By Anna Hammond
November 4, 2020
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 25 October to 1 November.
Intigriti’s November XSS Challenge
#Eko2020 Workshops | Rajanish Pathak, Rahul Maini & Harsh Jaiswal: Demystifying the Server Side & Slides
This is a great workshop on server-side vulnerabilities. It includes concise introductions to SSRF, XXE, Remote Code Execution and Reverse Proxy attacks. The case studies especially are very interesting.
Weblogic RCE by only one GET request — CVE-2020–14882 Analysis (in Vietnamese), Exploit, Bypass & AttackerKB analysis
Ability To Backdoor Facebook For Android
CVE-2020-14882 is a pre-authentication Remote Code Execution in Oracle WebLogic. It was patched, but a bypass was released a week later, so it is now being exploited in the wild. For pentesters and bug hunters, it is worth adding to testing workflows, as it has a 9.8/10 CVSSv3 score and takes only one GET request to exploit.
The second writeup is about an insecure development deeplink that could have allowed backdooring Facebook for Android. It provides great insight into deeplink abuse, an excellent read on Android hacking!
Samy Kamkar (@samykamkar) updated an old attack that tricks firewalls and NAT devices into giving access to machines not normally reachable from the Internet. After first reading about this incredible impact, I thought it was some kind of Halloween joke, but the attack is real. The lengthy writeup goes into all the technical details and prerequisites (Application Level Gateway support, and the victim visiting a malicious site). If you just want the gist of it, here is a high-level TL;DR.
Reporting, whether in bug bounty or pentest, can be tedious. This Burp extension will help, as it makes copying HTTP requests, responses and response headers quicker and easier. A fantastic idea, since copying and pasting these elements is always needed when reporting vulnerabilities.
How I made 1k in a day with IDORs! (10 Tips!)
Katie Paxton-Fear (@InsiderPhD) already has a couple of introductory videos on IDOR. With this new one, she digs deeper into the topic with 10 hunting tips and a recent bug she found. If you understand IDORs but struggle to find them on bug bounty programs, this might just be the video you need.
Honoki Talks About Recon, Bug Bounty Reconnaissance Framework, Hacking on Intigriti, and more!
Bypassing Restrictions | Website Unblocking | ft. UserAgent | Medium, ETPrime
The InfoSec & OSINT Show 31 – Chris Rock & Cyber Mercenaries
Security Now: Top 25 Vulnerabilities – Chrome 0-Day, Edge for Linux, WordPress Loginizer
Risky Business #603 — YOU get sanctions, and YOU get sanctions
SECARMY Village @ GrayHat 2020 & Red Team Village, especially:
The Tale Of The Lost, But Not Forgotten, Undocumented Netsync: Part 1 & Part 2
Remote Desktop Services Shadowing – Beyond the Shadowed Session
Pentest Tales #001: You Spent How Much On Security? & Video version
Using A C# Shellcode Runner And Confuserex To Bypass UAC While Evading AV
pulse-secure-vpn-mitm-research (CVE-2020-8241 & CVE-2020-8239) #VPN
Remote Command Execution in Ruckus IoT Controller (CVE-2020-26878 & CVE-2020-26879) #RCE #IoT
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260) #Web
When a stupid oplock leads you to SYSTEM #LPE #Windows
CVE-2020-16939: WINDOWS GROUP POLICY DACL OVERWRITE PRIVILEGE ESCALATION #LPE #Windows
Link Previews: How a Simple Feature Can Have Privacy and Security Risks
Half-Blind SSRF found in kube/cloud-controller-manager can be upgraded to complete SSRF (fully crafted HTTP requests) in vendor managed k8s service. (Kubernetes, $5,000)
CSRF on launchpad.37signals.com OAuth2 authorization endpoint (Basecamp, $2,000)
HEY.com email stored XSS (Basecamp, $5,000)
See more writeups on The list of bug bounty writeups.
NetblockTool & Intro: Python script that finds netblocks owned by a company
tld_detection.py: TLD matcher for any domain
Scrying: A tool for collecting RDP, web and VNC screenshots all in one place
iSH: Linux shell for iOS
Grype: A vulnerability scanner for container images and filesystems
Serval: A Netcat-style backdoor for pentesting and pentest exercises
Hot Manchego & Intro: Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library
CQOffensiveSecurity Toolkit: The Extreme Windows Offensive Security Toolkit for advanced Windows Infrastructure Penetration Testing
Hiding in Plain Site: Detecting JavaScript Obfuscation through Concealed Browser API Usage
Abusing Teams client protocol to bypass Teams security policies
Trick or Treat! What We Can Learn from the Spookiest Vulnerabilities of the Year
Hacking in an epistolary way: implementing kerberoast in pure VBA
A Researcher’s Guide to Some Legal Risks of Security Research
How to Write Well: What I’ve learned over two decades of writing online
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/25/2020 to 11/01/2020.