By Intigriti
February 12, 2019
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us updated with a comprehensive list of all write-ups, tools, tutorials and resources we should not have missed. You can sign up for the newsletter here.
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from 01 to 08 of February.
A $7.500 BUG Bounty Bug explained, step by step. (BLIND XXE OOB over DNS)
Another great video by @stokfredrik! It’s a writeup for a blind XXE OOB over DNS using a PDF file upload.
Classic file upload payloads & attacks didn’t work, so the last thing that @stokfredrik tried was sneaking XML entities through PDF files. He was able to trigger a DNS request from the target server (using Burp Collaborator). He then escalated the attack over multiple stages until he got a full blind XXE.
This is pretty advanced stuff but every stage is detailed and well explained, including tools and references.
Check Point researchers tested different RDP clients: rdesktop, FreeRDP and Mstsc.exe (Microsoft’s RDP client). They found 25 security vulnerabilities.
This made the news on generic infosec sites because two of the clients tested are vulnerable to reverse RDP attacks. The bugs detected allow malicious RDP servers to get remote code execution on these clients…
It’s the Little Things II: Exploiting Vulnerabilities Through Proper Reconnaissance – Slides for Exploiting Vulnerabilities Through Proper Reconnaissance (ShellCon 2018) & Its the little things (Anycon 2018)
This is a nice addition to existing public recon methodologies. It touches a little bit of everything: asset discovery, OSINT, content discovery, and more. It’s worth reading and merging with your own current methodology.
Also, I’m not sure these are the right talks accompanying the slides, but they should at least give you some context around them:
Exploiting Vulnerabilities Through Proper Reconnaissance (ShellCon 2018)
Its the little things (Anycon 2018)
Imagine you want to test a list of targets from your previous bugbounty notes for one specific test, a new endpoint, an XSS payload, a search for a hidden file/directory (like .git)… What would you use?
Tools like Burp Intruder allow sending multiple requests to the same target. Inception does the opposite: test the same thing on a list of targets.
It’s inspired by Snallygaster but includes more tests, is fast (because it is written in Go), and is highly customizable (new tests can easily be added without writing code).
The author of this blog post, a professional pentester, shares some tidbits on his pentesting methodology and custom tools.
What’s most intriguing/interesting is his framework “recron” which is an “automated continuous recon framework”. He didn’t release it but his explanations might give you new ideas for improving your own automated bug hunting tools.
Also, he shared his tool Scanomaly, a web application fuzzer scanner, which is part of that framework.
Bypass filters using < (less-than sign): a string consisting of two “less-than” signs, when passed to the file_get_contents function, gets replaced with an asterisk – only on Windows
Sophos podcast Ep. 018 – Home invasions, snoopy apps and Android versus iOS [PODCAST]
Getting Into Infosec: Nipun Gupta – From Security Consultant to Security Innovator
Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them: February 22nd, 2019 at 1:00 PM EST
Webinar: From Dev to InfoSec: #MyInfoSecStory on Feb 21, 2019: February 21, 2019 at 1:00 PM US Eastern
BSides Tampa 2019, especially:
Trends, challenge, and shifts in software vulnerability mitigation (BlueHat IL 2019)
Medium to advanced
SSRF Protocol Smuggling in Plaintext Credential Handlers: LDAP: SSRF protocol smuggling in LDAP authentication, quite common with enterprise and multi-tenancy products
BACNet JavaScript Injection - Persistent XSS in BACNet devices CVE-2019-7408
Beginners corner
Interlace: A Productivity Tool For Pentesters and Bug Hunters – Automate and Multithread Your
Multiple Ways to Exploiting Windows PC using PowerShell Empire
Day 40: Privilege Escalation (Linux) by Modifying Shadow File for the Easy Win
Challenge writeups
Spying Challenge 2018: Write-up from a CTF with OSINT, social engineering, physical intrusion & hacking
Pentest & Responsible disclosure writeups
Hacking To Deface Into Indian News Media Outlet- ANI News Agency #Web
Vulnerabilities in Tightrope Media Systems Carousel <=7.0.4.104 (and likely newer) #Web
Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT #IoT #Mobile
Multiple Vulnerabilities Found in Mobile Device Management Software #Mobile
Reverse engineering of a mobile game, part 2: they updated, we dumped memory #Mobile
Hacking an Aftermarket Remote Start System (Part 1) #Carhacking
Libreoffice (CVE-2018-16858) – Remote Code Execution via Macro/Event execution #App
Bug bounty writeups
Information disclosure on HackerOne ($20,000) & I told you so
XSS & Open redirect on Twitter ($1,120)
Privacy violation on Twitter ($1,120)
Cache deception on Medium ($100)
Directory listing, SQL injection, Authentication bypass on Private program
See more writeups on The list of bug bounty writeups.
