By intigriti
April 2, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 22 to 29 of March.
This paste presents a set of recon steps to expand your bug bounty scope. All of them are well known and documented in most articles on recon, except one which I haven’t seen anywhere before:
Once you have a first list of subdomains (using scraping or bruteforce), split them up to build a new list of subdomains to test for.
For example, let’s say you first found:
test.dev.xyz123123ccc.com
cc.prod.xyz123123ccc.com
The new subdomains to try are:
dev.xyz123123ccc.com
prod.xyz123123ccc.com
It’s a simple idea but might allow you to find new “hidden” subdomains. It is very similar to what Altdns does, but I’m not sure splitting up subdomains like this is included in this tool.
IDOR on Yahoo ($5,000)
Wow, $5,000 for such a simple bug! But the difficulty was thinking about this test…
@JohnH4X00R saw a GET request to /ws/v3/users/fziy4wzxr41k4qwsgumu2v2qymynzat6kclqpwmc/items.
The part in bold was obviously encrypted and he had the feeling that it was his username. So, get this, he replaced it with his unencrypted username (/ws/v3/users/yahoo-username/items) and got a successful response containing his own notes.
Then, he replayed the same request and replaced his plain username with another account’s username, and also got a successful response with the other account’s notes.
This is a classic IDOR, but the genius of this bug was in completely bypassing encryption by replacing the encrypted string with its plain value.
Finally a Windows-based distribution for pentesters! This is the equivalent of Kali Linux for Windows users. It includes many tools (more than 140) for all kinds of tests.
This will be handy if you prefer Windows or if, for some reason, you have to use Windows for a pentest. It happened to me on one or two missions: we had to use a Windows VPN client to remotely access the client’s internal network. And I didn’t have the time to install all tools and prepare a proper Windows attacking environment. This VM would have been really helpful!
How to win big – Several Interesting Examples of Exploiting Financial & Gambling Apps
I would love to see the recording of this OWASP talk! But the slides by themselves are self-explanatory and provide some ideas for testing financial apps and games.
These are examples of how to abuse an app’s logic flow and play with parameters to bypass or manipulate payment, always win against a slot machine, etc.
This is an excellent tutorial if you want to learn about exploiting CORS.
Four pratical examples are given to understand what to do when access is granted to: any domain, the subdomain, the scheme, or when the “null” origin is used.
Also included are: external references, steps for exploiting each scenario, an exploitation payload, and how to set up a MiTM environment to exploit an unvalidated origin scheme.
The Many Hats Club Ep. 36, Scared already? You ain’t heard nothing yet (with Thugcrowd)
The Many Hats Club Ep. 37, Snow in Summer and being a Social Engineer (with Snow)
Ep. #18, Collaborative Security with HackerOne’s Marten Mickos
Application Security Podcast: Georgia Weidman — Mobile, IoT, and Pen Testing
Smashing Security 121: Hijacked motel rooms, ASUS PCs, and leaky apps
Sophos Podcast Ep. 025 – Business Email Compromise and IoT surprises
44con 2018 new videos:
Black Hat Asia 2019 presentation materials, especially:
A Post-Exploitation_tale in real life / Fud WMI for lateral movement (PoC)
Medium to advanced
Metasploit Basics for Hackers, Part 24: The New Evasion Modules in Metasploit 5
Setting malicious Outlook configurations through EWS & EWSToolkit
Beginners corner
Challenge writeups
Automating Discovery and Exploiting DOM (Client) XSS Vulnerabilities using Sboxr — Part 1, Part 2 & Part 3
$50 million CTF writeups
Responsible disclosure writeups
Cisco RV320 Command Injection: RCE in Cisco routers patched by blocking requests with the *curl* user-agent… because the company that disclosed it gave a PoC using curl!
Disclosure of Origin IP of The Exploits Trading Platform 0day.today
Remote command injection through an endpoint security product
R7-2018-43: Username Enumeration in Okta SSO Del Auth through Response Timing
Bug bounty writeups
DoS on Paypal ($3,200)
DoS on Twitter ($1,120)
Privacy violation on Semmle ($100)
See more writeups on The list of bug bounty writeups.
