Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 21 to 28.
Intigriti news
1337UP LIVE
With a little less than 10 days to go, Intigriti proudly presents the 1337UP LIVE CTF and virtual bug bounty conference!
On March 11th, we will kick off with the 24-hour long CTF with challenges from web all the way to binary exploitation. Sign up right now at ctf.intigriti.io.
On March 12th, once the CTF ends, we will directly jump into the live bug bounty conference with astonishing talks by amazing speakers. Check out the line-up over here at www.intigriti.com/1337uplive!
Win some swag!
We’re inviting you to share your opinions!
As a community-driven platform, your feedback is extremely valuable to us. To get to know you better, we would like to ask you to fill out our five-minute survey. At the end of the survey, you will be able to participate in our raffle to win a β¬50 Intigriti swag voucher (there are 20 available). Looking forward to hearing from you!
Our favorite 5 hacking items
1. Challenge of the week
Exploiting Java Tomcat With a Crazy JSP Web Shell – Real World CTF 2022 & Alternative writeup + Docker environment
@LiveOverflow demonstrates how his team solved Desperate Cat, a hard Java web hacking challenge from the Real World CTF.
You can run the Dockerfile locally and try to solve the challenge first, but make sure to watch the incredibly informative video walkthrough.
2. Writeups of the week
Pwning a Server using Markdown
Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager (VMware)
Next time you see markdown that references a file, in a HTTP request, remember to test for LFI. @zombie007o and @nullvoiddeath had the idea because of explicit errors saying that the file requested wasn’t found, then they exploited the LFI to grab SSH keys from the server and get a shell.
The second writeup is about several bugs found by @elk0kc in a VMware product. It is interesting to see how a normalization issue caused authentication bypass, and how a ?
symbol was used to bypass an SSRF filter.
3. Tips of the week
Bypass Java URL protocol validation with “url:”
Using “procedure analyse” to increase the impact of a limited SQL injection
Two cool tricks to have in any Web app hacking arsenal: Java URL validation can be bypassed with the “url:” scheme (e.g. url://http://120.0.0.1:8080), and “procedure analyse” can be the only way to exploit a very limited MariaDB SQL injection.
4. Videos of the week
Jack Cable Talks About His Background, Bug Bounty Methodology, and Hacking the US Government
@InsecureNature Talks About Hacking, Certificate Transparency, TruffleHog, and more!
Did you miss @NahamSec‘s Live Recon interviews? The good news is that seven of them weren’t published (after the live stream) and @NahamSec started releasing them on Youtube.
The bad news is that @NahamSec got super burnt out and sadly had to stop these streams. So, enjoy the last ones!
5. Tool of the week
This Burp extension helps generate Nuclei templates from HTTP requests/responses, with only a few clicks. Writing custom templates has never been so easy, amazing work by @forgedhallpass!
Other amazing things we stumbled upon this week
Videos
- Scanning at lightning-fast speeds! Turbo Intruder – Hacker Tools & Blog post
- Preparing for the OSCP Exam with AD
- ποΈ HTB Stories #7: Meet the one behind LinPEAS – ./carlospolop & HTB Stories #6: Hacking OS 101 with Palinuro
- Ghidra – Pwn Zero To Hero 0x02
- How To Crack ZIP & RAR Files With Hashcat
Podcasts & Audio
Webinars
- Application Security How-To: Kenβs Secure-Code Review of an application codebase. & Repo
- Rise of captain hindsight: Finding Log4Shell with CodeQL
- macOS Security Features Bypasses by Example | Jonathan Bar Or (JBO)
Tutorials
- The most underrated tool in bug bounty. (and the filthiest one liner possible)
- How to Create a Custom SpiderFoot Module
- Fantastic Infrastructure as Code security attacks and how to find them & Repo
- Penetrate the Protected Component in Android Part -2
- Thick Client Penetration Testing β TCP traffic interception using mitm_relay and Burp.
- Exploiting Jenkins build authorization
Writeups
Challenge writeups
- XSS for beginners – Google XSS Game Levels 1 & 2
- List Database Content For Further Exploitation!
- HackTheBox – Driver
- KeepMe Polyhx 24h CTF Writeup
- Writeups of TSJ CTF 2022 web challenges
Pentest writeups
- Give me a browser, Iβll give you a Shell
- SQLi: Next Level
- Bash Tricks for Command Execution and Data Extraction over HTTP/S
Responsible(ish) disclosure writeups
- Logic Flaw Leading to RCE in Dynamicweb 9.5.0 – 9.12.7 #Web #CodeReview
- Remote Code Execution in pfSense <= 2.5.2 #Web #CodeReview
- Extensis Portfolio Vulnerability Disclosure #Web
Bug bounty writeups
- Stealing a few more GitHub Actions secrets (GitHub, $7,500)
- OAuth and PostMessage – Chaining misconfigurations for your access token.
- Write Up β Android Application Screen Lock Bypass Via ADB Brute Forcing
- Hackerone open redirect security alert bypass via view report as PDF (HackerOne, $500)
- How I bypassed PHP functions to read sensitive files on server
See more writeups on The list of bug bounty writeups.
Tools
- HTTPCustomHouse: HTTP request smuggling attack helper/CLI tools to manipulate HTTP packets
- BurpGraphQLViewer: Burp extension that provides a central location for viewing all GraphQL requests/responses
- Ostorlab & Intro: A security scanning platform that enables running complex security scanning tasks involving multiple tools in an easy, scalable and distributed way
- wpgarlic: A proof-of-concept WordPress plugin fuzzer used in this research
- FindUncommonShares: A Python equivalent of PowerView’s Invoke-ShareFinder.ps1 allowing to quickly find uncommon shares in vast Windows Domains
Tips & Tweets
- One of @NahamSec’s favorite and highest bounties
- Recon to SQL injection
- There has never been a better time than right now to get involved with Azure security research
Misc. pentest & bug bounty resources
- API Security Empire
- Awesome Tunneling
- Awesome Cloud Security
- GitHub Advisory Database & Intro
- GitLab community security advisory database & Intro
Articles
- How I use environment variable injection to execute arbitrary commands (in Chinese) & CentOS 7 exploit
- Automating bug bounties & HTTP Proxy
- Samesite: Hax β Exploiting CSRF With The Default Samesite Policy
- Introducing the Golden GMSA Attack
- Rogue RDP β Revisiting Initial Access Methods
- Find You: Building a stealth AirTag clone
Challenges
Bug bounty & Pentest news
- Bug bounty
- Pre-registrations open for pathmapper (It does automated recon and test for path normalization bugs at scale)
- Upcoming events
- Joe Grand’s Open Lab: YouTube Live AMA (March 12)
- Free webinars on Securzy (Prototype pollution on March 11, Amazon Cognito Misc-configurations on March 12, etc)
- Web app hacking streams by @GarrGhar (Every Monday)
- Tool updates