If you don’t have time
Armory & Introduction: A tool meant to take in a lot of external and discovery data from a lot of tools, add it to a database and correlate all of the related information
Subjs: A tool to get JavaScript files from a list of URLs or subdomains
GitHub History: Browse the history of any file from GitHub with style
More tools, if you have time
Whatruns.py: Python Script to Fetch the technologies of given domain using whatruns API
Nmap-censys: NSE script which leverages the Censys IPv4 API for passive data collection
IPOsint: Discover IP Address of the target from a great resource without register or any API key
Goscan: Interactive Network Scanner
Golookup: A simple tool written in GoLang, which looks for CNAME(s), A and AAAA records, TXT records, NameServer(s) / MX record of any domain
420 & Introduction: Automated XSS Vulnerability Finder
Leaks_parser: Parser for data dumps Collection #1 / Collection #2-5
tmpnix: An alternative to static binaries for post-exploitation
PowerPriv & Introduction: A Powershell implementation of PrivExchange designed to run under the current user’s context
DnsCache: Reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver
Bashfuscator: A modular and extendable Bash obfuscation framework written in Python 3, intended to help both red team and blue team
AWS Hacking: Offensive guide to securing AWS infrastructures
HackerOne-Lessons: Transcribed video lessons of HackerOne to pdf’s
Intranet Penetration Tips (Original in Chinese)
A guide to HTTP security headers for better web browser security
The Difference Between Threats, Threat Actors, Vulnerabilities, and Risks
No DA? No Problem! How Attackers Can Access Sensitive Data without Escalated Privileges
PHPMyAdmin 3.5.X-3.5.8 Reflected XSS: What could have been, but really wasn’t
Your drivers may have an open Web server exposing you to attacks
Public hacker test on Swiss Post’s e-voting system: Between Feb. 25th and Mar. 24th 2019. Register on https://www.onlinevote-pit.ch/
Introducing My Programs (HackerOne): https://www.hackerone.com/blog/Introducing-My-Programs
It’s 2019. Should billion-dollar corps do better than offer swag for vulns?: A t-shirt for RCEs on Sony & Sony Pictures
Researcher Assaulted By A Vendor After Disclosing A Vulnerability
BountyCon: Invitation-only security conference by Google & Facebook, in Singapore on March 30-31, 2019. Airfare & accommodations covered for some selected students
Phishing Attacks Against Facebook / Google via Google Translate
Critical Android Bug that Allows Attackers to Compromise your Android Device Using PNG Image
Major Security Breach Found in Hospital and Supermarket Refrigeration Systems
KeySteal could allow someone to steal your Apple Keychain passwords: 18-year-old German researcher found a critical iOS 0-day but refuses to share details with Apple in protest of their invite-only/iOS-only bounties
Apple will pay the teenager who discovered the Group FaceTime bug
Red team, blue team and rockstar culture in infosec (interesting comments too)
How Dr. Jessica Barker Brought Positivity Into Cybersecurity
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/25/2019 to 02/01/2019.
Curated by Pentester Land & Sponsored by Intigriti