Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from May 10 to 17.
Our favorite 5 hacking items
1. Resources of the week
@reyammer’s mobile security class material from MOBISEC 2020
The Missing Semester of Your CS Education
The first resource is a complete course on mobile hacking by @reyammer. It includes video recordings, slides, challenges and covers a lot of topics from basics to advanced notions.
The second course is about various tools used in Computer Science classes that are rarely introduced properly. This includes how to best use the command line, text editors, tools like tmux to access remote machines, Git, etc. These topics are actually relevant to all hackers, not only CS students.
So, hurray for two completely free, top-notch quality courses!
2. Writeups of the week
ExifTool CVE-2021-22204 – Arbitrary Code Execution (GitLab, $20,000)
CVE-2021-27651: Pega Infinity RCE
Remember CVE-2021-22204, the Exiftool RCE from a couple of weeks ago? There weren’t any public exploits for it at the time. @wcbowling just shared how he exploited it to get RCE on GitLab for $20k.
This prompted other hackers to share articles about recreating exploits for the same bug. Here are the links if you want to do a deep dive into it: CVE-2021-22204 – Recreating a critical bug in ExifTool, no Perl smarts required. & An Image Speaks a Thousand RCEs: The Tale of Reversing an ExifTool CVE.
The second writeup is about an RCE in Pega infinity that @samwcyo‘s team discovered while hacking on Apple. It is interesting to see the technical details of a bug in open source software that was used for bug bounties on big targets like Apple.
The third writeup if for all of you Wi-Fi hackers. @vanhoefm found several vulnerabilities in all modern security protocols of Wi-Fi (goind back to 1997 and including WPA3!). What’s most impressive is that some of them are implementation flaws but three are design flaws in the Wi-Fi standard itself.
3. Tools of the week
Whey CeWLer is a Burp extension by @LaNMaSteR53 that parses your already crawled SiteMap and creates a wordlist. This is a convenient method for creating target-based custom wordlists that can be used for Web fuzzing and directory bruteforce.
Copy as FFUF is also a handy Burp extension. If you often find yourself copying requests from Burp to fuzz with FFUF, this will make the process much quicker.
4. Tips of the week
#BurpHacksForBounties – @sec_r0’s 30 days of Burp tips
@sec_r0 is sharing a Burp hack each day for 30 days, and they are good! If you want to level up your Burp skills make sure to follow him and apply these tips.
5. Conference of the week
Black Hat Asia 2020, BH Asia 2020 Slides & BH Asia 2021 Slides
40 videos from Black Hat Asia 2020 were just made public. There’s variety of topics so each talk’s description and slides will help quickly decide if you want to watch the whole talk.
If you’re also curious about the Black Hat Asia 2021, the recordings aren’t available yet but slides are. Some of these presentations on Web and mobile hacking are pretty interesting!
Other amazing things we stumbled upon this week
- Wanna hack zseano website and get paid? – Bounty Thursdays #28
- bsidesahmedabad AMA with Shubs
- Stealing all your passwords from LastPass due to URL parsing vulnerability – $1,000 bounty
- Q&A session with NahamSec
- Hack The Box Hacking Battlegrounds Streamed Tournament #1 – Commentated by IppSec and John Hammond
- Creating Custom Nuclei Templates and Workflows
- Free Automated Recon Using Github Actions | Ft. Project Discovery
- DAY Episode 77 – Cross-Browser Tracking, Frag Attacks, and Malicious Rust Macros
- The WiFi Frag Attacks – DarkSide Follow-Up, DarkTracer, Patch Tuesday, The Frontiers Saga
- OWASP May Lightning: Hacking APIs for Beginners (with Katie Paxton-Fear)
- The Tangled Web and Its Same Origin Policy (OWASP Bay Area Meetup – May 2021)
Medium to advanced
- Overcoming Issues Using Custom Python Scripts with Burp Suite Professional
- Deploying a Hash Cracker in Azure
- AMSI Bypass Methods
- Hacker tools: Arjun – The parameter discovery tool
- The Shell..
- Privilege Escalation Attack : Attacking AWS IAM Permission Misconfigurations
- Wi-Fi Penetration Testing – Part 1
- Simple Data Exfiltration Through XSS
- SSRF in Open Distro for Elasticsearch
- Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
Responsible(ish) disclosure writeups
- Aurelia Framework Insecure Default Allows XSS #Web
- Terminal escape injection in AWS CloudShell #RCE #Cloud
- Exploiting custom protocol handlers for cross-browser tracking in Tor, Safari, Chrome and Firefox #Browser
- CVE‑2021‑1079 – NVIDIA GeForce Experience Command Execution #LPE #Windows
- From theory to practice: analysis and PoC development for CVE-2020-28018 (Use-After-Free in Exim) #MemoryCorruption
- CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability #RCE
- Exploit Development: CVE-2021-21551 – Dell ‘dbutil_2_3.sys’ Kernel Exploit Writeup & Exploit to SYSTEM #Kernel
Bug bounty writeups
- One-click reflected XSS in www.instagram.com due to unfiltered URI schemes leads to account takeover (Facebook, $9,600)
- Auth Bypass in https://nearbydevices-pa.googleapis.com (Google, $5,000)
- Just Gopher It: Escalating a Blind SSRF to RCE for $15k ($15,000)
- CVE-2021-27075: Microsoft Azure Vulnerability Allows Privilege Escalation and Leak of Private Data (Microsoft)
- Mass Assignment exploitation in the wild – Escalating privileges in style
- Counter-Strike Global Offsets: reliable remote code execution (Valve)
See more writeups on The list of bug bounty writeups.
- ugly-duckling & Intro: Lighweight Web scanner
- Nozaki: HTTP fuzzer engine security oriented
- VPS-web-hacking-tools: Automatically install some web hacking/bug bounty tools
- Domain Enumeration Tool (DET) & Intro: Perform Windows domain enumeration via LDAP
Misc. pentest & bug bounty resources
- Send My: Arbitrary data transmission via Apple’s Find My network
- Semgrep: scanning unusuals extensions
- Dumping Plaintext RDP credentials from svchost.exe
- Giving Azure a REST – Expanding REST API Capabilities
- bad_actor_poc: Exfiltrating secrets with Rust macros
- The Need to Protect Public AWS SSM Documents – What the Research Shows
- Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness & Why Cloudflare’s CAPTCHA replacement with FIDO2/WebAuthn is a really bad idea
Bug bounty & Pentest news
- @nostarch Foundation Grants
- Upcoming events
- Tools updates
- Meet the hacker: 0xkasper, CTF player, Student, and hunter.
- Think outside the box with Satyam Gothi
- Determining Risk Less Badly
Community pick of the week
What a bug it must’ve been… Bravo, @xv4yne1!
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!