By Anna Hammond
April 20, 2022
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from April 11 to 18.
Intigriti’s April XSS challenge By @aszx87410
Live Recon | @IppSec Talks About Hacking, His Favorite Tools, HackTheBox and More!
FFUF by @joohoi (Behind The Tool #1)
@NahamSec‘s Live Recon show is baaaack! It has a new format and two new co-hosts, @Jhaddix and @stokfredrik.
This first episode is a must-watch if you enjoy hacking or want to hear @ippsec talk about programming, recon, CTF, etc.
Another new show is Intigriti’s Behind The Tool, hosted by @hacksplained.
The first episode is so-o-o good! @joohoi shares a lot about ffuf, how to pronounce it, the context behind its creation, his favorite functionalities, and more.
NotGitBleed (GitHub)
Just when I start thinking that it may be getting harder to find leaked secrets on GitHub… MDSec‘s Aaron Devaney shows that not only are there still GitHub leaks to be found, there are so many that he collected them at scale with automation.
Wister is a wordlist generation tool. It takes a list of words as input, and can output variants with different encodings, casings, homographs, etc.
Another handy tool is NMAP-Formatter, a Go tool that can convert NMAP’s XML output to HTML, CSV, JSON and markdown.
There are many other tools to convert Nmap output, but I’m personally starting to use this one because it supports many formats including JSON, so it makes it easy to chain Nmap with jq and other recon tools.
CVE-2022-26809 MS-RPC RCE:
CVE-2022-26809 is an integer overflow in MSRPC. It does not have a public exploit but is worrisome for its 9.8 CVSS score, and its wormable potential as an unauthenticated zero-click RCE.
Teaching Burp a new HTTP Transport Encoding
If you encounter an HTTP client/server that uses a custom Transport Encoding or encryption, this tutorial could save you a lot of headache.
@pentagridsec demonstrates how to solve the problem by writing a Burp extension.
Q: HOW do you find hidden stuff on websites? (this episode is all about CONTENT DISCOVERY!)
How I became a leading Red Teamer {and Cyber Security Expert} | @byt3bl33d3r Marcello Salvati
Learn with @j3ssiejjj – Automating Recon at scale using Osmedeus!! & Repo
They just didn’t check the balance before making a transfer. $3,4 mln bounty in Polygon blockchain
Exploiting esoteric android vulnerability by Sharan & Sanjay
THCon 2022 – Day 1, Day 2 & Program (https://thcon.party/program/), especially:
Active Directory – Introduction, Offensive PowerShell, Local Privilege Escalation, Lateral Movement, Domain Persistence & Domain Privilege Escalation
HackTheBox – Toby, Blog post & Troubleshooting Python Socket Timing
CORS – Lab #2 CORS vulnerability with trusted null origin, Lab #3 CORS vulnerability with trusted insecure protocols & Lab #4 CORS vulnerability with internal network pivot attack
Markdown Menace: Discovering an LFI Vulnerability on a Blogging Platform
CVE-2022-29072 – Privilege escalation and RCE in 7-Zip for Windows #Windows #LPE #MemoryCorruption
CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed) #Windows #LPE
CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client #Windows #LPE
An attacker can archive and unarchive any structured scope object on HackerOne (HackerOne, $12,500)
CVE-2022-26133 – Bitbucket Data Center – Java Deserialization Vulnerability (Atlassian)
Bypass Apple Corp SSO on Apple Admin Panel (Apple, $6,000)
How we spoofed ENS domains for $15k (ENS, $15,000)
Palisade identifies Wormable Cross-Site Scripting Vulnerability affecting Rarible’s NFT Marketplace (Rarible, $5,000)
Multiple Vulnerabilities in Cisco Expressway & STUNNER: A tool to test and exploit STUN, TURN and TURN over TCP servers
See more writeups on The list of bug bounty writeups.
SecretScanner: Find secrets and passwords in container images and file systems
KnockKnock: A simple reverse whois lookup tool which returns a list of domains owned by people or companies
linWinPwn: Bash script that automates Active Directory enumeration and vulnerability checks
Hacker stories by @Jhaddix, @hacker_ & @ArmanSameer95
See more tips on this week’s Twitter collection.
asnlookup.com & Intro: ASNLookup.com refactored and relaunched with a new API
Compromising CI/CD Pipelines & Proxy server simplified (Security Zines flyers)
IVNA: Intentionally Vulnerable Nodejs Application & APIs
Cybersecurity
Critical Apache Struts RCE vulnerability wasn’t fully fixed, patch now
Tarrask malware uses scheduled tasks for defense evasion (ScheduleRunner was updated to include this new technique)
Upcoming events
NahamCon 2022 (April 30 – 09:00 AM PDT) & NahamCon CTF (April 28 – 30)
Cyber Apocalypse CTF 2022 (May 14 – 20) & Live Hacking Workshops
Tool updates