By Intigriti
October 29, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.
This issue covers the week from 18 to 25 October.
Introducing our new platform: what to expect
⚠️ Don’t forget to save your drafts securely, as they will not be migrated!
Github-subdomains.py is one of many Github scripts shared lately by @gwendallecoguic for Github recon. It takes a domain as input and returns its subdomains found on Github.
Sometimes, this is just what you need for recon or OSINT!
Erlenc also does one thing: It is a command line tool for URL-encoding and URL-decoding data streams. It can be useful for scripting, or if you find yourself playing with URL encoding all the time during tests.
Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …
Exploiting an XXE during a pentest unexpectedly triggered two DNS interactions instead of one. This led the authors to investigate, and discover that opening the XXE payload in their text editor was triggering the second interaction.
What could have been neglected by others became the subject of very interesting research. From weaponizing the XXE to get RCE, to testing other products that share the same underlying vulnerable library… There are many lessons in this writeup, both technical and about mindset and tenacity.
Kawaiicon 2019 – Liar, Liar: a first-timer “red-teaming” under unusual restrictions
This is the story of an unusual red teaming mission. I don’t want to spoil it by saying too much. So, let’s just say that it is captivating, witty, and perfect for those times when you want to relax while still doing something hacking-related.
This is a collection of links for cloud security (from both offensive and defensive aspects). They are organized by topic: AWS/Google/Azure Cloud, vulnerable apps, Kubernetes and Docker.
It is nice to have all these resources at the same place. It should help if you’re interested in Cloud security and don’t know where to start.
I am also realizing there are some tools and presentations listed that I haven’t checked out yet.
Subdomain takeovers are getting harder to find on bug bounty programs. This article breaks down a more subtle form of the attack which affects some subdomains pointing to EC2 instances.
Who knows, it might help you get some of those juicy bounties!
Live Bug Bounty Recon Session and Creating a Recon Database for Yahoo W/ @0xpatrik
Cybertalk – EP1 – Secure Coding, HackTheBox & Web App Penetration Testing
GrrCON 2019 Videos, especially:
Red Team Diary, Entry #2: Stealthily Backdooring CMS Through Redis’ Memory Space
Red Team Tactics: Active Directory Recon using ADSI and Reflective DLLs
JWT (JSON Web Token) (in)security & jwt-pwn (Security Testing Scripts for JWT)
Deep Dive into .NET ViewState deserialization and its exploitation
PHP Remote Code Execution 0-Day Discovered in Real World CTF Exercise #Web #RCE
CVE-2019-16278 – Unauthenticated Remote Code Execution in Nostromo web server #Web #RCE #CodeReview
CVE-2019-12643: Cisco IOS XE Authentication Bypass Vulnerability #Web
OneDrive/SharePoint File Picker Access Token Hijacking #Web #OAuth
Privilege escalation on Semmle ($2,000)
Information disclosure on HackerOne ($2,500) => IDOR
DoS on Moneybird ($100)
Session expiration bypass on Facebook ($1,5000)
RCE, XSS, Logic flaw & Information disclosure on AntiHack.me
See more writeups on The list of bug bounty writeups.
Stepper: A Burp extension designed to be a natural evolution of Burp Suite’s Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps
GitHunter: A tool for searching a Git repository for interesting content
Jsfuzz: Coverage-guided fuzzer for testing JavaScript/NodeJS packages
Domain-finder: Quick script to find domains that belong to a company through http://whoxy.com (key required but free)
Apk-mitm: A CLI application that prepares Android APK files for HTTPS inspection
Ntlmscan: Scan for NTLM directories
Dirstalk: Modern alternative to dirbuster/dirb
RAS-Fuzzer: RAndom Subdomain Fuzzer
SUID3NUM: Python script to enumerate SUID binaries, separate default binaries from custom binaries, cross-match those with bins in GTFO Bin’s repository & auto-exploit those
BabooSSH: Python script that allows you, from a simple SSH connection to a compromised host, to quickly gather info on other SSH endpoints to pivot and compromise them.
Lava: Microsoft Azure exploitation framework
HomePWN: Swiss Army Knife for Pentesting of IoT Devices
OneLogicalMyth_Shell: An HTA shell to assist with breakout assessments
PHuiP-FPizdaM: Exploit for a bug in php-fpm (CVE-2019-11043)
ED 105: Server Side Template Injection (SSTI): SSTI lab & walkthrough
Tracking down the developer of Android adware affecting millions of users #OSINT
Abusing Windows 10 Narrator ‘Feedback-Hub’ for Fileless Persistence
Smart Spies: Alexa and Google Home expose users to vishing and eavesdropping
Vulnerability in content distribution networks found by researchers
ATTK of the Pwns: Trend Micro’s antivirus tools ‘will run malware – if its filename is cmd.exe’
Unpatched Linux bug may open devices to serious attacks over Wi-Fi
Equifax used ‘admin’ as username and password for sensitive data: lawsuit
Researchers find stealthy MSSQL server backdoor developed by Chinese cyberspies
Russian cybercrooks co-opted Iranian hacking tools to attack dozens of countries
Air Force finally retires 8-inch floppies from missile launch control system
Weaponizing and Gamifying AI for WiFi Hacking: Presenting Pwnagotchi 1.0.0
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/18/2019 to 10/25/2019.
Curated by Pentester Land & Sponsored by Intigriti
Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.