By Anna Hammond
April 13, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 4 to 11.
How to Get Better at Hacking | Louis Nyffenegger
This isn't one of @snyff's usual technical talks, but I found it hilarious and eye-opening. He points out many mistakes that (aspiring) hackers make in their learning journey.
If you are struggling with a plateau or just want to grow your hacking skills from good to amazing, there is probably something mentioned in this talk that will help you out.
AWS RDS Vulnerability Leads to AWS Internal Service Credentials (Amazon)
@LightspinTech's director of security research, @gafnitav, discovered a Local File Read on AWS RDS. It involves an interesting mix of path traversal and PostgreSQL injection.
A great writeup that details the whole thought process, including what did not work.
In addition to the previous writeup, @LightspinTech also released recon.cloud, a free search engine for AWS cloud assets.
It references 220,866 assets, and can be a good addition to your recon.
If you are interested in cloud hacking or Kubernetes security, I also recommend following @LightspinTech's Twitter account and blog. They have been releasing many cool tools, articles and tips in these areas of security.
Bypassing a WAF by Finding the Origin IP & CF-Bypass
@0xLupin released a new tool and video on bypassing WAFs (specifically Cloudflare) by finding the origin IP using SecurityTrails' historical data.
What I like about CF-Bypass is that it does not just look for the origin IP but also tries to validate it and reduce false positives. So, even if you already have your own WAF bypass tool or do not want to use SecurityTrails, reading the code of this tool might give you some cool ideas to add to your own tooling.
Burp Intruder's predefined lists have placeholders that must be replaced with your custom settings
Are you using Burp Intruder's predefined payload lists without additional configuration?
If you do, you may have missed vulnerabilities, because these lists have placeholders that must be replaced with your own domain, email, nameserver, etc.
A small tweak, but skipping it can easily cause you to miss out-of-band vulnerabilities!
Bug Bounty Redacted #2: Third Party Subdomain Takeover & Exposed Admin Interfaces
Hacking Linux // Linux Privilege escalation // Featuring HackerSploit
Executing Linux Binaries Without Touching Disk – Living Off The Land with DDExec and Dirty Pipe Demo
Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation
Cloud-native security (container security Cheat Sheet) – Part 1
VMware Workspace ONE Access – Freemarker SSTI (CVE-2022-22954) PoC & Nuclei template
Securing Easy Appointments and earning CVE-2022-0482 #Web #CodeReview
CVE-2021-4119: [Bookstack] Email harvesting via SQL “LIKE” clause exploitation #Web #PHP #CodeReview
MacOS SUHelper Root Privilege Escalation Vulnerability: A Deep Dive Into CVE-2022-22639 & PoC #MacOS #LPE
Integer overflow in table extension (GitHub, $40,000)
How a YouTube Video led to pwning a web application via SQL Injection worth $4324 bounty ($4,324)
Meta’s SparkAR RCE Via ZIP Path Traversal (Meta / Facebook, $2,500)
See more writeups on The list of bug bounty writeups.
ipcdn: Check which CDN providers an IP list belongs to
checkip: Get quick info on an IP address
Jeeves: Go tool that looks for time-based blind SQL injection through recon
spring4shell-scan: A fully automated, reliable, and accurate scanner for finding Spring4Shell and Spring Cloud RCE vulnerabilities
bore: A simple CLI tool for making tunnels to localhost
Story of how 19-year-old @hacker_ gained ADMIN access to a Trans-Atlantic cable & Accessing 302 Military FTP servers
Something to try if you find URL shortened links in pentests
Two free IPinfo tools to quickly look at your target domain’s IP space
Jhaddix's threads on Stealing checks worth millions & pwning a bank, Inspecting out-of-scope mobile apps & Finding SQL injection on a blog
See more tips in this week's Twitter collection.
Insiders: Archive of Potential Insider Threats
Round Two: An Updated Universal Deserialisation Gadget for Ruby 2.x-3.x
Performing And Preventing Attacks On Azure Cloud Environments Through Azure Devops
Abusing Azure Hybrid Workers for Privilege Escalation – Part 1
NahamCon CTF 2022 (April 28 – 30)
cicd-goat: Deliberately vulnerable CI/CD environment
Upcoming events
Bounty Thursdays – Live (Thursday 14/4 16:00 CET)