Hey hackers! These are our favorite pentest & bug bounty related resources for the week from 6 to 13 of July.

Our favorite 5 hacking items #

1. Videos of the week #

SteelCon 2018 - , particularly:

• What I’ve Learned From Billions Of Security Reports Every Month by Scott Helme
• Breaking Into Information Security by Andy Gill
• Can’t Hack, Love To Lurk: Sharing Academic Research by Helen Thackray
• The Dark Arts by Neil Lines
• Opening by Robin Wood
• Exploiting Screen Recording And Automated Input On Android by Amar Menezes
• GDPR For Hackers by Carl Gottlieb
• You’ve Got Mail! by Dan Caban and Muks Hirani
• Not A Hacker, Yet. by Chris Ratcliff
• Profiling The Attacker by James Stevenson

I would have loved to go to SteelCon 2018 and see all these talks live! They are not all technical but when I’m looking for something to watch/pass the time, I usually prefer watching conference videos like these to TV shows. They teach me new technical skills/information and help put me in a hacker’s mindset and motivate me for better bug hunting.

2. Tool of the week #

https://buckets.grayhatwarfare.com/: The Shodan of Amazon S3 buckets

The story of why it was created

This is a searchable database of open Amazon S3 buckets. I haven’t had the time to try it yet, but I love the idea of an equivalent of Shodan for S3 buckets!

70 000 buckets are listed, you can easily search for company names or domain names, and browse the contents of buckets.

3. Writeup of the week #

#BugBounty — Compromising User Account- ”How I was able to compromise user account via HTTP Parameter Pollution(HPP)” by Avinash Jain

This is a good real-life example of HTTP Parameter Pollution. Avinash first detected it on a social sharing button, then tested for the same issue on the password reset functionality of the same site and was able to reset the password of any user, escalating from HPP to account takeover.

4. Tutorial of the week #

OSINT Primer: Domains (Part 1) by Patrick Hudak

Any tutorial by Patrick Hudak is a great tutorial! They are always detailed, informative and easily understandable.

In this one, he explains how to find information related to a given domain, like its owner, reputation, DNS settings…

Finding a domain’s owner can be very useful for bug hunters, to avoid attacking an out of scope domain that does not belong to your target.

5. Non technical item of the week #

Watch Your Hack

Basic security tips for the layman. This is a page to share with your relatives, co-workers, neighbors, etc, to help them protect themselves from black hats.

Other amazing things we stumbled upon this week #

Stuff to watch/listen to #

Videos #

• HackerOne Hacker Interviews: Shubham Shah (@notnaffy)

Podcasts #

• WEBCAST: Attack Tactics 3 & Slides
• Ep. 18, OPSEC fails and OSINT wins
• 7MS #318: Interview with Bjorn Kimminich of OWASP Juice Shop

Conferences #

• Testing iOS apps without jailbreak in 2018 (Slides only)
• CONFidence 2018: Hunting for the secrets in a cloud forest by Paweł Rzepa

Tutorials #

Medium to advanced #

• Hunting for secrets with the DumpsterDiver
• Windows oneliners to download remote payload and execute arbitrary code
• Finding Phishing: Tools and Techniques
• The Pandora Bucket Unleashed
• Unlocking WhatsApp’s hidden GIF provider (Giphy / Tenor) and exploring the code
• Neatly bypassing CSP
• Data exfiltration techniques

Beginners corner #

• Windows Active Directory Post Exploitation Cheatsheet
• Common technical interview questions: DNS basics
• Systemd user level persistence
• OSINT & Social Engineering the Dangers
• Server-Side Template Injection Introduction & Example

Writeups #

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• How I had access to the sourcecode of more than 5.000 websites within just a few hours.
• Exploiting freely accessible WhatsApp data or “Why does WhatsApp web know my phone’s battery level?”
• Out-of-Band XML External Entity (OOB-XXE) exploitation over Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 (0day CVE-2018–12463)

Tools #

• Hawkeye: A tool for analyzing a filesystem/directory recursively looking for interesting stuff for infosec like private SSH keys, config files, etc
• Curate: A tool for fetching archived URLs (to be rewritten in Go) by EdOverflow
• Burp Suite HTTP Smuggler: A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
• TheHaywireHax: A collection of scripts and hacks I made by DeWolfRobin
• StaCoAn: Crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications
• Findautoelevate.ps1: super quick powershell script to enumerate executables with auto-elevation enabled, handy for privilege escalation research purposes
• Cheat.sh: the only cheat sheet you need https://cheat.sh/
• Sniff-Paste: OSINT Pastebin Harvester
• file-magic.py: the *nix file tool ported to Windows
• ScreenShooter: Convert your masscan/subdomain-scan results (80,443,8080) into screenshots for better analysis
• Swiftness: Swiftness is a macOS productivity tool for bug hunters and security professionals to intensify penetration testing process with checklist and notes features

Misc. pentest & bug bounty resources #

• API Paths List: A list of API URL paths for use in blackbox API end-point discovery
• List of Helpful Information Security Multimedia
• Week in OSINT — #2018-27
• InfoSec Write-up Slack channel
• 666 lines of XSS vectors, suitable for attacking an Api
• The Hacker-Powered Security Report 2018 by HackerOne
• How I became a hacker and more…: This is the version cached by Google because the original link gives a 404 error
• OSINT Map: A MindMap for Your Investigations
• RegexOne: Learn Regular Expressions with simple, interactive exercises.

Challenges #

• Lin.security – practise your Linux privilege escalation foo
• Real World CTF
• http://hsts.pro/csp.php

Non technical #

• Jonny Moseley Outhacks Them All: First to Win Olympic Gold, Now to Inspire Olympic Hopefuls
• DEF CON Travel Advice
• Is your smartphone spying on you?
• This amazing new web tool lets you create microsites that exist solely as URLs
  • https://itty.bitty.site/ is useful for “bypassing Twitter’s character limit, and using it as a clever alternative for domain redirecting”
• Top 15 Security Testing Interview Questions and Answers
• Unusual Journeys Into Infosec with Netsecml

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this week. You’re welcome to read it directly on Twitter.

Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…