Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from January 24 to 31, 2022.
Our favorite 5 hacking items
1. Vulnerability of the week
PwnKit or CVE-2021-4034 is a Local Privilege Escalation in polkit’s pkexec that was discovered by Qualys researchers.
It is noteworthy because it affects all major Linux distributions by default and all pkexec versions since 2009. Actually, @ryiron blogged about the root cause behind it in 2013.
Also, the vulnerability is exploitable reliably even though it is a memory corruption bug.
To practice, there is a free TryHackMe room, and some exploits by the community:
2. Writeups of the week
Hacking Google Drive Integrations (Dropbox, $17,576)
How I could have read your confidential bug reports by simple mail? (Microsoft)
A story of leaking uninitialized memory from Fastly (Fastly)
These are three entirely different types of findings but all very impressive and worth reading: @rootxharsh found a full read SSRF on Google Drive integrations in Drobox, @Sudhakarmuthu04 found a way to read other bug hunters’ reports on the Microsoft research portal, and @emil_lerner discovered a memory leak in the QUIC (HTTP/3) implementation of the H2O webserver.
3. Conference of the week
Recordings from Black Hat Europe 2021 were just released! Need I say more?
Maybe only that slides and whitepapers can be found here, and @albinowax really recommends @_danielthatcher‘s talk “Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond”.
4. Video of the week
I’m really enjoying these daily bug bounty recaps by @PinkDraconian. They are crisp and easy to digest, a fun way to stay up-to-date or get clarifications on writeups you’re struggling to understand.
5. Tools of the week
CodExt is both a CLI tool and Python library for encoding/decoding anything. It extends the Python coded library with 120+ new codecs and has a “guess mode”.
I know there are many tools that do the same thing, but if you prefer the CLI and need support for both Bash and Python, this is a handy alternative.
Har Har Har Viewer is another useful tool. Like its name suggests it is a HAR viewer, worth bookmarking for the next time you need to handle HAR files.
Other amazing things we stumbled upon this week
- Fuzzing Java to Find Log4j Vulnerability – CVE-2021-45046
- Escalating Your Bugs With GDPR Impact
- Web App Pentesting – HTTP Headers & Methods & Web App Pentesting – Setting Up OWASP bWAPP With Docker
- Enumerating 100 targets at once! Meg – Hacker Tools & Blog post
- Kiosk Breakout & HOW TO Install Windows 11: VMware Workstation
Podcasts / Audio
- AppSec Triage: Finding Needles in the Application Haystack
- Fixing OSS Security Vulnerabilities at Scale!
- A Master Class on Offensive MSBuild
- HEK.SI 2022 – Bypassing UAC With UACMe
- Attacking Modern Environments Series: Attack Vectors on Terraform Environments
Slides & Workshop material
Medium to advanced
- Password spraying and MFA bypasses in the modern security landscape
- How To Extract Credentials from Azure Kubernetes Service (AKS)
- How to disable XXE processing? #BlueTeam
- RBCD WebClient attack
- Vulnerabilities that aren’t. Cross Site Tracing / XST
- A Tale of DOM-based XSS!
- How To Get Started Hacking Django Based Applications
- The shades of tunneling
- HackTheBox – Anubis
- Open Redirect Leading to OAuth Access Token Disclosure!
- Healthcare with S1REN!
- ATM/Kiosk Hacking
- My SQLi adventure or: why you should make sure your WAF is configured properly
- The Organization, Vendor & Application Security
- AD CS: weaponizing the ESC7 attack
Responsible(ish) disclosure writeups
- Paranoids’ Vulnerability Research: PrinterLogic Issues Security Alert #Printer
- Bypassing Little Snitch Firewall with Empty TCP Packets #MacOS
- Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters #CLI
- CVE-2022-23968: Xerox vulnerability allows unauthenticated users to remotely brick network printers (UPDATED) #Printer
Bug bounty writeups
- Moodle: Blind SQL Injection (CVE-2021-36393) and Broken Access Control (CVE-2021-36397) (Moodle)
- The Story of a RCE on a Java Web Application
- Bypassing SSRF Protection to Exfiltrate AWS Metadata from LarkSuite (Lark Technologies)
- Microsoft OneDrive For Macos Local Privilege Escalation (Microsoft)
- CVE-2020-0696 – Microsoft Outlook Security Feature Bypass Vulnerability (Microsoft)
- WPA2-Enterprise/EAP Subject Matching Vulnerability (Google Chromium, $3000)
- CVE-2022-0185 – Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google’s KCTF Containers (Google, $31,337)
See more writeups on The list of bug bounty writeups.
- pty4all & Intro: Persistent multi reverse pty handler
- PurplePanda: Identify privilege escalation paths within and across different clouds
- LDAP Relay Scan: Check for LDAP protections regarding the relay of NTLM authentication
Tips & Tweets
- HTML injection in PDF generators
- Try random stuff, get random results
- A couple of “fun” GitHub behaviors
- Updates to PortSwigger’s XSS cheat sheet: 1, 2, 3 & 4
- Did you know that local files in Windows can be accessed with
Misc. pentest & bug bounty resources
- Awesome WebSockets Security & WebSockets Playground
- Trickest Log4j & Collaboration with @Six2dez1 to automate updating OneListForAll
- Frida HandBook (learnfrida.info)
- RTCSec newsletter – STIR/SHAKEN DoS, Cisco phone passwords, Zoom and Yealink
- Stratus Red team: Granular, Actionable Adversary Emulation for the Cloud (like “Atomic Red Team™” for the cloud)
- Recovering redacted information from pixelated videos
- .NET Remoting Revisited
- Unauthenticated Dumping of Usernames via Cisco Unified Call Manager (CUCM)
- ldd arbitrary code execution
- Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA
- Delegate to KRBTGT service
- A list for free Penetration Testing & Red Teaming Labs to build locally
- A free HTB machine added every month to the Starting Point Track
Bug bounty & Pentest news
- Bug bounty
- Upcoming events