Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 05 to 12 of June.
Our favorite 5 hacking items
1. Conference & Videos of the week
NahamCon day 1, Day 2, Schedule & Slides
How To Do Recon: API Enumeration & Live API Hacking Demo
NahamCon is a bug hunter’s paradise. One place where you could hear from top bug hunters about amazing practical hacking techniques, new research, online and for free!
To give you a taste: @defparam dropped some pretty serious HTTP request smuggling stories. @securinti shared some of his mindblowing email hacking kung fu. @Jhaddix published his long-awaited Bug Hunter’s Methodology v4. @tomnomnom demystified the art of creating custom wordlists. Plus a lot more hacking goodness!
@InsiderPhD’s video series on API recon is also a valuable resource. She does a great job of breaking it down into actionable steps, with lots of demos.
2. Writeups of the week
Multiple Information exposed due to misconfigured Service-now ITSM instances ($30,000)
This is yet another example of a bug that seems so simple… after you hear about it! The difficulty is knowing what to focus on. So, kudos to @Th3G3nt3lman! He analyzed ServiceNow products and found that the Knowledge Management app has some endpoints that are accessible without authentication. He was able to access sensitive data of several companies.
This is a cool example of new research. It is similar to techniques previously seen like exposed Atlassian pages, but applied to different products.
3. Tool of the week
Infosec-Alfred & The Art of automation, creating your own Alfred
This tool is an awesome effort to solve a common problem: information overload, and information being scattered across so many different sites that don’t always have an RSS feed.
@0xsha uses web scraping to monitor sites (e.g. GitHub Advisory, Exploit DB, Pentester Land, HackerOne Hacktivity) for new content. New links are added to a SQLite3 database. This kind of scraping and gathering news in one place is such a time saver!
4. Tutorials of the week
Editing Files on your VPS with sublime on local machine.
Save and Search Your Web Traffic Forever with elasticArchive for Mitmproxy
I know, VIM, Burp and love are all you need… Why would anyone want to edit files on a VPS with a GUI editor? Or use a Web proxy in addition to Burp?
Using an editor like Sublime Text on your VPS is really convenient. It allows you to run a headless distribution on the server while still browsing remote files as if they were on your local system, without having to deal with the “How to exit VIM?” riddle.
The ElasticArchive setup is also handy, especially for bug hunters who want to be able to save and later analyze all traffic, all targets combined. It makes it easier to revisit historical data.
5. Non technical item of the week
How a Lazy Bitch like me learned to be Productive
This is a good read for anyone who feels like there is so much to do, not enough time, and everything is a priority. So, what ends up happening? Nothing! Trying to do everything at once generally doesn’t work long term.
This blog post describes 3 rules that help deal with this feeling of overwhelm and improve productivity. The tone is fun and there is comfort in knowing other people are struggling with this too!
Other amazing things we stumbled upon this week
Webinars & Webcasts
Medium to advanced
Responsible(ish) disclosure writeups
Bug bounty writeups
- SSRF on project import via the remote_attachment_url on a Note (GitLab, $10,000)
- gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read (GitLab, $10,000)
- Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning (Semmle, $2,000)
- RCE as Admin defeats WordPress hardening and file permissions (WordPress, $800)
- This is fine 🐶 (Microsoft)
- DoS and BugBounties: A series of DoS attacks on HackerOne
- Local file read via XSS using PDF generate functionality
- From 3,99 to 1,650 USD (Part I) – Simple Vertical Privilege Escalation by Changing HTTP Response ($1,000)
- My First Bug Bounty – Gitter $1,000 one-click DoS (Video)
- Making further registrations difficult on Vanilla forum (Vanilla, $150)
See more writeups on The list of bug bounty writeups.
- URL Tracker: Change monitoring app that checks the content of web pages in different periods. It can be used to monitor S3, Azure, JS files…
- Penglab: Free hash cracking with hashcat on Google Colab
- Recox: Master script for web reconnaissance
- Ayfabtu & Intro: Scripts to extract files from SCM directories left on web servers
- TarlogicSecurity/kerbrute: A script to perform Kerberos brute-forcing using impacket
- ntlm_theft & Intro: A tool for generating multiple types of NTLMv2 hash theft files
- Shad0w & Introduction: A post-exploitation framework designed to operate covertly in heavily monitored environments
- Linuxprivcheck: Python script for Linux privilege escalation
- Unicorn: Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18
- Boko: Application Hijack Scanner for macOS
- Minimalistic TCP / UDP Port Scanner: Minimalistic TCP & UDP port scanners for avoiding EDR detection
- Chisel: A fast TCP tunnel over HTTP (basically SSH over websockets)
- Reg1c1de: Registry permission scanner written in C# for finding potential privesc avenues within the registry
Misc. pentest & bug bounty resources
Bug bounty & Pentest news
Breaches & Attacks
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 06/05/2020 to 05/12/2020.