Bug Bytes #88 – How @orange_8361 hacked Facebook (again), Privilege escalation in Microsoft’s Netlogon & HTTP request smuggling via HTTP/2

By Anna Hammond

September 16, 2020

Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.

This issue covers the week from 04 to 11 of September.

Our favorite 5 hacking items

1. Article of the week

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) & h2cSmuggler

Using HTTP/2 used to be considered a mitigation for HTTP Request Smuggling vulnerabilities. That was until Jake Miller (@theBumbleSec) came up with this variant that leverages HTTP/2 over cleartext (h2c) connections. The idea is to ask the front-end to upgrade an HTTP/1.1 connection to HTTP/2 by sending an h2c upgrade header. If the backend server accepts the upgrade, the reverse proxy forwards the resulting connection as an unmanaged TCP tunnel, so requests sent through it bypass the reverse proxy’s access controls.
This works on HAProxy, Nuster, and Traefik’s default reverse proxy configurations.

The Git repo provides a tool and demo to reproduce the attack.
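As an added example from the defensive side (this is not code from the article or from the h2cSmuggler project), the snippet below shows what an edge proxy or WAF should do with an HTTP/1.1 request that tries to negotiate an h2c upgrade: recognise it, strip the hop-by-hop upgrade negotiation before forwarding, and flag such attempts in access logs. The header names are the standard ones (`Upgrade`, `Connection`, `HTTP2-Settings`); the access-log format and the log lines are constructed for the example and are assumptions, not anything a particular proxy emits.

```python
"""Added example (not from the article or the h2cSmuggler project): how an
edge proxy should treat an HTTP/1.1 request that negotiates an h2c upgrade,
plus a detector for such attempts in (constructed) access-log lines."""
import re
from typing import Dict, List, Tuple

# Headers that carry the h2c negotiation and must not reach the backend.
HOP_BY_HOP_UPGRADE = {"upgrade", "http2-settings"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a CRLF-separated header block into a lower-cased name -> values map."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n"):
        if ":" not in line:
            continue  # request line, blank line or garbage: not a header
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _tokens(values: List[str]) -> List[str]:
    """Split comma-separated header values into lower-cased tokens."""
    return [t.strip().lower() for v in values for t in v.split(",") if t.strip()]


def is_h2c_upgrade(headers: Dict[str, List[str]]) -> bool:
    """True if the request asks to switch the connection to HTTP/2 cleartext."""
    return (
        "h2c" in _tokens(headers.get("upgrade", []))
        or "http2-settings" in headers
        or "http2-settings" in _tokens(headers.get("connection", []))
    )


def sanitize_for_backend(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy with the upgrade negotiation removed, so the backend cannot
    accept an upgrade that the proxy would then tunnel without inspection.
    Note: this also strips other Upgrade requests (e.g. WebSocket); allowlist
    those explicitly if the application needs them."""
    cleaned = {k: list(v) for k, v in headers.items() if k not in HOP_BY_HOP_UPGRADE}
    if "connection" in cleaned:
        kept = [t for t in _tokens(cleaned["connection"]) if t not in HOP_BY_HOP_UPGRADE]
        if kept:
            cleaned["connection"] = [", ".join(kept)]
        else:
            del cleaned["connection"]
    return cleaned


# Constructed access-log format (assumption: the proxy logs the Upgrade
# request header and the status it returned), for example:
#   10.0.0.5 "GET /public HTTP/1.1" 101 upgrade="h2c"
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) upgrade="(?P<upgrade>[^"]*)"$'
)


def find_h2c_attempts(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for every request that attempted an h2c
    upgrade. A 101 status is the one to alert on: the proxy agreed to tunnel."""
    hits: List[Tuple[str, str, int]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("upgrade").lower() == "h2c":
            hits.append((m.group("client"), m.group("path"), int(m.group("status"))))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 "GET /public HTTP/1.1" 200 upgrade=""',
    '10.0.0.7 "GET /public HTTP/1.1" 101 upgrade="h2c"',
    '10.0.0.9 "POST /api HTTP/1.1" 403 upgrade="h2c"',
]

if __name__ == "__main__":
    # Constructed request: the HTTP2-Settings value is a placeholder, not a real frame.
    req = (
        "GET /public HTTP/1.1\r\nHost: example.test\r\n"
        "Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
        "HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n"
    )
    h = parse_headers(req)
    print("h2c upgrade attempt:", is_h2c_upgrade(h))
    print("headers forwarded to backend:", sanitize_for_backend(h))
    print("log hits:", find_h2c_attempts(SAMPLE_LOG))
```

The detection half is the cheap win: a front-end that is not supposed to hand out upgrades should never log a `101` for `Upgrade: h2c`, so any such line is worth an alert regardless of which path was requested.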

2. Writeups of the week

How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM 

[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472), Official testing script & NCC’s .NET exploit

Zerologon (CVE-2020-1472) is a CVSS-10 privilege escalation vulnerability in Microsoft’s Netlogon authentication process. It is caused by a flaw in the cryptographic implementation of AES encryption. The reason it is making headlines is its ease of exploitation and critical impact: it allows attackers with unauthenticated network access to Domain Controllers to obtain Domain Admin privileges and take over Active Directory domains.

The second writeup is about @orange_8361’s new research on Facebook’s MobileIron MDM. He found an RCE using JNDI injection, authentication bypass and arbitrary file reading. It is interesting to read how he turns black-box testing into white-box testing, and revives his old “Breaking Parser Logic” attack.

3. Videos of the week

Full Time Bug Hunting with Alex Chapman
Interview With @akita_zen || Bug Bounty Methodology, Avoiding Dupes & Staying Zen

@InsiderPhD interviews @ajxchapman about full-time bug hunting, with a focus on strategy, risk management and financial planning. It’s cool to get a peek at the life of a full-time bug hunter and how he makes it sustainable.

@farah_hawa01’s interview with @akita_zen is about all things recon, methodology, avoiding dupes, favorite personal findings, subdomain takeovers, advice for beginners, etc.

4. Resource of the week

XXE bruteforce wordlist

XXE aficionados, this wordlist is for you! Pieter Hiele (@honoki) shared his XXE bruteforce list that includes 65 payloads. It’s worth checking out as he knows something about XXE (considering his past writeups).

5. Tools of the week

CloudBrute, ProxyFor & Intro

CloudBrute is a new Go tool for enumerating a target’s resources on cloud providers (including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr and Linode). It takes a keyword (for example the domain or company name) and a wordlist, builds a list of potential URLs by doing mutations, then tests which ones are live and accessible based on their status code.

The only API key needed is a free IPINFO key, and a second tool (ProxyFor) was also released to help with bypassing rate and region limitations.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Responsible(ish) disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

If you don’t have time

  • Twistr & Intro: A domain name permutation and enumeration library powered by Rust

  • Gooey: Turn (almost) any Python command line program into a full GUI application with one line

  • StreamDivert & Intro: Redirecting (specific) TCP, UDP and ICMP traffic to another destination.

More tools, if you have time

  • bufferover: Extracting DNS data from bufferover API for penetration testers

  • FES: Fast Endpoint Scanner in Rust, based on TomNomNom’s meg

  • check-put.sh: Script to test for PUT upload method against a list of hosts

  • Recon-007 [V1 Beta]: Python tool to automate the bug bounty recon process

  • uniqurl: Use uniqurl to filter only unique content from a list of URLs with stdin, making it usable within piped commands

  • get-title: multi-threaded Python tool to get page titles

  • rakkess: Review Access – kubectl plugin to show an access matrix for k8s server resources

  • Maigret: Collect a dossier on a person by username from a huge number of sites (Fork of Sherlock)

  • Wacker: A WPA3 dictionary cracker

  • Bluescan: A powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!

  • DVS: D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife – Lateral movement using DCOM Objects

  • TREVORspray: A featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API & bypasses Microsoft’s new anti-password-spraying countermeasures

Misc. pentest & bug bounty resources

Challenges

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/04/2020 to 09/11/2020.