If you don’t have time
HTTP Request Translator: Translate curl commands or HTTP/Json requests to Python Requests code or JSON
Find Security Bugs: The SpotBugs plugin for security audits of Java web applications and Android applications. (Also work with Groovy and Scala projects
SSRFTest: Tool by @daeken to greatly simplify exploitation of SSRF bugs, including automatic AWS credential pulling where possible + Some open issues if you want to contribute to this open source project
Shodan Monitor: Setup network alerts for specific networks or IPs & get a notification when something new shows up
More tools, if you have time
Black Hat Asia 2019 – Arsenal, including:
Mallet: A framework for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic
Real time scrapper (RTS): A tool developed to scrap all pasties,github,reddit..etc in real time to identify occurrence of search terms configured & send email notifications
MQTT-PWN: Framework for IoT pentesting (specifically attacking/exploiting the MQTT protocol
Nmp-scan: An extensible, heuristic-based vulnerability scanning tool for installed npm packages (to detect malicious code
Shodan client: Node.js/JavaScript Library for accessing the new Shodan API
Shodmon: Monitor shodan listed servers based on the filter you provided & get email notifications when something new pops up. Useful if you want to monitor more resources than what Shodan Monitor (mentioned above) allows
Instantbox: Get a clean, ready-to-go Linux box in seconds
Gofuzz: Aims to reproduce wfuzz’s functionality and versatility. Based on gobuster
Linux Exploit Suggester 2: Next-Generation Linux Kernel Exploit Suggester
Dnssecchef: A DNS/DNSSEC interception proxy for penetration testers and security researchers (based on DNSChef
Knary: A simple HTTP(S) and DNS Canary bot with Slack/Discord/MS Teams & Pushover support
Automated-pentest: Minimal docker container of Parrot OS for running an automated scan & pentest report
Get-AdDecodedPassword.psm1: a basic PowerShell script for decoding common passwords stored in Active Directory properties. It’s based on information found on Domain Goodness – How I Learned to LOVE AD Explorer
BloodHound-Tools: Miscellaneous tools for BloodHound
APIsecurity.io Issue 24: Unprotected APIs in implants, storing API secrets
Bounty Hunters Discord server by Friendly @Skeletorkeys
Pwnd Discord server by r3dx00
Vulncode-DB: A database for security vulnerabilities & corresponding source code
GSoC2019 Ideas: Ideas for students interested in improving open source OWASP (security-related) projects, as part of the Google Summer of Code 2019
So you wanna be a pentester? Penetration testing resource guide
Mobisec challs: CTF-like challenges related to mobile security
FliteCTF: Source code of Hacker0x01 $50M CTF
Vulnerabilities
Zero-Day TP-Link SR20 Router Vulnerability Disclosed by Google Dev: TP-Link SR20 router 0-day allows attackers to execute commands as root, no auth required
Hundreds of millions of UC Browser users for Android are threatened: UC Browser, downloaded by over 500,000,000 Google Play users, is vulnerable to RCE via MiTM. Apps can download auxiliary software modules, bypassing Google Play servers
Toyota announces second security breach in the last five weeks
A family tracking app was leaking real-time location data: This one is Family Locator, not to confuse with last week’s spying app also leaking data which was Mobiispy
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers: Supply-chain attack dubbed “Operation ShadowHammer”. Only 600 MAC addresses were targetted. Also Check if your device was targetted
Don’t change your birth year to 2007 to Twitter or you’ll be locked out
Firefox brings Lockbox password manager to Android’s autofill
Spyware vendor defends hacking journalists, continues to embolden abusive governments
Nmap used to discover IP camera in AirBnB rental – The Atlantic
Preinstalled Android apps are harvesting and sharing your data
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 03/22/2019 to 03/29/2019.
Curated by Pentester Land & Sponsored by Intigriti