Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 19 to 26 of July.
Our favorite 5 hacking items
1. Tutorial of the week
Markdown For Penetration testers & Bug-bounty hunters
This is an excellent tutorial on how to organize your pentest and bug bounty notes using a static website created with Mardown and Mkdocs.
I know… SwiftnessX and many other options already exist for taking notes. Why this one too?
Well, it’s worth trying if you’re looking for a self-hosted solution, want to use or learn markdown, want to share your notes with the world or make your site private, want a lightweight web-based tool to access your notes from any device…
2. Writeup of the week
Pwning child company to get access to ParentCompany’s Slack Team
Going out of scope while pentesting or bug hunting is a big no-no. You could end up with legal issues or upsetting your client/target. But it is sometimes tolerated in bug bounty, when the bug is critical or when it impacts an in-scope target.
That’s what happened here: @Parth_Malhotra saw that he could sign up to his target’s Slack URL either with a @parentcompany.com or @childcompany.com email address.
He looked at childcompany.com and found a cPanel on it. So if he could find an RCE on this server, he would use cPanel to edit the server’s MX records and hijack emails sent to @childcompany.com.
Receiving these emails would allow him to access parentcompany.com’s Slack (the in-scope target).
This scenario is exactly what ended up happening. I love how @Parth_Malhotra went backwards from a desired goal (Slack), to a needed vunerability (RCE). This is way more impactful than if he was just looking for a technical bug without thinking about business risk.
3. Webinar of the week
A BEAST and a POODLE celebrating SWEET32 (Free registration needed)
SSL/TLS vulnerabilities can be a headache when you’re writing a pentest report.
There’s a lot of them like: POODLE, BEAST, BREACH, CRIME, DROWN, FREAK, SWEET32, etc. Some of them are really critical, but others are complicated to exploit in real life. So which ones are real threats? Should you report them as low/high findings, or not report them at all…?
If you’re familiar with these questions, this webinar will help you have a better understanding of each vulnerability.
4. Video of the week
Live Bug Bounty Recon Session on Yahoo (Part 1 – 7/14/2019)
@nahamsec is now doing a live on Twitch every sunday. They’re usually great for bug hunters or anyone interested in Web app security testing.
This one shows Ben live hacking on Yahoo (with their permission). It’s a unique opportunity to see a bug hunter in action and learn things like: how he uses a VPS for recon automation, how he does recon in a structured way on a target that has thousands of subdomains, how he uses crt.sh and certspotter.com, etc.
Weird confession: I (really) hate Twitch! So I wait for the streams to become available on Youtube. But you don’t have to, here is Ben’s Twitch account.
5. Non technical item of the week
Why Does the Penetration Testing Team Hate Me?
Relationships between pentesters and developers can be tense for so many reasons: pentesters with a superior know-it-all attitude, developers who aren’t briefed on the purpose of the pentest and their role in it, developers who aren’t aware of security issues, or fear for their job…
If you’ve ever been in an opening/closing pentest meeting and felt such tensions, this article could help you understand the mindset of some developers. You’ll also have ideas on how to deal with each situation or objection you are facing.
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- CCrawlDNS: Retrieves unique subdomains for a given domain name from the CommonCrawl data
- Check_for_root_detection.py: Python3 script to help with bypassing root detection in Android apps. It recursively searches smali files for common strings that are use to check if the device is rooted and prints the filename, method, and root detection string found
- SubEnum: Small Python script used to bruteforce subdomain names of a specified domain
- Pdlist: A passive subdomain finder
- GetGithubRepoCloneUrls.py: This code snippet takes a Github organization name as input, crawls for all its public repositories and returns a list of all the “Git clone URLs” for those repos
- XSSwagger: A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks
- Fluxion & Introduction: A remake of linset. It attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack
- SUDO_KILLER: A tool to identify and exploit sudo rules’ misconfigurations and vulnerabilities within sudo
- IPv6teal: Stealthy data exfiltration via IPv6 covert channel
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/19/2019 to 07/26/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.