Bug Bounty & Agile Pentesting Platform

Bug Bytes #120 – MacOS pwned, Homebrew RCE & The world’s shortest backdoor

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 19 to 26 of April.

Our favorite 5 hacking items

1. Videos of the week

Why you should Close Your Files | Binary Exploitation 0x02
How SUDO on Linux was HACKED! // CVE-2021-3156

I’m more into Web/API/mobile hacking, but sometimes other types of InfoSec resources are so good it makes me want to change fields! It’s the case with these two videos.

The first one is part of a new binary exploitation series by PwnFunction. It provides a beginner friendly introduction to file descriptors, what they are and how they can be abused.

The second video is a walkthrough of CVE-2021-3156 (Baron Samedit), why it wasn’t obsvious to detect with fuzzing and was hiding in plain sight for almost a decade. These are interesting but complex topics that only @LiveOverflow could make so fun!

2. Writeups of the week

All Your Macs Are Belong To Us & macOS Gatekeeper Bypass (2021 Edition) (Apple)
Remote code execution in Homebrew by compromising the official Cask repository (Homebrew)

@cedowens found a pretty bad bug that allowed malicious apps to basically bypass MacOS’s security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements). It’s already exploited in the wild. @patrickwardle confirmed the findings and published a detailed analysis on the root cause of the bug. Make sure to update your OS before diving into this!

@ryotkak disclosed a Remote Code Execution in Homebrew (a popular macOS package manager). A bug in the git_diff library made it possible to trick a repo’s maintainers into approving malicious pull requests. Users who installed the infected package would have had their system compromised.

3. Tools of the week

HTTP Methods Discloser
gsocket.io

HTTP Methods Discloser is a Burp extension to easily check which HTTP methods are available. It replays each request with the OPTIONS verb and adds all methods available in the request’s “Comment” column (in the Proxy History). It’s a handy tool to be aware of available HTTP verbs for all requests.

gsocket (or Global Socket) is a tookit that allows workstations behind NAT/Firewall to establish a TCP connection with each other “like there is no firewall”. It has different applications. One of them is deploying a reverse login shell with a single command, without a server. The shell is accessible remotely through NAT/firewalls. It’s powerful, and pretty useful for CTF and pentest!

4. Challenge of the week

Intigriti’s 0421 XSS challenge winners and writeups, Source code & Walkthrough by @terjanq (who created the challenge)

This is a hard XSS challenge by XSS and XS-Leaks master @terjanq. The cool thing is that the source code is available to play with even though the challenge has ended. There is also a bunch of writeups and different solutions to guide you.
It’s a nice opportunity to learn techniques that @terjanq used for a real WAF bypass.

5. Resource of the week

Offensive Security Guide to SSH Tunnels and Proxies

This is a one-page guide on SSH tunnels and SOCKS proxies. It’s a good reference for those engagements where you’re short on time and need to quickly remember which tunnel/proxy to use and how to do it.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars

Conferences

Slides & Workshop material

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

0-day & N-day vulnerabilities

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • h1stats: h1 Program Stats Scraper
  • EDD & Intro: Domain enumeration tool in .NET
  • Marauders Map & Intro: The internal attacker toolkit heavily inspired by SharpPack
  • Traitor: Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

Impressive, @pudsec, well done!

Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!

%d bloggers like this:
-->