Bug Bytes #27 – Secretz, Privilege Escalation on New Relic & How To Keep Your Bugs Organised

By Intigriti

July 15, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 05 to 12 July.

Our favorite 5 hacking items

1. Tips of the week

All you need to know to exit VIM without unplugging your laptop
10 tips that are helpful if you are not finding vulns/bugs
Why http://1.0.0.1 is the same as http://1.1
How to use Tmux/Screen AFTER you’ve started Nmap

These tweets are so good that I had to mention all four. They’re about:

  • How to exit VIM, and more importantly how to make `:!Q` (which isn’t currently an option) quit it too

  • Awesome advice to improve your environment and methodology, and start finding vulns/bugs

  • Why some SSRF payloads include IP addresses like 1.1.1, and how routers know that it means 1.1.0.1 and not 1.1.1.0. I’ve been wondering about that and the answer was… RTFM!

  • What to do when you’re hours into an Nmap scan and you forgot to start it in a Tmux/Screen session (Genius!)
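As an added illustration of the shorthand rule in the third tweet (this code is not from the newsletter or the tweets), here is a small normaliser that applies the classic inet_aton() expansion so an SSRF egress filter compares canonical addresses rather than raw strings. It handles decimal parts only (libc also accepts octal and hex; that is left out here), and the blocklist values are constructed sample data.

```python
# Added example, not from the newsletter: expand inet_aton()-style short forms.
# Rules: 1 part  -> one 32-bit value; 2 parts -> byte.24-bit;
#        3 parts -> byte.byte.16-bit; 4 parts -> byte.byte.byte.byte.
# The last part always fills all remaining bytes, so "1.1" is 1.0.0.1
# and "1.1.1" is 1.1.0.1. Assumption: decimal parts only.
from typing import Optional, Set


def canonical_ipv4(text: str) -> Optional[str]:
    """Return the dotted-quad form of a short/long IPv4 literal, or None if invalid."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or any(not p.isdigit() for p in parts):
        return None
    values = [int(p) for p in parts]
    # every part except the last is exactly one byte
    if any(v > 255 for v in values[:-1]):
        return None
    # the last part spans the bytes not covered by the leading parts
    remaining = 4 - len(parts) + 1
    if values[-1] >= 256 ** remaining:
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * remaining)) | values[-1]
    return ".".join(str((packed >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_blocked(target: str, blocklist: Set[str]) -> bool:
    """Blocklist check that canonicalises first; unparsable input is rejected."""
    canon = canonical_ipv4(target)
    return canon is None or canon in blocklist


# Constructed sample blocklist: a naive string comparison would miss "1.1".
BLOCKLIST = {"1.0.0.1", "1.1.0.1", "169.254.169.254"}
```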

2. Writeup of the week

Privilege escalation via mass assignment on New Relic

If testing for mass assignment isn’t currently part of your methodology, this is an excellent opportunity to learn about it and start testing for it.
@albinowax was bug hunting on New Relic. He found that free accounts didn’t have access to the API. But this restriction could be bypassed by intercepting a POST request to change your name and adding this parameter: `account[allow_api_access]=true`.
He also tells us how he guessed the parameter’s name:

If you find a request updating/editing an object, be sure to run Param Miner on it – it might just find you a mass assignment vulnerability
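To make the mass assignment pattern behind this write-up concrete, here is an added example (not New Relic's code, and not from the write-up): a simplified profile-update handler in its vulnerable form, which writes whatever `account[...]` fields the client sends, beside an allowlisted version that applies only editable fields and reports the rejected ones so they can be logged. The `Account` class, the handler names and the request body are all constructed for the illustration.

```python
# Added example, not New Relic's code: mass assignment vs. an attribute allowlist.
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs


@dataclass
class Account:
    name: str
    allow_api_access: bool = False  # entitlement only the server should set


def account_fields(body: str) -> Dict[str, str]:
    """Extract account[...] keys from a URL-encoded form body."""
    fields = {}
    for key, values in parse_qs(body).items():
        if key.startswith("account[") and key.endswith("]"):
            fields[key[len("account["):-1]] = values[-1]
    return fields


def coerce(current, value: str):
    """Mimic a framework casting 'true'/'false' onto boolean attributes."""
    return value.lower() == "true" if isinstance(current, bool) else value


def update_profile_vulnerable(account: Account, body: str) -> Account:
    """Mass assignment: any existing attribute named by the client is written."""
    for name, value in account_fields(body).items():
        if hasattr(account, name):
            setattr(account, name, coerce(getattr(account, name), value))
    return account


USER_EDITABLE = {"name"}  # the only attribute this form is allowed to change


def update_profile_hardened(account: Account, body: str) -> List[str]:
    """Allowlist: apply editable fields, return rejected names for logging."""
    rejected = []
    for name, value in account_fields(body).items():
        if name in USER_EDITABLE:
            setattr(account, name, coerce(getattr(account, name), value))
        else:
            rejected.append(name)
    return rejected


# Constructed request body modelled on the bypass described in the write-up.
PAYLOAD = "account[name]=Alice&account[allow_api_access]=true"
```

A burst of rejected names such as `allow_api_access` in the hardened handler's log is exactly the signal to alert on.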

3. Webinar of the week

Securing Your Cloud Infrastructure | Security and Research Company (SECARMY)

After last week’s intro to cloud for pentesters and bug hunters, SECARMY returns with a sequel on common cloud security misconfigurations and their mitigations.
More specifically, this one is about SSRF and LFI on AWS, why they occur, how to detect them, how to leak AWS credentials and what companies can do to prevent it.

4. Tool of the week

Secretz

A few weeks ago, @EdOverflow published the article “CI Knew There Would Be Bugs Here” — Exploring Continuous Integration Services as a Bug Bounty Hunter. He did the research with a few other hackers, and they developed a tool to automate fetching Travis CI build logs.
It allowed them to quickly look for sensitive information in CI logs and earn many bounties. It was awesome to read about that but they didn’t release it because they didn’t want to cause service disruptions to CI platforms.
I guess they’ve changed their minds because they’ve just released Secretz!
It helps you cover the large attack surface of Travis CI by automatically fetching repos, builds and logs for any given organization. So it’s a really neat tool to add to your arsenal.

5. Non technical item of the week

How to better organize your notes while hunting for bugs

Who doesn’t like peeking at how other hackers organize their notes?
@GouveaHeitor shares here how he uses SwiftnessX to define payloads, report templates and libraries / checklists. It’s worth looking at his screenshots if you feel like your pentest/bug bounty notes could be better organized.

Other amazing things we stumbled upon this week

Writeups

See more writeups on The list of bug bounty writeups.

Tools

  • ScreenToGif: Allows you to record a selected area of your screen, edit it and save it as a gif or video. Useful for recording PoCs

  • Qsreplace: A Go script to replace or append to query string values in URLs. Can be used in combination with waybackurls to generate URLs for fuzzing with a particular payload

  • JWTrek: JWT Token C# Bruteforcer (HS256) (pure bruteforce, no wordlist yet)

  • Android-App-Testing: Python3 scripts to help automate the installation of Burp Suite certificates on Android devices

  • Venemy: OSINT tool for Venmo. It grabs profile information, friends lists & transactions

  • BADministration & Introduction: Tool to leverage SolarWinds Orion servers from an offensive standpoint

  • RedTeamCSharpScripts: C# Scripts for Red teaming

  • Kali Linux Tools Interface: A graphical interface to use tools in Kali by the browser

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/05/2019 to 07/12/2019

Curated by Pentester Land & Sponsored by Intigriti

Disclaimer:
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.