Hey hackers! Once again, we scoured the Web to bring you the latest best resources related to pentest & bug bounty.

This issue covers the week from 27 of July to 03 of August.

Our favorite 5 hacking items #

1. Tip of the week #

Finding domains belonging to a specific target by @edoverflow

One of the most important steps during recon is finding domains that belong to your target.

Many talks and tweets tackle the question of subdomains enumeration, but there is a lot less information out there about finding domains. So it’s nice to read these practical tips from a confirmed bug hunter.

2. Site of the week #

Eternal Noobs: Forum for IT security noobs

• Where to start thread

This is a new forum so there aren’t that many discussion threads yet, but the moderators are very reactive, and noob questions are welcome. So this seems to be the right place if you have any bug bounty or pentest questions and don’t know who to ask.

A couple of Web challenges have also been submitted by @brutelogic.

3. Video / Tool of the week #

Haxcellent Adventures [Arsenal] - WPForce by @n00py1

As you can see in the Tools section of this newsletter, there are so many tools released every week! Some are innovative and efficient, others not so much. It is difficult to assess them without trying them, and as I lack time to perform a review of the dozen of tools that seems interesting to me each week, I prefer simply shared them with you so that you can have the information and make your own mind.

{% capture challenge-url %}{{ site.url }}{{ site.baseurl }}{% post_url 2018-06-27-vulnhub-Bsides-Vancouver-2018-walkthrough %}{% endcapture %} For these reasons, I love this new series by @sneakerhax where he tries a tool and gives his opinion on whether it is worth adding to his hacking arsenal or not. The tool in this first video is WPForce. I’ve already played with it while doing a [challenge]({{ challenge-url }}) and confirm that it is very fast and effective.

4. Non technical item of the week #

ZTH-CH2: - Security For Everyone by @ZephrFish

This article presents basic common sense advice to secure yourself online. It’s nothing new but a nice refresher, and could also serve as a tutorial to which you could refer friends, family or anyone that need easy practical tips to improve their online security.

5. Writeup of the week #

• Hacking IoT Cameras with s/swnb479e7d24/swn1bf9f32f2/g
• Hacking Swann & FLIR/Lorex home security camera video

This is a great real-life example of how to exploit IoT devices. The attacks are not technically complicated and there isn’t any mention of a bounty, but I think it is fascinating and scary to see how easy it is to hack these cameras. A simple IDOR to access the video feed of any other camera that’s online!

Other amazing things we stumbled upon this week #

Stuff to watch/listen to #

• HackerOne Hacker Interviews: Andre Baptista (@0xacb)
• Getting Started With Burp (Hacker 101)

Tutorials #

Medium to advanced #

• XSS without HTML: Client-Side Template Injection with AngularJS
• Bypassing and exploiting Bucket Upload Policies and Signed URLs by @fransrosen
• Bypassing Duo Two-Factor Authentication (Fail Open)
• Silent Internal Network Segment Recon using Discovery and Broadcast Protocols

Beginners corner #

• How to brute force efficiently without Burp Pro
• Burp Suite Extension Development Series
• Pwning Web Applications via Telerik Web UI
• Hakluke’s Guide to Hacking Without Metasploit
• About User Enumeration
• How I hacked into my neighbour’s WiFi and harvested login credentials?

Writeups #

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• Manually craft blind SQL injections
• What happened when we hacked an expo?
• iPhone app XSS in Facebook Mail

• Web auditing: Jump on the bandwagon! (or not)
• Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716]
• From writing to /tmp to a root shell on Inteno IOPSYS
• Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375)
• New attack on WPA/WPA2 using PMKID

Tools #

• Cisco Hostscan Bypass: Script for bypassing AnyConnect hostscan requirements
• Neto: A tool to analyse browser extensions
• Raccoon: A high performance offensive security tool for reconnaissance and vulnerability scanning
• Fluxion: Hacking WPA/WPA2 without brute force
• AutoSploit: Automated Mass Exploiter
• CertCrunchy: A recon tool that uses data from SSL Certificates to find potential host names
• OWASP Dependency-Check: A software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies
• Telewreck: A Burp extension to detect and exploit versions of Telerik Web UI vulnerable to CVE-2017-9248
• GoAltdns: A permutation generation tool written in golang
• Remote-Desktop-Caching-: Recover old RDP (mstsc) session information in the form of broken PNG files

Misc. pentest & bug bounty resources #

• Bug Bounty Wiki by EdOverflow
• 4500+ Google Dork List 2018
• guif.re: Pentest cheatsheet
• The new month of Burp pr0n: “Every day during August, we’ll be blogging about a different new feature”. Can be read here: https://portswigger.net/blog
• API Security Checklist: Checklist of the most important security countermeasures when designing, testing, and releasing your API
• Android-Reports-and-Resources: A big list of Android Hackerone disclosed reports and other resources
• Notes on Windows Privilege Escalation
• Tips for Penetration Testing a PCI environment
• Pentest-Report Thunderbird & Enigmail 09.2017 by Cure53
• https://crawler.ninja/: Alexa Top 1 Million Security Analysis (Intro)

Challenges #

• CloudGoat: The ‘Vulnerable-by-Design’ AWS Environment
• vuLnDAP: a vulnerable LDAP based web app written entirely in Golang & Walkthrough
• Tiredful-API: An intentionally designed broken web application based on REST API
• Lin.security: Practise your Linux privilege escalation foo
• Password cracking CTF: A cr4cking g00d time – 12 challenges. 1 cryptocurrency prize!
• Bypassing login form with SQL injection challenge
• XSS challenge

Non technical #

• How to Pass a Red Team Interview
• What to Expect After a Pen Test
• disclose.io: A collaborative and vendor-agnostic project to standardize best practices around safe harbour for good-faith security research
• A Primer to Red Teaming
• Awesome Interwiews: A curated awesome list of lists of interview questions

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this last week. You’re welcome to read them directly on Twitter: Tweets from 07/27/2018 to 08/03/2018

Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…