Bug Bytes #84 – From XSS to SSRF, Chaining bugs to RCE & Automation for mass recon and exploitation

By Anna Hammond

August 19, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 07 to 14 of August.

Our favorite 5 hacking items

1. Conference of the week

Red Team Village (DEF CON Safe Mode), especially:

I know I’ve mentioned Red Team Village last week, but these videos were just uploaded and are really worth viewing. Three of them are about advanced automation for higher efficiency. The idea is to leverage automation to free up time and be able to focus on other things that cannot be automated. @DanielMiessler, @NahamSec/_StaticFlow_ and @ryanelkins present three different solutions that will probably make you want to rework your tools!

The last talk is about Android app testing. @B3nac shares his methodology and common attack vectors, with focus on Deep links. This is the talk to wathc if you want to focus on Android bounties.

2. Writeups of the week

CVE-2020-11518: how I bruteforced my way into your Active Directory

Open Sesame: Escalating Open Redirect to RCE with Electron Code Review

These are excellent examples of bug chains that escalate impact to the max.

@honoki followed a lead for Java insecure deserialization that needed arbitrary file upload. So, he reproduced the target environment locally, found a vulnerable file upload functionality, and a bruteforeable authentication key. The combination of all these bugs resulted in RCE on an AD-connected server, which means remote access to the company’s internal networks.

In the second writeup, @spaceraccoonsec explains in great details how XSS (with CSP bypass) and open redirect in an Electron app can be escalated to RCE.

3. Video of the week

Alyssa_Herrera_ Talks About Bug Bounties, Pulse Secure Research, Hacking US Dept of Defense & More!

@Alyssa_Herrera_ is known for her research on SSRF, Pulse Secure VPN, and for hacking the United Stated Department of Defense. It’s nice to hear her talks about all this, and many other things like her background, testing methodology, burnout, imposter syndrome, etc.

4. Tools of the week

SQLi Query Tampering

Credential Digger

SQLi Query Tampering is a Burp Suite extension that basically ports Sqlmap’s tampering functions to Burp. It helps process and generate custom payloads to manually test for SQL injection. This is really handy when you need to generate payloads that evade WAFs and filters, and prefer manual testing to Sqlmap.

Credential Digger is a Github scanner that looks for hardcoded credentials and filters false positives using machine learning models. I haven’t tested it yet, but the machine learning aspect makes it worth testing. Automatically scouring Github for secrets, with less false positives, is interesting for recon.

5. Tip of the week

Got an XSS? Try to 'upgrade' it to SSRF to get a bigger #BugBounty. Thanks for the #BugBountyTip, @georgeomnet!
❓Never head of ESI Injection before? Check out this @defcon talk: https://t.co/ltXGAuP6AZ#BugBountyTips #HackWithIntigriti pic.twitter.com/0XYUgWrS0M

— Intigriti (@intigriti) August 14, 2020

This is a great tip by @georgeomnet! The next time you find XSS and caching is used, remember to test for ESI injection. It can lead to SSRF, increasing the impact of the XSS.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • CertEagle & Intro: Asset monitoring utility using real time CT log feeds

  • gl-redteam/gitrob: Gitrob fork that adds several features to gitrob including GitLab support, commit content searching, in-memory repository cloning, and more

  • ardse: Extracts subdomains of a specified domain using https://api.recon.de

More tools, if you have time

  • Whoxyrm: A reverse whois tool based on Whoxy API

  • Vailyn: A phased, evasive Path Traversal scanning & exploitation tool in Python

  • pmg: Extract parameters/paths from urls

  • 403fuzzer: Fuzz 403/401ing endpoints for bypasses

  • Evine: Interactive CLI Web Crawler

  • paraglider: Python tool to check source-code for (hidden) parameters

  • Mística: An open source swiss army knife for arbitrary communication over application protocols

  • SkyArk: Helps to discover, assess and secure the most privileged entities in Azure and AWS

  • Manuka: A modular OSINT honeypot for blue teamers

  • Overlord: Red Teaming Infrastructure Automation

  • Cotopaxi: Set of tools for security testing of Internet of Things devices using specific network IoT protocols

  • Carnivore: A username enumeration and password spraying tool for Microsoft services (Skype for Business, ADFS, RDWeb, Exchange and O365)

  • DeepSea Phishing Gear: Aims to help RTOs and pentesters with the delivery of opsec-tight, flexible email phishing campaigns carried out on the outside as well as on the inside of a perimeter

  • AutoGadgetFS: Open source framework that allows users to assess USB devices and their associated hosts/drivers/software without an in-depth knowledge of the USB protocol

  • Mythic & Intro: Apfell C2 framework is re-branded as Mythic with new features

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/07/2020 to 08/14/2020.

You may also like