Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all the write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 18 to 25 October.
Our favorite 5 hacking items
1. Tools of the week
Github-subdomains.py is one of many Github scripts shared lately by @gwendallecoguic for Github recon. It takes a domain as input and returns its subdomains found on Github.
Sometimes, this is just what you need for recon or OSINT!
Erlenc also does just one thing: it is a command-line tool for URL-encoding and URL-decoding data streams. It can be useful for scripting, or if you find yourself dealing with URL encoding all the time during tests.
2. Writeup of the week
Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …
Exploiting an XXE during a pentest unexpectedly triggered two DNS interactions instead of one. This led the authors to investigate, and discover that opening the XXE payload in their text editor was triggering the second interaction.
What could have been neglected by others became the subject of very interesting research. From weaponizing the XXE to get RCE, to testing other products that share the same underlying vulnerable library… There are many lessons in this writeup, both technical and about mindset and tenacity.
3. Conference of the week
Kawaiicon 2019 – Liar, Liar: a first-timer “red-teaming” under unusual restrictions
This is the story of an unusual red teaming mission. I don’t want to spoil it by saying too much. So, let’s just say that it is captivating, witty, and perfect for those times when you want to relax while still doing something hacking-related.
4. Resource of the week
Cloud Security Wiki
This is a collection of links for cloud security (from both offensive and defensive aspects). They are organized by topic: AWS/Google/Azure Cloud, vulnerable apps, Kubernetes and Docker.
It is nice to have all these resources at the same place. It should help if you’re interested in Cloud security and don’t know where to start.
I am also realizing there are some tools and presentations listed that I haven’t checked out yet.
5. Article of the week
Attempting EC2 Subdomain Takeover
Subdomain takeovers are getting harder to find on bug bounty programs. This article breaks down a more subtle form of the attack which affects some subdomains pointing to EC2 instances.
Who knows, it might help you get some of those juicy bounties!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
If you don’t have time
- Stepper: A Burp extension designed to be a natural evolution of Burp Suite’s Repeater tool. It provides the ability to create sequences of steps and to define regular expressions that extract values from responses, which can then be used in subsequent steps
- GitHunter: A tool for searching a Git repository for interesting content
- Domain-finder: Quick script to find domains that belong to a company through http://whoxy.com (key required but free)
- Apk-mitm: A CLI application that prepares Android APK files for HTTPS inspection
- Ntlmscan: Scan for NTLM directories
- Dirstalk: Modern alternative to dirbuster/dirb
- RAS-Fuzzer: RAndom Subdomain Fuzzer
- SUID3NUM: Python script to enumerate SUID binaries, separate default binaries from custom binaries, cross-match those with bins in GTFO Bin’s repository & auto-exploit those
- BabooSSH: Python script that allows you, from a simple SSH connection to a compromised host, to quickly gather info on other SSH endpoints to pivot and compromise them.
- Lava: Microsoft Azure exploitation framework
- HomePWN: Swiss Army Knife for Pentesting of IoT Devices
- OneLogicalMyth_Shell: An HTA shell to assist with breakout assessments
- PHuiP-FPizdaM: Exploit for a bug in php-fpm (CVE-2019-11043)
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/18/2019 to 10/25/2019.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.