By Anna Hammond
December 8, 2021
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from November 29 to December 6.
Intel chooses Intigriti as its bug bounty vulnerability management platform
Orange Tsai’s HITCON CTF 2021 Challenges
@orange_8361 published the code for some HITCON CTF 2021 challenges. I found Metamon-Verse really interesting, but I won’t say more to avoid spoiling it.
If you’re stuck, here is a writeup for Metamon-Verse and a hint for W3rmup-PHP.
SSRF vulnerability in AppSheet – Google VRP (Google, $6,267.4)
AWS SageMaker Jupyter Notebook Instance Takeover (Amazon)
@david_nechuta shared a cool SSRF on Google AppSheet, with an interesting bypass involving HTTP headers.
The other noteworthy writeup is about a self-XSS that can be chained with CSRF to completely take over AWS SageMaker Jupyter Notebook instances. The technique is similar to @S1r1u5_'s Cookie Tossing to RCE on Google Cloud JupyterLab.
10 Unknown Security Pitfalls for Python
This article covers ten lesser-known bad coding practices that SonarSource researchers encounter when doing Python code review assessments.
Before diving into the article, make sure to try solving this related code review challenge.
csg (“Credential Storage with Go”) & Intro
Proxy Agent & Intro
csg is a Go tool that helps organize and store credentials. Think of it as a command-line password manager for credentials you only need temporarily, for example for the duration of a CTF.
Another handy tool is Proxy Agent. If you often need to set up Burp on your rooted Android device, it will help speed up the process.
Learning Containers From The Bottom Up: Efficient Learning Path to Grasp Containers Fundamentals
webapp-wordlists & @podalirius_’s Cyber Advent 2021
After years spent studying containers, @iximiuz created a learning path that walks us through this complex topic. Whether you want to hack containers or just use them in your day-to-day work, check out the first resource. It is amazing: informative, covering advanced topics, yet beginner friendly.
@podalirius_ has been posting one new article or tool every day, and will continue doing so until Christmas.
One of them is webapp-wordlists, a repository of path and directory wordlists for many CMSs. Having this collection of endpoints is valuable for fingerprinting CMSs when testing Web apps.
The Python scripts used to generate the wordlists are also included, so you can tweak them to generate wordlists for any missing CMS.
Bypassing MFA, WebCache Poisoning, and AWS SageMaker [Bounty Hunting Podcast]
Hack’n Speak 0x14 – Podalirius | Retour sur LDAPMonitor, pydsinternals et le rebuild d’un AS400 (in French)
The Infinite Game of Vulnerability Research (and other No Hat 2021 talks)
Black Hat USA 2021 – Many new videos added, including:
Diving in to Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer
MFA-ing the Un-MFA-ble: Protecting Auth Systems’ Core Secrets
Certified Pre-Owned: Abusing Active Directory Certificate Services
ALPACA: Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication
ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery, and Webshells & Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
Grafana path traversal (CVE-2021-43798), PoC by @jas502n, Nuclei template & The vulnerable function
Arbitrary package tampering in Deno registry + Code Injection in encoding/yaml #CodeReview
F-Secure discovers vulnerabilities affecting over 150 HP printer models #Printer
How PwC found a zero-day vulnerability during a penetration test for a client (CVE-2021-21234) & CVE-2021-21234 Spring Boot Actuator Logview Directory Traversal
CVE-2021-21980: Unauthenticated AMF deserialization in VMware vCenter Server
Notes and PoC for ManageEngine ADManager Plus CVE-2021-37928
NodeBB 1.18.4 – Remote Code Execution With One Shot (NodeBB, $1,536)
Write Up – XSS Stored In files.slack.com Via XML/SVG File (iOS) – $1,000 USD (Slack, $1,000)
Easy SQLi in Amazon subsidiary using Sqlmap (Amazon, $1,500)
Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion (Evernote, $5,000)
Windows 10 RCE: The exploit is in the link (Microsoft, $5,000)
This shouldn’t have happened: A vulnerability postmortem (Mozilla)
See more writeups on The list of bug bounty writeups.
Eval Villain & Intro: ZAP / Firefox add-on to inspect arguments to arbitrary native JavaScript functions (similar use cases to DOM Invader in Burp but with more configuration options)
pip-audit & Intro: A tool for scanning Python environments for known vulnerabilities
Cracken: A fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in Rust
ipsourcebypass: Python script that checks for IP source restrictions bypass using HTTP headers
Something to try when you find an external SSRF and can’t hit internal URLs
Script to fingerprint Script Gadgets to use to exploit Prototype Pollution
How @GodfatherOrwa finds 90% of their SQL injection vulnerabilities
Subdomain Enumeration Guide 2021 (new update)
A First Introduction to System Exploitation (With Georgia Tech’s “pwnable” challenges)
Can you create the shortest XSS vector that triggers in all contexts?
XMGoat & Intro: Terraform templates that build insecure Azure environments
Azure Privilege Escalation via Azure API Permissions Abuse, Recording of the talk & Slides
Lateral Movement With Managed Identities Of Azure Virtual Machines
Bug bounty
Upcoming events
2021 SANS Holiday Hack Challenge & KringleCon (December 10)
Introduction to Azure Penetration Testing (December 18)
BountyConEDU 2022 (Spain) (deadline to apply is December 31)
Tool updates