Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from September 13 to 20.
Our favorite 5 hacking items
1. Conferences of the week
HacktivityCon2021 – Red Team Village
Shubham Shah – Hacking on Bug Bounties for Five Years (part of CrikeyCon 7 (2021))
H@cktivitycon was this weekend and featured a lot of amazing talks as expected. The main stage videos haven’t made it to Youtube yet but there is enough to keep anyone busy for a while with the Red Team Village talks.
One talk that I find particularly interesting is a hands-on CodeQL workshop by @pwntester. Given how often he finds and publishes RCEs and critical bugs, it is a good opportunity to learn about code review and CodeQL from him.
Another excellent talk is @infosec_au sharing his five-year bug bounty journey. It is full of insights, bug examples and lessons for new bug hunters.
2. Writeups of the week
NSA Meeting Proposal for ProxyShell
PowerShell script, Unicode quotes and ウィンドウズ – a story of uncommon command injection
@irsdl explored combining the recent Exchange vulnerabilities named NSA Meeting and ProxyShell for maximum impact. Though he didn’t publish the fully working exploit, the writeup includes a lot of juicy details on debugging Exchange, WAF bypass and bypassing limitations related to the ‘Content-Type’ header.
Another really good writeup is about an unusual RCE in ManageEngine ADSelfService Plus found by Krzysztof Andrusiak and Marcin Ogorzelski. It involves PowerShell script injection caused by Unicode characters not being properly sanitized.
3. Tutorials of the week
Beginners Guide to 0day/CVE AppSec Research
Vulnerability Digging With CodeQL
These are great guides to learn about source code review. One is @0xBoku‘s methodology for choosing a target app and discovering 0-days/CVEs. The other shows how @mtimo44 got his first CodeQL bounty by creating a query for CVE-2016-3427 (a Java JMX deserialization).
4. Vulnerability of the week
OMIGOD: Critical Vulnerabilities in OMI Affecting Countless Azure Customers
Wiz researchers discovered four bugs in OMI, a software agent used by many Azure services. Three are privilege escalations and one is an unauthenticated RCE where you get root just by removing the Authentication header. So critical yet so easy to exploit!
If you want to practice this, there is a free BugHuntrIO lab, or you can play with OMI locally like IppSec did.
In terms of public exploits, you can use a Nuclei template or this Python PoC.
Lastly if you need to advise defenders, Microsoft published this additional guidance and OMIcheck, a tool to detect vulnerable OMI installations.
5. Tools of the week
Trufflehog Chrome Extension & Intro
Other amazing things we stumbled upon this week
Slides & Workshop material
Medium to advanced
Responsible(ish) disclosure writeups
0-day & N-day vulnerabilities
Bug bounty writeups
See more writeups on The list of bug bounty writeups.
- rpckiller: xmlrpc.php pingback checker
- cswsh-scanner & Usage tip: Scanner for Cross-Site WebSocket Hijacking
- FAV/E: Search for vulnerabilities and exposures while filtering based on age, keywords, and other parameters
- CVESearch: Query various sources for CVE proof-of-concepts
Misc. pentest & bug bounty resources
Bug bounty & Pentest news