Bug Bytes #87 – Google Android Local Arbitrary Code Execution, ADB over WIFI & A bunch of New Relic bug reports

By Anna Hammond

September 9, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 28 of August to 04 of September.

Our favorite 5 hacking items

1. Tutorial of the week

Supercharge Android dev with Scrcpy and ADB WIFI

This will be helpful if you have a physical Android device and want to use it wirelessly from your laptop for tests.

Using Genymotion’s scrcpy, you can cast the device’s screen on your laptop, use ADB over WIFI, record PoCs or demos from your laptop, etc.

2. Writeups of the week

Oversecured automatically discovers persistent code execution in the Google Play Core Library (Google)
~30 reports by Jon Bottarini (New Relic)

The first writeup is about a local arbitrary code execution vulnerability in Google Play’s Core Library. It was possible to target any application (including Google Chrome) by crafting a malicious APK. If a victim installed it, it would perform directory traversal, execute code as the target app and access its data.

The second link is what it looks like when @jon_bottarini plays swith a Web app to get familiar with it. It’s about 30 reports of IDOR, Privilege Escalation, Stored XSS and Logic bugs found on New Relic, without recon, on a span of two years. So interesting, and a perfect response for anyone who says there aren’t any bugs left to find!

3. Video of the week

How to use ffuf – Hacker Toolbox & ffuf translator

This is an excellent introduction to ffuf. @InsiderPhD explains everything you need to start using this powerful tool now: Options for subdomain bruteforcing, fuzzing parameters and headers, cutting down false positives, handling the output, oneliners for common uses, etc.

4. Resource of the week

Weak JWT secrets dictionary & Intro

This is a list of public JWT secrets found with Google dorking and Google BigQuery. It can be used as a wordlist for bruteforcing JWT signatures. The idea is that sometimes developers only sign JSON Web Tokens without encryption, and copy/paste secrets (like the ones compiled) from tutorials.

5. Tools of the week

Masscan Parser

Two Go tools that help with recon automation: Masscan Parser parses Masscan’s output, as the name suggests, and returns IP:port combinations. This is useful for extracting open ports and feeding the list into another tool.
jf is a wrapper around gf which makes it easier to grep for common patterns in text files. jf provides the same functionality but for JSON files.

Other amazing things we stumbled upon this week



Webinars & Webcasts



Medium to advanced

Beginners corner


Challenge writeups

Pentest writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


  • oobfuzz: Conduct OOB Fuzzing of targets with custom payloads towards callback server

  • Fuxi: Penetration Testing Platform

  • iblessing: iOS security exploiting toolkit that includes application information collection, static analysis & dynamic analysis

  • wadl-dumper: Dump all available paths and/ endpoints on WADL file

  • jwt-hack: Go tool for JWT hacking

  • mainRecon: Automated reconnaissance docked image

  • SNIcat & Intro: Proof of concept tool that performs data exfiltration, utilizing a covert channel method via Server Name Indication, a TLS Client Hello Extension

  • Tunshell: Remote shell into ephemeral environments

  • Red Commander & Intro: Red Team C2 Infrastructure built in AWS using Ansible!

  • MoveScheduler: .NET 4.0 Scheduled Job Lateral Movement q

Misc. pentest & bug bounty resources




Bug bounty & Pentest news



Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/28/2020 to 09/04/2020.

You may also like