By Anna Hammond
April 21, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 12 to 19.
Intigriti’s 0421 XSS challenge – by @terjanq
BSides Canberra videos are up! You know what this means? AssetNote’s presentation of KiteRunner and “Context Aware Content Discovery” is available to watch.
If you found the tool and blog post (featured in Bug Bytes 118) interesting but prefer video, you now have a great 50-minute talk to catch up on.
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027) (Facebook)
Allow arbitrary URLs, expect arbitrary code execution
The first writeup is about a Man-in-the-Disk vulnerability that CENSUS researchers found in WhatsApp messenger for Android. It is a pretty impressive bug chain involving Chrome SOP bypass to access files in /sdcard, stealing WhatsApp’s TLS secrets stored in /sdcard, and hijacking the download of a ZIP file to replace it with a malicious one and get RCE.
The second writeup is about 1-click code execution vulnerabilities @positive_sec found in Telegram, Nextcloud, VLC, Wireshark and other desktop apps. It is interesting to see how different operating systems behave when insecure URLs (with different schemes) are opened, and how this can lead to so many RCEs!
Live Recon and Automation on Shopify’s Bug Bounty Program with @TomNomNom
API Recon with Kiterunner – Hacker Toolbox
The only thing I enjoy more than a bug hunter’s interview is a hands-on hacking session! In this one (first video), we get a sneak peek at @TomNomNom’s approach to recon and automation, and how he uses some of the tools he’s created that many of us use (waybackurls, httprobe, gf, meg, etc.).
The second video by @InsiderPhD is an introduction to KiteRunner. If you’re curious to know what makes this tool special and how to quickly start using it, this is the perfect guide.
phpggc-generate-payloads.sh
AutoGraphQL & Video How-to guide
phpggc-generate-payloads.sh by @honoki is a Bash script that automatically generates RCE payloads for all gadget chains in PHPGGC. It’s a time saver when you’re testing PHP apps for insecure deserialization and want to quickly identify the RCE gadget chain that works.
AutoGraphQL is @ngalongc’s online tool that helps speed up the process of GraphQL authorization testing. Given a schema URL and user credentials, it generates mutations and queries that you can quickly execute (using the different creds). This allows you to easily identify any authorization issues.
Hacking AWS: HackerOne & AWS CTF 2021 writeup
HackTheBox – Laboratory
The first writeup is about a realistic AWS/SSRF bug chain that @d0nutptr and @NahamSec encountered on a real target and recreated as a CTF. Whether you played the challenge or not, it’s a good read to maybe learn something new about AWS exploitation.
The second walkthrough is a fun mix of exploiting an old GitLab instance, digging into a bug bounty report, escalating LFI to RCE, and privilege escalation. Note that the box is retired, so if you have a paid HackTheBox subscription, it’s better to attempt solving it before watching the walkthrough.
Fundamentals of Bug Bounty Recon & The Most Misunderstood Element: Recon
Hacking Facebook in 3 different ways for $54,800 – Bug Bounty Reports Explained
Lineage OS, Rooting & Custom ROMs – Hacking Android – Sniffing Android ’10’ HTTPS traffic – Part 03
Security Conversations 63 – Shubs Shah on finding riches (and lessons) from bug bounty hacking
DAY[0] Episode 73 – Windows Bugs, Duo 2FA Bypass, and some Reverse Engineering
Homogeneity Attacks – Is FLoC All That Bad?, Humble Bundle For Programmers, Chrome 90
Exploiting weak configurations in Google Cloud Identity Platform
Rainbow Tables (probably) aren’t what you think — Part 1: Precomputed Hash Chains & Part 2: Probability, Efficiency, and Chain Collisions
SQL Injection – Lab #7 SQL injection attack, querying the database type and version on Oracle (video)
An IDOR that could have led to stealing money from a Fintech company
Doyensec Teleport Security Auditing Report 2020 #PentestReport
When a Denial of Service matters: fighting with risk assessment guys
Airstrike Attack – FDE bypass and EoP on domain joined Windows workstations (CVE-2021-28316) #Wifi #AD
This WhatsApp vulnerability is pretty stupid, but it can lock you out of your account indefinitely
xscreensaver can be used to run tcpdump without root on debian
(POC) Remove any Facebook’s live video ($14,000 bounty) (Facebook, $14,000)
Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027) (Facebook)
Google Photos : Theft of Database & Arbitrary Files Android Vulnerability (Google, $1,337)
How I got 9000 USD by hacking into iCloud (Apple, $9,000)
RCE via unsafe inline Kramdown options when rendering certain Wiki pages (GitLab, $20,000)
Ability to DOS any organization’s SSO and open up the door to account takeovers (Grammarly, $10,500)
See more writeups on The list of bug bounty writeups.
HttpDoom: Validate large HTTP-based attack surfaces in a very fast way (inspired by Aquatone)
AWS Service Enumeration: AWS service enumeration and information gathering for compromised AWS account credentials
goop: Yet another tool to dump a git repository from a website
GodSpeed: Fast and intuitive manager for multiple reverse shells
Airstrike: Automatically grab and crack WPA-2 handshakes with distributed client-server architecture
Login with Google even though it’s restricted to a company’s domain
WAF SQL injection bypasses for when you can’t use commas (,)
No Sandbox: Apps that run Chromium without the sandbox
Windows & Active Directory Exploitation Cheat Sheet and Command Reference
busk3r/genericuniversity: @InsiderPhD’s Generic University dockerized
Hiding Behind the Front Door #DomainFronting
Conferences:
Tools updates:
@vict0ni’s secret to successful hacks and CVEs? Finding inner peace in nature while rocking our swag. Excellent advice! 👏🧘♂️
Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!