Bug Bytes #5 - Lazy Hackers, Stök’s blind XXE and Inception

By Intigriti

February 12, 2019

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all the write-ups, tools, tutorials and resources we should not have missed. You can sign up for the newsletter here.

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 01 to 08 February.

Our favorite 5 hacking items

1. Conference of the week

A $7.500 BUG Bounty Bug explained, step by step. (BLIND XXE OOB over DNS)

Another great video by @stokfredrik! It’s a write-up of a blind XXE, detected out-of-band over DNS, reached through a PDF file upload.
Classic file upload payloads and attacks didn’t work, so the last thing @stokfredrik tried was smuggling XML entities inside PDF files. That was enough to trigger a DNS request from the target server (observed with Burp Collaborator): the file-type checks passed the PDF, but something on the backend parsed the XML it carried and resolved the external entity. He then escalated over several stages until he had a full blind XXE.
This is fairly advanced material, but every stage is detailed and well explained, including the tools and references used.
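As an added illustration of the defensive side (this is not code from the video or from Stök), here is a Go pre-screen for PDF uploads: it inflates each FlateDecode stream and flags any DOCTYPE or ENTITY declaration in the XML the stream carries, since XMP metadata and XFA forms are plain namespaced XML and never need a DTD. The PDF skeleton and both XMP packets are constructed here for the example, and canary.example is a placeholder for an attacker-controlled hostname.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Any DOCTYPE or ENTITY declaration inside a PDF's XML is suspicious: XMP
// metadata and XFA forms never need a DTD. The match stops at '>' or '['
// so each declaration is reported separately.
var dtdDecl = regexp.MustCompile(`(?is)<!(?:DOCTYPE|ENTITY)\b[^>\[]*`)

// streamRe captures the body of every PDF stream object. The \b keeps it
// from matching the "stream" inside "endstream".
var streamRe = regexp.MustCompile(`(?s)\bstream\r?\n(.*?)\r?\nendstream`)

// inflate decompresses a FlateDecode (zlib) stream body; anything that is
// not zlib-encoded is returned unchanged so raw XML is still scanned.
func inflate(b []byte) []byte {
	r, err := zlib.NewReader(bytes.NewReader(b))
	if err != nil {
		return b
	}
	defer r.Close()
	out, err := io.ReadAll(r)
	if err != nil {
		return b
	}
	return out
}

// FindDTDDeclarations returns every DOCTYPE/ENTITY declaration found in
// the PDF's stream objects. An empty result means no DTD was seen in the
// encodings this pre-screen understands, not that the file is safe.
func FindDTDDeclarations(pdf []byte) []string {
	var hits []string
	for _, m := range streamRe.FindAllSubmatch(pdf, -1) {
		for _, d := range dtdDecl.FindAll(inflate(m[1]), -1) {
			hits = append(hits, strings.TrimSpace(string(d)))
		}
	}
	return hits
}

// BuildPDF wraps an XMP packet in a minimal PDF skeleton (constructed
// test input, not a real document), with the metadata stream either raw
// or FlateDecode-compressed as most real writers emit it.
func BuildPDF(xmp []byte, compress bool) []byte {
	body, filter := xmp, ""
	if compress {
		var z bytes.Buffer
		w := zlib.NewWriter(&z)
		w.Write(xmp)
		w.Close()
		body, filter = z.Bytes(), " /Filter /FlateDecode"
	}
	var pdf bytes.Buffer
	pdf.WriteString("%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Metadata 2 0 R >>\nendobj\n")
	fmt.Fprintf(&pdf, "2 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d%s >>\nstream\n", len(body), filter)
	pdf.Write(body)
	pdf.WriteString("\nendstream\nendobj\n%%EOF\n")
	return pdf.Bytes()
}

// BenignXMP is a constructed, ordinary XMP packet: no DTD, no entities.
var BenignXMP = []byte(`<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>report</dc:title></rdf:Description>
</rdf:RDF></x:xmpmeta><?xpacket end="w"?>`)

// MaliciousXMP is the same packet with a DTD declaring an external entity
// that points at an attacker-controlled hostname (canary.example is a
// placeholder). A parser that resolves it performs a DNS lookup of that
// name, which is the out-of-band signal the write-up relies on.
var MaliciousXMP = []byte(`<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://canary.example/"> ]>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title>&xxe;</dc:title></rdf:Description>
</rdf:RDF></x:xmpmeta><?xpacket end="w"?>`)

func main() {
	for name, xmp := range map[string][]byte{"benign": BenignXMP, "malicious": MaliciousXMP} {
		fmt.Printf("%-9s %q\n", name, FindDTDDeclarations(BuildPDF(xmp, true)))
	}
}
```

Treat this as a pre-screen rather than the fix: it ignores object streams and filters other than FlateDecode, and a determined uploader can hide XML in places it does not look. The real remedy is to configure whatever parses the metadata to neither load DTDs nor resolve external entities, and to keep egress (including DNS) from the processing host restricted so a resolved entity cannot signal out.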

2. Writeup of the week

Reverse RDP Attack: Code Execution on RDP Clients

Check Point researchers tested three RDP clients: rdesktop, FreeRDP and mstsc.exe (Microsoft’s built-in client), and found 25 security vulnerabilities.
This made the generic infosec news because two of the three clients are vulnerable to reverse RDP attacks: the bugs let a malicious RDP server get remote code execution on the client that connects to it…

3. Slides of the week

It’s the Little Things II: Exploiting Vulnerabilities Through Proper Reconnaissance – Slides for Exploiting Vulnerabilities Through Proper Reconnaissance (ShellCon 2018) & It’s the Little Things (Anycon 2018)

This is a nice addition to the existing public recon methodologies. It touches on a little bit of everything: asset discovery, OSINT, content discovery, and more. It’s worth reading and merging with your own methodology.
Also, I’m not sure these are the right talks accompanying the slides, but they should at least give you some context around them:

4. Tool of the week

Inception

Imagine you want to run one specific test against a list of targets from your previous bug bounty notes: a new endpoint, an XSS payload, a search for a hidden file or directory (like .git)… What would you use?
Tools like Burp Intruder send many requests to the same target. Inception does the opposite: it runs the same test against a list of targets.
It’s inspired by Snallygaster but includes more tests, is fast (it is written in Go), and is highly customizable: new tests can be added without writing code.
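To make the “one test, many targets” idea concrete, here is an added Go example; it is not Inception’s code and does not use its configuration format. One declarative check, the /.git/HEAD probe, is applied to a list of base URLs through a bounded worker pool. The client refuses to follow redirects and reads only a bounded prefix of each body, and the match looks at the body rather than just the status code so hosts that answer every path with a 200 page are not reported. The target URLs in main are placeholders.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Check is one test applied to every target: a path to request and a
// predicate on the response. It plays the role of the declarative test
// entries a tool like Inception lets you add without writing code.
type Check struct {
	Name  string
	Path  string
	Match func(status int, body string) bool
}

// GitHeadExposed is the classic ".git leak" probe. Requiring the body to
// look like a git ref file, not just a 200, avoids false positives from
// hosts that answer every path with a 200 page.
var GitHeadExposed = Check{
	Name: "git-head",
	Path: "/.git/HEAD",
	Match: func(status int, body string) bool {
		return status == http.StatusOK && strings.HasPrefix(strings.TrimSpace(body), "ref: refs/")
	},
}

// Result records the outcome for one target.
type Result struct {
	Target string
	Hit    bool
	Err    error
}

// NewClient returns a client with a hard timeout that does not follow
// redirects: a 302 to a login page must not count as a finding.
func NewClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// RunCheck applies one check to every base URL with at most `workers`
// requests in flight and returns the results keyed by target.
func RunCheck(ctx context.Context, client *http.Client, c Check, targets []string, workers int) map[string]Result {
	out := make(map[string]Result, len(targets))
	var mu sync.Mutex
	var wg sync.WaitGroup
	sem := make(chan struct{}, workers)
	for _, t := range targets {
		wg.Add(1)
		go func(target string) {
			defer wg.Done()
			sem <- struct{}{}
			defer func() { <-sem }()
			r := probe(ctx, client, c, target)
			mu.Lock()
			out[target] = r
			mu.Unlock()
		}(t)
	}
	wg.Wait()
	return out
}

func probe(ctx context.Context, client *http.Client, c Check, target string) Result {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, strings.TrimRight(target, "/")+c.Path, nil)
	if err != nil {
		return Result{Target: target, Err: err}
	}
	resp, err := client.Do(req)
	if err != nil {
		return Result{Target: target, Err: err}
	}
	defer resp.Body.Close()
	// Read only a bounded prefix: enough to recognise a ref file, and no
	// target can make the scanner buffer an arbitrarily large response.
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
	return Result{Target: target, Hit: c.Match(resp.StatusCode, string(body))}
}

func main() {
	// Placeholder targets: replace with the list from your own notes.
	targets := []string{"https://example.com", "https://example.org"}
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	for t, r := range RunCheck(ctx, NewClient(5*time.Second), GitHeadExposed, targets, 10) {
		fmt.Printf("%-30s %-9s hit=%v err=%v\n", t, GitHeadExposed.Name, r.Hit, r.Err)
	}
}
```

Adding another test means adding another Check value (path plus predicate); the worker pool, timeouts and redirect policy stay the same, which is the property that makes this shape of tool worth keeping around between engagements.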

5. Article of the week

The Lazy Hacker

The author of this blog post, a professional pentester, shares some tidbits about his pentesting methodology and custom tools.
The most interesting part is his framework “recron”, an automated continuous recon framework. He hasn’t released it, but his explanation may give you new ideas for improving your own automated bug hunting tools.
He did release Scanomaly, a web application fuzzer and scanner that is part of that framework.

Other amazing things we stumbled upon this week

Videos

Bypass filters using < (less-than sign). On Windows only, a string of two “less-than” signs passed to PHP’s file_get_contents is treated as an asterisk wildcard.

Podcasts

Webinars & Webcasts

Conferences

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

More tools, if you have time

  • Burp HMAC Header Extension & How-to

  • Whatruns.py: Python script to fetch the technologies of a given domain using the WhatRuns API

  • Nmap-censys: NSE script that leverages the Censys IPv4 API for passive data collection

  • IPOsint: Discover the IP address of a target from a great resource, without registration or any API key

  • Goscan: Interactive network scanner

  • Golookup: A simple tool written in Go that looks up the CNAME, A, AAAA, TXT, NS and MX records of any domain

  • 420 & Introduction: Automated XSS vulnerability finder

  • Leaks_parser: Parser for the data dumps Collection #1 / Collection #2-5

  • tmpnix: An alternative to static binaries for post-exploitation

  • PowerPriv & Introduction: A PowerShell implementation of PrivExchange designed to run under the current user’s context

  • DnsCache: Reference example of how to call the Windows API to enumerate cached DNS records in the Windows resolver

  • Bashfuscator: A modular and extendable Bash obfuscation framework written in Python 3, intended to help both red and blue teams

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty news

Breaches & Vulnerabilities

Other

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/25/2019 to 02/01/2019.

Curated by Pentester Land & Sponsored by Intigriti
