By Anna Hammond
August 19, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 07 to 14 August.
Red Team Village (DEF CON Safe Mode), especially:
Knock knock, Who’s There? Identifying Assets in the Cloud by @NahamSec and StaticFlow
Combining notebooks, datasets, and cloud for the ultimate automation factory by Ryan Elkins
I know I’ve mentioned Red Team Village last week, but these videos were just uploaded and are really worth viewing. Three of them are about advanced automation for higher efficiency. The idea is to leverage automation to free up time and be able to focus on other things that cannot be automated. @DanielMiessler, @NahamSec/_StaticFlow_ and @ryanelkins present three different solutions that will probably make you want to rework your tools!
The last talk is about Android app testing. @B3nac shares his methodology and common attack vectors, with a focus on deep links. This is the talk to watch if you want to focus on Android bounties.
CVE-2020-11518: how I bruteforced my way into your Active Directory
Open Sesame: Escalating Open Redirect to RCE with Electron Code Review
These are excellent examples of bug chains that escalate impact to the max.
@honoki followed a lead for Java insecure deserialization that required an arbitrary file upload. So he reproduced the target environment locally, found a vulnerable file upload function and a bruteforceable authentication key. The combination of all these bugs resulted in RCE on an AD-connected server, which means remote access to the company’s internal networks.
In the second writeup, @spaceraccoonsec explains in great detail how XSS (with CSP bypass) and an open redirect in an Electron app can be escalated to RCE.
Alyssa_Herrera_ Talks About Bug Bounties, Pulse Secure Research, Hacking US Dept of Defense & More!
@Alyssa_Herrera_ is known for her research on SSRF and Pulse Secure VPN, and for hacking the United States Department of Defense. It’s nice to hear her talk about all this, and many other things like her background, testing methodology, burnout, imposter syndrome, etc.
SQLi Query Tampering is a Burp Suite extension that basically ports Sqlmap’s tampering functions to Burp. It helps process and generate custom payloads to manually test for SQL injection. This is really handy when you need to generate payloads that evade WAFs and filters, and prefer manual testing to Sqlmap.
Credential Digger is a GitHub scanner that looks for hardcoded credentials and filters false positives using machine learning models. I haven’t tested it yet, but the machine learning aspect makes it worth testing. Automatically scouring GitHub for secrets, with fewer false positives, is interesting for recon.
Got an XSS? Try to 'upgrade' it to SSRF to get a bigger #BugBounty. Thanks for the #BugBountyTip, @georgeomnet!
❓ Never heard of ESI Injection before? Check out this @defcon talk: https://t.co/ltXGAuP6AZ #BugBountyTips #HackWithIntigriti — Intigriti (@intigriti) August 14, 2020
This is a great tip by @georgeomnet! The next time you find an XSS on a site that uses caching, remember to test for ESI injection. It can lead to SSRF, increasing the impact of the XSS.
CyberTalk ep.9-@LiveOverflow Talks About CTFs, binary exploitation, reverse engineering & bug bounty
Kill Chain: The Cyber War on America’s Elections | Full Documentary for DEF CON | HBO
Geneva – Great Firewall Of China, Black Hat/DEFCON 2020, Have I Been Pwned
Risky Business #594 — How ESNIs will change censorship and NDR
The InfoSec & OSINT Show 20 – Robert Baptiste (Elliot Anderson) & Mobile App Hacking
Security in Five Episode 805 – China Blocking TLS 1.3, Here’s Why And Why You Should Want To Use It
Hunting for Skeleton Key Implants #BlueTeam
IoT Security – Part 11 (Introduction To CoAP Protocol And Security)
Tips and Tricks for Pen-testing iOS Apps with jailbreak detection
Apple iPhone Activation, Asymmetric Encryption & (un)tethering.
Gain access to an internal machine using Port forwarding — Setup experiment environment & Penetration testing
Offense and Defense – A Tale of Two Sides: Group Policy and Logon Scripts
Data Exfiltration | Bypassing a misconfigured DLP to exfiltrate sensitive data.
