By Anna Hammond
March 2, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from February 21 to 28.
🚩 CTF SIGN UP 🚩🗣 Virtual Conference 🗣
With a little less than 10 days to go, Intigriti proudly presents the 1337UP LIVE CTF and virtual bug bounty conference!
On March 11th, we will kick off with the 24-hour long CTF with challenges from web all the way to binary exploitation. Sign up right now at ctf.intigriti.io.
On March 12th, once the CTF ends, we will directly jump into the live bug bounty conference with astonishing talks by amazing speakers. Check out the line-up over here at www.intigriti.com/1337uplive!
We’re inviting you to share your opinions!
As a community-driven platform, your feedback is extremely valuable to us. To get to know you better, we would like to ask you to fill out our five-minute survey. At the end of the survey, you will be able to participate in our raffle to win a €50 Intigriti swag voucher (there are 20 available). Looking forward to hearing from you!
Exploiting Java Tomcat With a Crazy JSP Web Shell – Real World CTF 2022 & Alternative writeup + Docker environment
@LiveOverflow demonstrates how his team solved Desperate Cat, a hard Java web hacking challenge from the Real World CTF.
You can run the Dockerfile locally and try to solve the challenge first, but make sure to watch the incredibly informative video walkthrough.
Pwning a Server using Markdown
Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager (VMware)
Next time you see markdown that references a file, in a HTTP request, remember to test for LFI. @zombie007o and @nullvoiddeath had the idea because of explicit errors saying that the file requested wasn’t found, then they exploited the LFI to grab SSH keys from the server and get a shell.
The second writeup is about several bugs found by @elk0kc in a VMware product. It is interesting to see how a normalization issue caused authentication bypass, and how a ?
symbol was used to bypass an SSRF filter.
Bypass Java URL protocol validation with “url:”
Using “procedure analyse” to increase the impact of a limited SQL injection
Two cool tricks to have in any Web app hacking arsenal: Java URL validation can be bypassed with the “url:” scheme (e.g. url://http://120.0.0.1:8080), and “procedure analyse” can be the only way to exploit a very limited MariaDB SQL injection.
Jack Cable Talks About His Background, Bug Bounty Methodology, and Hacking the US Government
@InsecureNature Talks About Hacking, Certificate Transparency, TruffleHog, and more!
Did you miss @NahamSec‘s Live Recon interviews? The good news is that seven of them weren’t published (after the live stream) and @NahamSec started releasing them on Youtube.
The bad news is that @NahamSec got super burnt out and sadly had to stop these streams. So, enjoy the last ones!
This Burp extension helps generate Nuclei templates from HTTP requests/responses, with only a few clicks. Writing custom templates has never been so easy, amazing work by @forgedhallpass!
Scanning at lightning-fast speeds! Turbo Intruder – Hacker Tools & Blog post
🎙️ HTB Stories #7: Meet the one behind LinPEAS – ./carlospolop & HTB Stories #6: Hacking OS 101 with Palinuro
Application Security How-To: Ken’s Secure-Code Review of an application codebase. & Repo
macOS Security Features Bypasses by Example | Jonathan Bar Or (JBO)
The most underrated tool in bug bounty. (and the filthiest one liner possible)
Fantastic Infrastructure as Code security attacks and how to find them & Repo
Thick Client Penetration Testing — TCP traffic interception using mitm_relay and Burp.
Logic Flaw Leading to RCE in Dynamicweb 9.5.0 – 9.12.7 #Web #CodeReview
Remote Code Execution in pfSense <= 2.5.2 #Web #CodeReview
Stealing a few more GitHub Actions secrets (GitHub, $7,500)
OAuth and PostMessage – Chaining misconfigurations for your access token.
Write Up – Android Application Screen Lock Bypass Via ADB Brute Forcing
Hackerone open redirect security alert bypass via view report as PDF (HackerOne, $500)
How I bypassed PHP functions to read sensitive files on server
See more writeups on The list of bug bounty writeups.
HTTPCustomHouse: HTTP request smuggling attack helper/CLI tools to manipulate HTTP packets
BurpGraphQLViewer: Burp extension that provides a central location for viewing all GraphQL requests/responses
Ostorlab & Intro: A security scanning platform that enables running complex security scanning tasks involving multiple tools in an easy, scalable and distributed way
wpgarlic: A proof-of-concept WordPress plugin fuzzer used in this research
FindUncommonShares: A Python equivalent of PowerView’s Invoke-ShareFinder.ps1 allowing to quickly find uncommon shares in vast Windows Domains
How I use environment variable injection to execute arbitrary commands (in Chinese) & CentOS 7 exploit
Samesite: Hax – Exploiting CSRF With The Default Samesite Policy
Bug bounty
Pre-registrations open for pathmapper (It does automated recon and test for path normalization bugs at scale)
Upcoming events
Joe Grand’s Open Lab: YouTube Live AMA (March 12)
Free webinars on Securzy (Prototype pollution on March 11, Amazon Cognito Misc-configurations on March 12, etc)
Web app hacking streams by @GarrGhar (Every Monday)
Tool updates