Bug Bytes #161 – Java Tomcat challenge, LFI via Markdown & Nuclei + Burp = Love

By Anna Hammond

March 2, 2022

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.


This issue covers the week from February 21 to 28.

Intigriti news

1337UP LIVE


With a little less than 10 days to go, Intigriti proudly presents the 1337UP LIVE CTF and virtual bug bounty conference!

On March 11th, we will kick off with the 24-hour CTF, with challenges ranging from web all the way to binary exploitation. Sign up right now at ctf.intigriti.io.

On March 12th, once the CTF ends, we will directly jump into the live bug bounty conference with astonishing talks by amazing speakers. Check out the line-up over here at www.intigriti.com/1337uplive!

Win some swag!

We’re inviting you to share your opinions!

As a community-driven platform, your feedback is extremely valuable to us. To get to know you better, we would like to ask you to fill out our five-minute survey. At the end of the survey, you will be able to participate in our raffle to win a €50 Intigriti swag voucher (there are 20 available). Looking forward to hearing from you!


Our favorite 5 hacking items

1. Challenge of the week

Exploiting Java Tomcat With a Crazy JSP Web Shell – Real World CTF 2022 & Alternative writeup + Docker environment

@LiveOverflow demonstrates how his team solved Desperate Cat, a hard Java web hacking challenge from the Real World CTF.
You can run the Dockerfile locally and try to solve the challenge first, but make sure to watch the incredibly informative video walkthrough.

2. Writeups of the week

Pwning a Server using Markdown
Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager (VMware)

Next time you see Markdown that references a file inside an HTTP request, remember to test for LFI. @zombie007o and @nullvoiddeath got the idea from explicit error messages saying that the requested file wasn’t found, then exploited the LFI to grab SSH keys from the server and get a shell.

The second writeup covers several bugs found by @elk0kc in VMware products. It is interesting to see how a normalization issue led to an authentication bypass, and how a “?” character was used to bypass an SSRF filter.

3. Tips of the week

Bypass Java URL protocol validation with “url:”
Using “procedure analyse” to increase the impact of a limited SQL injection

Two tricks worth having in any web app hacking arsenal: Java URL protocol validation can be bypassed by prefixing the URL with “url:” (e.g. url://http://120.0.0.1:8080), and “procedure analyse” can be the only way to extract data from a very limited MariaDB SQL injection.
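The “url:” trick works because the java.net.URL constructor strips a leading, case-insensitive “url:” prefix (and leading whitespace) before it looks for the protocol, so a validator that inspects the raw string and a fetcher that parses it with java.net.URL disagree about what the protocol is. The following is an added example written for this newsletter, not code from the tweet or from any project: the validator, its blocked-scheme list and the sample inputs are hypothetical, but the prefix-stripping behaviour is that of java.net.URL itself.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.List;
import java.util.Locale;

/**
 * Hypothetical SSRF guard: a raw-string deny-list on the protocol, followed by
 * a fetch through java.net.URL. Because URL's constructor drops a leading
 * "url:" before parsing, "url:file:///etc/passwd" passes the string check but
 * is resolved as a file: URL.
 */
public class UrlPrefixBypass {

    // Assumed deny-list; a real application would have its own.
    private static final List<String> BLOCKED_PREFIXES =
            List.of("file:", "jar:", "ftp:", "netdoc:");

    /** Weak check: looks at the raw string before it is parsed. */
    static boolean rawStringCheckAllows(String spec) {
        String s = spec.trim().toLowerCase(Locale.ROOT);
        for (String prefix : BLOCKED_PREFIXES) {
            if (s.startsWith(prefix)) {
                return false;
            }
        }
        return true;
    }

    /** What a fetcher built on java.net.URL actually resolves. */
    static String effectiveProtocol(String spec) throws MalformedURLException {
        return new URL(spec).getProtocol();
    }

    /**
     * Hardened check: parse first with the same class the fetcher uses, then
     * compare the parsed protocol against an allow-list instead of a deny-list.
     */
    static boolean parsedCheckAllows(String spec) {
        try {
            String protocol = new URL(spec).getProtocol();
            return protocol.equals("http") || protocol.equals("https");
        } catch (MalformedURLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the "url:" prefix in two cases.
        String[] inputs = {
            "https://example.com/",
            "file:///etc/passwd",
            "url:file:///etc/passwd",
            "URL:http://127.0.0.1:8080/admin",
        };
        for (String spec : inputs) {
            String parsed;
            try {
                parsed = effectiveProtocol(spec);
            } catch (MalformedURLException e) {
                parsed = "malformed (" + e.getMessage() + ")";
            }
            System.out.printf("%-34s raw-check=%-5s parsed-protocol=%-10s hardened-check=%s%n",
                    spec, rawStringCheckAllows(spec), parsed, parsedCheckAllows(spec));
        }
    }
}
```

For “url:file:///etc/passwd” the raw-string check returns true while java.net.URL reports the protocol as “file”; the hardened check returns false because it validates the parsed protocol rather than the string the attacker typed. The general lesson is to validate the same object the fetcher will use, and to allow-list rather than deny-list.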

4. Videos of the week

Jack Cable Talks About His Background, Bug Bounty Methodology, and Hacking the US Government
@InsecureNature Talks About Hacking, Certificate Transparency, TruffleHog, and more!

Did you miss @NahamSec‘s Live Recon interviews? The good news is that seven of them were never published after the live stream, and @NahamSec has started releasing them on YouTube.
The bad news is that @NahamSec got super burnt out and sadly had to stop these streams. So, enjoy the last ones!

5. Tool of the week

nuclei-burp-plugin

This Burp extension generates Nuclei templates from HTTP requests/responses with only a few clicks. Writing custom templates has never been so easy; amazing work by @forgedhallpass!


Other amazing things we stumbled upon this week

Videos

Podcasts & Audio

Webinars

Tutorials

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • HTTPCustomHouse: HTTP request smuggling attack helper/CLI tools to manipulate HTTP packets

  • BurpGraphQLViewer: Burp extension that provides a central location for viewing all GraphQL requests/responses

  • Ostorlab & Intro: A security scanning platform that enables running complex security scanning tasks involving multiple tools in an easy, scalable and distributed way

  • wpgarlic: A proof-of-concept WordPress plugin fuzzer used in this research

  • FindUncommonShares: A Python equivalent of PowerView’s Invoke-ShareFinder.ps1 for quickly finding uncommon shares in vast Windows domains

Tips & Tweets

Misc. pentest & bug bounty resources

Articles

Challenges

Bug bounty & Pentest news

Non technical