Chaining multiple vulnerabilities to exfiltrate over 250GB of PIA
Exploiting vBulletin: “A Tale of a Patch Fail” & vBulldozer #Web #CodeReview
Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites #Web
Don’t be silly – it’s only a lightbulb #IoT #ZigBee
Keeping the gate locked on your IoT devices: Vulnerabilities found on Amazon’s Alexa #IoT
Just another Null Byte Poison via Unicode variant (MuPDF mutool RCE) #RCE
Hunting for SQL injections (SQLis) and Cross-Site Request Forgeries (CSRFs) in WordPress Plugins #Web
Path Traversal Vulnerability in SecurEnvoy impacts on remote command execution through file upload #Web #CodeReview
SSD Advisory – TerraMaster OS exportUser.php Remote Code Execution #Web
Follow the Data: A Hidden Directory Traversal Vulnerability in QNX Slinger #Web
Critical Vulnerabilities Patched in Quiz and Survey Master Plugin #Web #CodeReview
Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom (Zoom)
CSP Bypass Vulnerability in Google Chrome Discovered – Almost Every Website In The World Was At Risk (Google, $3,000)
Bug Hunting with Param Miner: Cache poisoning with XSS, a peculiar case
Pre-auth Denial-of-Service in Dovecot RPA implementation (Open-Xchange, $550)
Denial-of-service By Cache Poisoning The Cross-Origin Resource Sharing Misconfiguration Allow Origin Header (Automattic, $200)
See more writeups on The list of bug bounty writeups.
CertEagle & Intro: Asset monitoring utility using real time CT log feeds
gl-redteam/gitrob: Gitrob fork that adds several features to gitrob including GitLab support, commit content searching, in-memory repository cloning, and more
ardse: Extracts subdomains of a specified domain using https://api.recon.de
Whoxyrm: A reverse whois tool based on Whoxy API
Vailyn: A phased, evasive Path Traversal scanning & exploitation tool in Python
pmg: Extract parameters/paths from urls
403fuzzer: Fuzz 403/401ing endpoints for bypasses
Evine: Interactive CLI Web Crawler
paraglider: Python tool to check source-code for (hidden) parameters
Mística: An open source swiss army knife for arbitrary communication over application protocols
SkyArk: Helps to discover, assess and secure the most privileged entities in Azure and AWS
Manuka: A modular OSINT honeypot for blue teamers
Overlord: Red Teaming Infrastructure Automation
Cotopaxi: Set of tools for security testing of Internet of Things devices using specific network IoT protocols
Carnivore: A username enumeration and password spraying tool for Microsoft services (Skype for Business, ADFS, RDWeb, Exchange and O365)
DeepSea Phishing Gear: Aims to help RTOs and pentesters with the delivery of opsec-tight, flexible email phishing campaigns carried out on the outside as well as on the inside of a perimeter
AutoGadgetFS: Open source framework that allows users to assess USB devices and their associated hosts/drivers/software without an in-depth knowledge of the USB protocol
Mythic & Intro: Apfell C2 framework is re-branded as Mythic with new features
ACE to RCE #ActiveDirectory
Cybersecurity Skills Gap Worsens, Fueled by Lack of Career Development
Coronavirus: Fall in healthcare data breaches could be due to ‘pandemic distraction’
vBulletin zero-day vulnerability revealed, failed patch to blame
CVE-2019-0230: Apache Struts Potential Remote Code Execution Vulnerability
ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations
Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks
Remote code execution vulnerability exposed in popular JavaScript serialization package
Beyond KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping
Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs
A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks
Newly discovered APT group RedCurl offering hack-for-hire services, report warns
CREST: We are investigating NCC Group certification cheat sheet scandal – and not with NCC personnel
Windows, IE11 zero-day vulnerabilities chained in targeted attack
Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities
Mozilla is laying off 250 people and planning a ‘new focus’ on making money
Google: We’ll test hiding the full URL in Chrome 86 to combat phishing
Firefox 79: Latest browser release enables Enhanced Tracking Protection 2.0 by default
Rite Aid deployed facial recognition systems in hundreds of U.S. stores
For six months, security researchers have secretly distributed an Emotet vaccine across the world
Bug Business #8 – Get to know Intigriti’s Top Hackers in Q2: kuromatae
How to Defend Against Pegasus, NSO Group’s Sophisticated Spyware
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/07/2020 to 08/14/2020.