Bug Bytes #75 – NahamCon, ServiceNow misconfigurations & Creating your own Alfred

bugbytes-75

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

button

This issue covers the week from 05 to 12 of June.

Our favorite 5 hacking items

1. Conference & Videos of the week

NahamCon day 1, Day 2, Schedule & Slides

How To Do Recon: API Enumeration & Live API Hacking Demo

NahamCon is a bug hunter’s paradise. One place where you could hear from top bug hunters about amazing practical hacking techniques, new research, online and for free!

To give you a taste: @defparam dropped some pretty serious HTTP request smuggling stories. @securinti shared some of his mindblowing email hacking kung fu. @Jhaddix published his long awaited Bug Hunter’s Methodology v4. @tomnomnom demystified the art of creating custom wordlists. Plus a lot more hacking goodness!

@InsiderPhD’s video series on API recon is also a valuable resource. She does a great job of breaking it down into actionable steps, with lots of demos.

2. Writeups of the week

Multiple Information exposed due to misconfigured Service-now ITSM instances  ($30,000)

This is yet another example of a bug that seems so simple… after you hear about it! The difficulty is knowing what to focus on. So, kuddos to @Th3G3nt3lman! He analyzed ServiceNow products and found that the Knowledge Management app has some endpoints that are accessible without authentication. He was able to access sensitive data of several companies.

This is a cool example of new research. It is similar to techniques previously seen like exposed Atlassian pages, but applied to different products.

3. Tool of the week

Infosec-Alfred & The Art of automation, creating your own Alfred

This tool is an awesome effort to solve a common problem: information overload, and information being scattered across so many different sites that don’t always have an RSS feed.

@0xsha uses Web scraping to monitor sites (e.g. Github Advisory, Exploit DB, Pentester Land, HackerOne Hacktivity) for new content. New links are added to an SQLite3 database. This kind of scraping and gathering news at the same place is such a time saver!

4. Tutorials of the week

Editing Files on your VPS with sublime on local machine.

Save and Search Your Web Traffic Forever with elasticArchive for Mitmproxy

I know, VIM, Burp and love are all you need… Why would anyone want to edit files on a VPS with a GUI editor? Or use a Web proxy in addition to Burp?

Using an editor like Sublime Text over your VPS is really convenient. It allows for running a headless distribution on the server, and still browsing remote files as if they were on your local system, without having to deal with the “How to exit VIM?” riddle.

The ElasticArchive setup is also handy, especially for bug hunters who want to be able to save and later analyze all traffic, all targets combined. It makes it easier to revisit historical data.

5. Non technical item of the week

How a Lazy Bitch like me learned to be Productive

This is a good read for anyone who feels like there is so much to do, not enough time, and everything is a priority. So, what ends up happening? Nothing! Trying to do everything at once generally doesn’t work long term.

This blog is about 3 rules that help deal with this feeling of overwhelm and improve productivity. The tone is fun and there is comfort in knowing other people are struggling with this too!

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • URL Tracker: Change monitoring app that checks the content of web pages in different periods. It can be used to monitor S3, Azure, JS files…
  • Penglab: Free hash cracking with hashcat on Google Collab
  • SecretFinder: A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript files
  • Recox: Master script for web reconnaissance
  • Ayfabtu & Intro: Scripts to extract files from SCM directories left on web servers
  • TarlogicSecurity/kerbrute: An script to perform kerberos bruteforcing by using impacket
  • ntlm_theft & Intro: A tool for generating multiple types of NTLMv2 hash theft files
  • Shad0w & Introduction: A post exploitation framework designed to operate covertly on heavily monitored enviroments
  • Linuxprivcheck: Python script for privilege escalation for Python
  • Unicorn: Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber’s powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18
  • Boko: Application Hijack Scanner for macOS
  • Minimalistic TCP / UDP Port Scanner: Minimalistic TCP & UDP port scanners for avoiding EDR detection
  • NTLMRawUnhide.py
  • Chisel: A fast TCP tunnel over HTTP (basically SSH over websockets)
  • Reg1c1de: Registry permission scanner written in C# for finding potential privesc avenues within registry

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/05/2020 to 05/12/2020.