
How to use bug bounty achievements, like a good rank on a bug bounty platform, to get a job in a company?
============
Writing about the things you learn on your bug bounty adventures is a great way to improve your understanding, help the community, and gain exposure at the same time.
Prospective employers can read about your skills and see how good your communication skills are at the same time
============
PRAMOD KUMAR YADAV
@pk_12397
Hi,
How can I automate fuzzing? I'm getting endpoint URLs from ParamSpider and I have wfuzz; can I feed all the URLs together from the stored output txt files? Currently I'm only able to feed them one by one. Please suggest.
============
It sounds like using a loop in bash might be a good way to do it. My VirSecCon talk covered doing that sort of thing: https://youtube.com/watch?v=s9w0KutMorE :)
============
Thiezn
@SoulManThiezn
Any tips for Server-side template injection?
============
The portswigger labs provide a fantastic place to practice them (https://portswigger.net/web-security/server-side-template-injection), but I learnt SSTI mostly from them so I don't have a great deal to add to their explanations!
============
Thiezn
@SoulManThiezn
Any tips for keeping track of recon data on programs you're working? How do you detect and keep track of changes or findings of a program? Do you perhaps keep a database per target that your various tools can plug into?
============
I like the way recon-ng organises things when it comes to domains, ports, users etc. I often have a recon-ng database/workspace per target.
For other stuff I usually use flat text files stored in a directory tree and leverage tools like find, grep, and xargs to process them :)
============
sw33tLie
@sw33tLie
nmap is fast, masscan is not very accurate at acceptable rates... any idea to improve the accuracy when dealing with a large amount of hosts without waiting for ages?
Meaning I want to check all 65535 ports and not just the most common ones.
============
You can do a decent job with nmap if you tweak the scan type and --min-rate options; nmap has a lot of options so they're worth playing with
Consider using a well-connected VM from DigitalOcean or similar; your connection will usually be a bottleneck that software can't overcome.
============
Roel Philippeth
@RPhilippeth
Do you have planned webinars in the nearby future?
============
Yes I'm doing it right now.