Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from May 23 to 30.
Our favorite 5 hacking items
1. Article of the week
@PaulosYibelo discovered two scenarios in which CSP can be bypassed if WordPress is hosted on the target website.
In a gist: HTML injection on the main domain + WordPress endpoint on a subdomain = XSS with CSP bypass that can be escalated to RCE.
2. Writeups of the week
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web (Dropbox, Meta / Facebook (Instagram), LinkedIn, WordPress & Zoom)
From open redirect to RCE in one week (Mail.ru)
The first link is a research paper by @ajpaverd and @sudoavi. They explored the topic of account hijacking, focused on five types of account pre-hijacking attacks, and discovered that 35 out of 75 services tested (including Instagram, Zoom, LinkedIn and DropBox) were vulnerable to these attacks.
The second writeup is a fantastic tale of persistence by @ByQwert. It reads like a detective story that started with open redirect and ended with RCE, with LFI, SSRF and insecure deserialization in between.
3. Vulnerabilities of the week
VMware Authentication Bypass Vulnerability (CVE-2022-22972)
- Technical Deep Dive by @Horizon3Attack
- @assetnote’s code review to find the root cause
- Nuclei template
Microsoft Windows Support Diagnostic Tool RCE (CVE-2022-30190 / Follina)
- Analyses by Rapid7, Huntress & @GossiTheDog
- Videos by @_JohnHammond & SANS
- PoCs by @_johnhammond & @chvancooten
- Remediation Guidance by Microsoft
CVE-2022-22972 is an authentication bypass in some VMware products. Basically, they send authentication requests to the server specified in the Host header. Since this header can be controlled by the user, it is possible to point it to a server that always returns the 200 HTTP response code, validating all authentication requests (without having correct credentials).
The vulnerability is simple to exploit, but it is worth going through the analyses if you are interested in finding this type of bugs with code review and patch analysis.
Follina a.k.a. CVE-2022-30190 is an RCE vector that allows apps like Word to execute code (without macros) by calling MSDT using the URL protocol. It was noticed as a 0-day being exploited in the wild, but was first mentioned in 2020 in a rather interesting thesis on Electron security.
4. Videos of the week
@gregxsunday explains his coolest exploit, an SSRF chained with phishing. An unusual combination that escalated the SSRF’s impact and doubled his bounty.
@Yassineaboukir‘s interview is one of those where I took a lot of notes. So many good insights shared on recon, content discovery, learning, favorite tools, Burp plugins, etc.
5. Resources of the week
Did you know that Turbo Intruder could use Burp’s plugin API? That is what @defparam shows with this example script that listens while you’re browsing, and re-plays requests with different HTTP methods.
The second resource is @dee__see‘s cheatsheet for reverse engineering apps written in Scala, Clojure, Groovy and Kotllin.
Other amazing things we stumbled upon this week
- Bug Bounty 101: #19 – Android Mobile App Testing with Burpsuite
- SSRF in 100 seconds
- Wireshark for Cybersecurity w/ Chris Greer!
- 🎙️ HTB Stories #9: AmA with IppSec
- Manually Parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers
- Getting The Most Out Of The SANS Pivot Cheat Sheet
- What C2 do I need?
- Social Engineer Your Way Into Your First InfoSec Job with Volkis
- Getting Into Penetration Testing for Beginners
- [FR] Sthack 2022 : Tales from a successful bug bounty hunter – Daniel Le Gall
- Ben Sadeghipour – Would I even be here if it wasn’t for the Internet?
Medium to advanced
- Using a cloud Mac with a local iOS device
- Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022
- Capitalizing on BloodHound’s Data: Cypher, Object Ownerships and Trusts
- BloodHound Inner Workings & Limitations – Part 1: User Rights Enumeration Through SAMR & GPOLocalGroup, Part 2: Session Enumeration Through NetWkstaUserEnum & NetSessionEnum & Part 3: Session Enumeration Through Remote Registry & Summary
- Customized Hacker Shell Prompts
- Intro To Web App Security Testing: Burp Suite Tips & Tricks
- Social Media Take Over = Easy Money
- Sniffing TLS traffic on Android
- Testing Non-Proxy Aware Mobile Applications Through a VPN
- HackTheBox – AdmirerToo & Blog post
- Approaching CTF OSINT Challenges — Learn by Example (NahamCon CTF)
- Solving “Click Me” & “Secure Notes” (mobile) (NahamCon CTF)
- Heap BINARY EXPLOITATION w/ Matt E!
- Breaking out of Windows Kiosks using only Microsoft Edge
- Reversing an Android App to Code Execution on their Server
- DOMAIN ADMIN Compromise in 3 HOURS
Responsible(ish) disclosure writeups
- 2nd RCE and XSS in Apache Struts 2.5.0 – 2.5.29 #Web
- Android apps with millions of downloads exposed to high-severity vulnerabilities #Android
- Hijacking webcams with Screencastify #BrowserExtension #Web
- Mass Account Takeover In The Yunmai Smart Scale API
- CVE-2022-25237: Bonitasoft Authorization Bypass and RCE #Web #CodeReview
- Analysis of CVE-2022-22978 – Authorization Bypass in Spring Security RegexRequestMatcher
- A New Exploit Method for CVE-2021-3560 PolicyKit Linux Privilege Escalation
Bug bounty writeups
- Zoom: Remote Code Execution with XMPP Stanza Smuggling (Zoom)
- Stored XSS in Notes (with CSP bypass for gitlab.com) (GitLab, $13,950)
- CVE-2022-21404: Another Story Of Developers Fixing Vulnerabilities Unknowingly Because Of CodeQL (Oracle)
See more writeups on The list of bug bounty writeups.
- goodfaith: Stay within program scope
- IISRecon: IIS shortname scanner (uses ffuf, sns and arjun)
- PyHackTheBox: Unofficial Python library to interact with the Hack The Box API
- UPnProxyChain & Intro: A tool to create a SOCKS proxy server out of UPnProxy vulnerable device(s)
- Max: Maximizing BloodHound with a simple suite of tools
Tips & Tweets
- A fascinating file upload trick
- Bruteforcing directories and parameters at the same time
- Internal assets = sensitive
- @Melotover’s last P1 submission
- Using URL hash fragments for Reflected XSS without user interaction
- How to access photos, videos, and audio on mobile using HTML file inputs
- @tabaahi_’s life changing bug bounties
Misc. pentest & bug bounty resources
- Breaking Into Cloud Security
- Practical Web Application Security & Testing (New TCM Security Academy course, $29.99)
- zap-scripts: OWASP ZAP Scripts for finding CVEs and Secrets
- UNREDACTED Magazine – Issue 002
- Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms
- Customising Blacklist3r for OWIN OAuth Access Tokens
- Exploiting Leaked Handles for LPE & LHF – Leaked Handles Finder
- Spoofing Microsoft 365 Like It’s 1995
- Intigriti’s May XSS challenge By @PiyushThePal
- NorthSec CTF Mini-Challenge
- CyberHeroes (TryHackMe free room)
Bug bounty & Pentest news
- Tool updates