Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 04 to 11 of September.
h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c) & h2cSmuggler
Using HTTP/2 used to mitigate HTTP Request Smuggling vulnerabilities. That was until Jake Miller (@theBumbleSec) came up with this variant that leverages HTTP/2 over cleartext (h2c) connections. The idea is to upgrade the HTTP/1.1 connection to HTTP/2 by sending an h2c upgrade header. If the backend server is compatible, the TCP tunnel created is unmanaged, allowing you to bypass the reverse proxy access controls.
This works on HAProxy, Nuster, and Traefik’s default reverse proxy configurations.
The Git repo provides a tool and demo to reproduce the attack.
How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472), Official testing script & NCC’s .NET exploit
Zerologon (CVE-2020-1472) is a CVSS-10 privilege escalation vulnerability in Microsoft’s Netlogon authentication process. It is caused by a flaw in the cryptographic implementation of AES encryption. The reason it is making headlines is its ease of exploitation and critical impact: It allows attackers with unauthenticated network access to Domain Controllers, to obtain Domain Admin privileges and take over Active Directory domains.
The second writeup is about @orange_8361’s new research on Facebook’s MobileIron MDM. He found an RCE using JNDI injection, Authentication bypass and Arbitrary file reading. It is interesting to read how he turns Black box testing into White box testing, and revives his old “Breaking Parser Logic” attack.
Full Time Bug Hunting with Alex Chapman
Interview With @akita_zen || Bug Bounty Methodology, Avoiding Dupes & Staying Zen
@InsiderPhD interviews @ajxchapman about full time bug hunting, with a focus on strategy, risk managament and financial planning. It’s cool to get a peak at the life of a full-time bug hunter and how he makes it sustainable.
@farah_hawa01’s interview with @akita_zen is about all things recon, methodology, avoind dupes, favorite personal findings, subdomain takeovers, advice for beginners, etc.
XXE bruteforce wordlist
XXE aficionados, this wordlist is for you! Pieter Hiele (@honoki) shared his XXE bruteforce list that includes 65 payloads. It’s worth checking out as he knows something about XXE (considering his past writeups).
CloudBrute, ProxyFor & Intro
CloudBrute is a new Go tool for enumerating a target’s resources on cloud providers (including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr and Linode). It takes a keyword (for example the domain or company name) and a wordlist, builds a list of potential URLs by doing mutations, then tests which ones are live and accessible based on their status code.
The only API key needed is a free IPINFO key, and a second tool (ProxyFor) was also released to help with bypassing rate and region limitations.
See more writeups on The list of bug bounty writeups.
Twistr & Intro: A domain name permutation and enumeration library powered by Rust
Gooey: Turn (almost) any Python command line program into a full GUI application with one line
StreamDivert & Intro: Redirecting (specific) TCP, UDP and ICMP traffic to another destination.
bufferover: Extracting DNS data from bufferover API for penetration testers
FES: Fast Endpoint Scanner in Rust, based on TomNomNom’s meg
check-put.sh: Script to test for PUT upload method against a list of hosts
Recon-007 [V1 Beta]: Python tool to automate the bug bounty recon process
uniqurl: Use uniqurl to filter only unique content from a list of URLs with stdin, making it usable within piped commands
get-title: multi threaded python tool to get pages’s title
rakkess: Review Access – kubectl plugin to show an access matrix for k8s server resources
Maigret: Collect a dossier on a person by username from a huge number of sites (Fork of Sherlock)
Wacker: A WPA3 dictionary cracker
Bluescan: A powerful Bluetooth scanner for scanning BR/LE devices, LMP, SDP, GATT and vulnerabilities!
DVS: D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife – Lateral movement using DCOM Objects
TREVORspray: A featureful Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API & bypasses microsoft’s new anti-password-spraying countermeasures
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 09/04/2020 to 09/11/2020.
