Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 05 to 12 of July.
Our favorite 5 hacking items
1. Tips of the week
– All you need to know to exit VIM without unplugging your laptop
– 10 tips that are helpful if you are not finding vulns/bugs
– Why http://126.96.36.199 is the same as http://1.1
– How to use Tmux/Screen AFTER you’ve started Nmap
These tweets are so good that I had to mention all four. They’re about:
- How to exit VIM, and more importantly how to make `:!Q` (which isn’t currently an option) quit it too
- Awesome advice to improve your environment and methodology, and start finding vulns/bugs
- Why some SSRF payloads include IP addresses like 1.1.1, and how routers know that it means 188.8.131.52 and not 184.108.40.206. I’ve been wondering about that and the answer was… RTFM!
- What to do when you’re hours into an Nmap scan and you forgot to start it in a Tmux/Screen session (Genius!)
2. Writeup of the week
Privilege escalation via mass assignment on New Relic
3. Webinar of the week
Securing Your Cloud Infrastructure | Security and Research Company (SECARMY)
After last week’s intro to cloud for pentesters and bug hunters, SECARMY returns with a sequel on common cloud security misconfigurations and their mitigations.
More specifically, this one is about SSRF and LFI on AWS, why they occur, how to detect them, how to leak AWS credentials and what companies can do to prevent it.
4. Tool of the week
A few weeks ago, @EdOverflow published the article “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter. He did the research with a few other hackers, and they developed a tool to automate fetching Travis CI build logs.
It allowed them to quickly look for sensitive information in CI logs and earn many bounties. It was awesome to read about that but they didn’t release it because they didn’t want to cause service disruptions to CI platforms.
I guess they’ve changed their minds because they’ve just released Secretz!
It minimizes the large attack surface of Travis CI by automatically fetching repos, builds, and logs for any given organization. So it’s a really neat tool to add to your arsenal.
5. Non technical item of the week
How to better organize your notes while hunting for bugs
Who doesn’t like peeking at how other hackers organize their notes?
@GouveaHeitor shares here how he uses SwiftnessX to defines payloads, report templates and libraries / checklists. It’s worth looking at his screenshots if you feel like your pentest/bug bounty notes could be better organized.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- ScreenToGif: Allows you to record a selected area of your screen, edit and save it as a gif or video!. Useful for recording PoCs
- Qsreplace: A Go script to replace or append to query string values in URLs. Can be used in combination with waybackurls to generate URLs for fuzzing with a particular payload
- JWTrek: JWT Token C# Bruteforcer (HS256) (pure bruteforce, no wordlist yet)
- Android-App-Testing: Python3 scripts to help automate the installation of Burp Suite certificates on Android devices
- Venemy: OSINT tool for Venmo. It grabs profile information, friends lists & transactions
- BADministration & Introduction: Tool to leverage SolarWinds Orion servers from an offensive standpoint
- RedTeamCSharpScripts: C# Scripts for Red teaming
- Kali Linux Tools Interface: A graphical interface to use tools in Kali by the browser
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/05/2019 to 07/12/2019
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.