Bug Bytes #119 – AutoGraphQL, WhatsApp MitD & Desktop apps mishandling bad URIs

By Anna Hammond

April 21, 2021

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from April 12 to 19.

Intigriti News

Intigriti’s 0421 XSS challenge – by @terjanq

Our favorite 5 hacking items

1. Conference of the week

BSides Canberra 2021

BSides Canberra videos are up! You know what this means? AssetNote’s presentation of KiteRunner and “Context Aware Content Discovery” is available to watch.

If you found the tool and blog post (featured in Bug Bytes 118) interesting but prefer video, you now have a great 50 min talk to catch up on.

2. Writeups of the week

Remote exploitation of a man-in-the-disk vulnerability in WhatsApp (CVE-2021-24027) (Facebook)
Allow arbitrary URLs, expect arbitrary code execution

The first writeup is about a Man-in-the-Disk vulnerability that CENSUS researchers found in WhatsApp messenger for Android. It is a pretty impressive bug chain: a Chrome same-origin-policy bypass to read files from /sdcard, theft of the TLS session secrets that WhatsApp stored on /sdcard, and hijacking of a ZIP file download (swapping in a malicious archive) to get remote code execution. The root cause is the classic one for this bug class: external storage is world-readable and world-writable to any app holding the storage permission, so nothing security-sensitive should live there.

The second writeup is about 1-click code execution vulnerabilities @positive_sec found in Telegram, Nextcloud, VLC, Wireshark and other desktop apps. It is interesting to see how differently each operating system behaves when an app hands an attacker-controlled URL (with an unexpected scheme) to the default handler, and how many RCEs that leads to when the app does not restrict which URLs it will open.
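The bug class in the second writeup is easiest to prevent with an allowlist on the URL before the app passes it to the operating system's opener, rather than a denylist of known-bad schemes that differs per OS. The check below is an added example written for this issue, not code from any of the affected apps or from @positive_sec; the allowed schemes, the blanket rejection of backslashes, the length limit and the sample URLs are my own assumptions about what a safe-to-open check should accept and reject.

```python
from urllib.parse import urlsplit

# Assumption: a chat or productivity app only ever needs to open web links.
# Anything else (file:, smb:, UNC paths, custom handlers) stays with the app.
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LEN = 2048  # arbitrary sanity bound, an assumption of this example


def is_safe_to_open(raw: str) -> bool:
    """Return True only for URLs that may be handed to the OS default opener."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_URL_LEN:
        return False
    # Control characters and whitespace break parsers in OS-specific ways;
    # reject them before any parsing happens.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in raw):
        return False
    # Backslashes: "\\host\share\evil.exe" is a UNC path on Windows, and some
    # handlers normalise "\" to "/", so "http:\\host\x" is not what it looks like.
    if "\\" in raw:
        return False
    parts = urlsplit(raw)  # lowercases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # "http:example.com" parses with an empty authority; require a real host.
    if not parts.hostname:
        return False
    # Userinfo lets "http://trusted.example@attacker.example/" mislead the user.
    if parts.username or parts.password:
        return False
    return True


def triage(urls):
    """Split a batch of candidate links into those the app may open and those it must not."""
    safe = [u for u in urls if is_safe_to_open(u)]
    blocked = [u for u in urls if not is_safe_to_open(u)]
    return safe, blocked


if __name__ == "__main__":
    # Constructed samples: one legitimate link and the kinds of URLs the
    # writeup shows being forwarded to the OS.
    samples = [
        "https://example.com/path?q=1",
        "file:///etc/passwd",
        "smb://attacker.example/share/x",
        r"\\attacker.example\share\evil.exe",
        "http://user@example.com/",
        "http:example.com",
    ]
    safe, blocked = triage(samples)
    print("safe:   ", safe)
    print("blocked:", blocked)
```

Keep the allowlist as the single decision point: if a new feature needs `mailto:` or a custom scheme, add it deliberately and review what the handler for that scheme does on every supported OS.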

3. Videos of the week

Live Recon and Automation on Shopify’s Bug Bounty Program with @TomNomNom
API Recon with Kiterunner – Hacker Toolbox

The only thing I enjoy more than a bug hunter’s interview is a hands-on hacking session! In this one (the first video), we get a sneak peek at @TomNomNom’s approach to recon and automation, and at how he uses some of the tools he created that many of us rely on (waybackurls, httprobe, fg, meg, etc.).

The second video by @InsiderPhD is an introduction to KiteRunner. If you’re curious to know what makes this tool special and how to quickly start using it, this is the perfect guide.

4. Tools of the week

phpggc-generate-payloads.sh
AutoGraphQL & Video How-to guide

phpggc-generate-payloads.sh by @honoki is a Bash script that automatically generates RCE payloads for all gadget chains in PHPGGC. It’s a time saver when you’re testing PHP apps for insecure deserialization and want to quickly identify the RCE gadget chain that works.

AutoGraphQL is @ngalongc’s online tool that helps speed up GraphQL authorization testing. Given a schema URL and a set of user credentials, it generates queries and mutations for every operation in the schema, which you can then execute once per set of credentials and compare. Seeing side by side which principal gets data back from which operation makes authorization issues easy to spot.
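The differential test AutoGraphQL automates is worth seeing end to end. The script below is an added example for this issue, not AutoGraphQL’s code: it builds one document per operation from a constructed schema summary (a stand-in for what a tool derives from introspection), runs each document as every principal, and lists the operations the low-privilege account could execute against someone else’s id. The schema, the in-process `fake_endpoint` (with two deliberately constructed authorization gaps) and the tokens are all made up for the example; against a real target `send` would be an HTTP POST to the GraphQL endpoint.

```python
import json
import re

# Constructed schema summary: operation name, argument types, selectable fields.
SCHEMA = {
    "query": [
        {"name": "me", "args": {}, "fields": ["id", "email"]},
        {"name": "user", "args": {"id": "ID!"}, "fields": ["id", "email"]},
        {"name": "allUsers", "args": {}, "fields": ["id", "email"]},
    ],
    "mutation": [
        {"name": "updateEmail", "args": {"id": "ID!", "email": "String!"},
         "fields": ["id", "email"]},
        {"name": "deleteUser", "args": {"id": "ID!"}, "fields": ["id"]},
    ],
}


def placeholder(arg_type: str, target_id: str) -> str:
    """Pick a literal for an argument; ID arguments point at the victim's object."""
    base = arg_type.rstrip("!")
    if base == "ID":
        return json.dumps(target_id)
    if base == "String":
        return json.dumps("probe@example.com")
    if base == "Int":
        return "1"
    if base == "Boolean":
        return "true"
    raise ValueError(f"no placeholder for {arg_type}")


def build_document(kind: str, op: dict, target_id: str) -> str:
    """Render one operation as a GraphQL document, e.g. 'query { user(id: "1") { id email } }'."""
    args = ", ".join(f"{n}: {placeholder(t, target_id)}" for n, t in op["args"].items())
    call = f"{op['name']}({args})" if args else op["name"]
    return f"{kind} {{ {call} {{ {' '.join(op['fields'])} }} }}"


# --- Constructed stand-in for the target API (not a real server) ---------------
USERS = {"1": {"id": "1", "email": "alice@example.com", "role": "admin"},
         "2": {"id": "2", "email": "bob@example.com", "role": "user"}}
TOKENS = {"admin-token": "1", "user-token": "2"}
OP_RE = re.compile(r"^(query|mutation)\s*\{\s*(\w+)\s*(?:\(([^)]*)\))?")


def fake_endpoint(document: str, token: str) -> dict:
    """Answer a document the way a GraphQL server would, with two constructed authz gaps."""
    kind, name, raw_args = OP_RE.match(document).groups()
    args = dict(re.findall(r'(\w+):\s*"([^"]*)"', raw_args or ""))
    caller = USERS[TOKENS[token]]
    is_admin = caller["role"] == "admin"
    target = USERS.get(args.get("id", caller["id"]))
    denied = {"data": None, "errors": [{"message": "forbidden"}]}
    if name == "me":
        return {"data": {"me": {"id": caller["id"], "email": caller["email"]}}}
    if name == "user":  # constructed gap: no ownership check on the id argument
        return {"data": {"user": {"id": target["id"], "email": target["email"]}}}
    if name == "allUsers":
        return {"data": {"allUsers": list(USERS.values())}} if is_admin else denied
    if name == "updateEmail":  # constructed gap: authenticated, but id is not checked
        return {"data": {"updateEmail": {"id": target["id"], "email": args["email"]}}}
    if name == "deleteUser":
        return {"data": {"deleteUser": {"id": target["id"]}}} if is_admin else denied
    return denied


# --- The differential test itself -----------------------------------------------
def run_matrix(schema: dict, send, tokens: dict, target_id: str) -> dict:
    """For every operation and every principal, record whether the server returned data."""
    matrix = {}
    for kind, ops in schema.items():
        for op in ops:
            doc = build_document(kind, op, target_id)
            row = {}
            for principal, token in tokens.items():
                data = send(doc, token).get("data") or {}
                row[principal] = "allowed" if data.get(op["name"]) is not None else "denied"
            matrix[op["name"]] = row
    return matrix


def review_candidates(matrix: dict, low_priv: str, self_serve=()) -> list:
    """Operations the low-privilege principal could run against another user's id.

    Whether each one is a bug depends on the business logic, so the output is a
    review list, not a verdict; operations known to be self-serve can be excluded.
    """
    return sorted(name for name, row in matrix.items()
                  if row[low_priv] == "allowed" and name not in self_serve)


if __name__ == "__main__":
    principals = {"admin": "admin-token", "user": "user-token"}
    matrix = run_matrix(SCHEMA, fake_endpoint, principals, target_id="1")
    for name, row in matrix.items():
        print(f"{name:12} " + "  ".join(f"{p}={r}" for p, r in row.items()))
    print("review:", review_candidates(matrix, "user", self_serve=("me",)))
```

Run with the victim id of an account you also control, so a mutation that succeeds only touches your own test data; the matrix then shows the two constructed gaps (`user` and `updateEmail`) as operations the ordinary user could run against the admin’s id.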

5. Challenge walkthroughs of the week

Hacking AWS: HackerOne & AWS CTF 2021 writeup
HackTheBox – Laboratory

The first writeup is about a realistic AWS/SSRF bug chain that @d0nutptr and @NahamSec encountered on a real target and recreated as a CTF. Whether you played the challenge or not, it’s a good read to maybe learn something new about AWS exploitation.

The second walkthrough is a fun mix of exploiting an old GitLab instance, digging into a bug bounty report, escalating LFI to RCE, and privilege escalation. Note that the box is retired, so if you have a paid HackTheBox subscription, it’s better to attempt solving it before watching the walkthrough.

Other amazing things we stumbled upon this week

Videos

Podcasts

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • HttpDoom: Validate large HTTP-based attack surfaces in a very fast way (inspired by Aquatone)

  • AWS Service Enumeration: AWS service enumeration and information gathering for compromised AWS account credentials

  • goop: Yet another tool to dump a git repository from a website

  • GodSpeed: Fast and intuitive manager for multiple reverse shells

  • Airstrike: Automatically grab and crack WPA-2 handshakes with distributed client-server architecture

Tips & Tweets

Misc. pentest & bug bounty resources

Challenges

Articles

Bug bounty & Pentest news

Non technical

Community pick of the week

@vict0ni’s secret to successful hacks and CVEs? Finding inner peace in nature while rocking our swag. Excellent advice! 👏🧘‍♂️

Do you also have bug bounty wins, swag and joys to share with other Bug Bytes readers? Tag us on social media, we love to hear from you!
