Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue covers the week from 03 to 10 of August.

Our favorite 5 hacking items #

1. Writeup of the week #

How I gained commit access to Homebrew in 30 minutes by Eric Holmes (@vesirin)

Eric was able to make an unauthorized commit to Homebrew’s GitHub repositories. It took 4 steps and less than 30 minutes:

• He used Gitrob to automate the organization’s Github recon
• He looked at previously disclosed issues on https://hackerone.com/Homebrew and found a Jenkins instance (intentionally) publicly exposed
• Git authenticated push meant that credentials were stored somewhere…
• The “Environment Variables” page exposed a valid GitHub API token

2. Tips of the week #

Colorize your hunt by Gwendal Le Coguic (@gwendallecoguic)

Another great blog post by Gwendal Le Coguic! He presents his configuration to test for IDOR & vertical/horizontal escalation:

• Autochrome browser: many options configured by default, separate profiles
• Multi-Browser Highlighting: Burp extension that highlights the Proxy history to differentiate requests made by different browsers
• Logger++: Bup extension to log the requests and responses made by all Burp tools, and display them in a sortable table

3. Videos of the week #

Bugcrowd University videos & Github repository by Bugcrowd

Many of us have been waiting for the release of Bugcrowd University, since it was first announced during Level Up 0x02.

It currently includes links to previous LevelUp talks and beginner modules with videos, slides and lab guides. If you’re a seasoned bug hunter, still keep a look at it because a few more advanced modules are also planned.

4. Tutorial of the week #

Practical Web Cache Poisoning by James Kettle (@albinowax) https://hackxor.net/mission?id=8

James Kettle published this blog post following his Black Hat talk on “How to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.”.

I haven’t finished reading and digesting everything but it is a must for bug hunters. The techniques presented have already been added as new features to Burp Suite 1.7.37.

Also, you can test your knowledge on Web cache poisoning by trying Jame’s challenge.

5. Non technical item of the week #

This is how i fixed my chronic lower back pain by Aditya Agrawal (@exploitprotocol)

If you’re on this blog, it probably means that you’re into infosec and spend a great deal of time sitting on a desk in front of your computer.
I prefer working from bed or a sofa, but it still means sitting 8 to 10 hours every single day! I’ve had crippling knee issues for years and needed orthopedic soles to avoid pain but did not link it to having weak hips and knees from sitting all the time.

I’ve only recently arrived to the same conclusion as Aditya: Incorporating simple consistent habits into my daily routine is key to maintaining a healthy body (especially since I work from home).
It’s inspiring to read how he was able to fix his lower back pain. I plan on trying some of his advice starting with the Strechtly app.

Other amazing things we stumbled upon this week #

Stuff to watch/listen to #

Videos #

• LIVE from Las Vegas: Frans Rosen - How to Win Over Security Teams and Gain Influence as a Hacker by HackerOne
• HACKING BACK - An eye for an eye? by SecJuice
• Haxcellent Adventures [Career] - Carving an Attack Plan to improve security skills
• Maximizing Burp by HackerOne

Podcasts #

• Humans of InfoSec: Ep 12 Georgia Weidman: Writing books, riding horses, and starting companies

Conferences (Slides only) #

• Breaking Parser Logic! - Take Your Path Normalization Off and Pop 0days Out & Case study by Orange Tsai
• Playback: A TLS 1.3 story

Tutorials #

Medium to advanced #

• Capturing NetNTLM Hashes with Office [DOT] XML Documents
• From LFI to SQL Database Backup
• Blind XPath Injection - Approach for Unknown Data Sets
• Bypassing Next Gen AV During a Pentest
• Introducing Burp Extractor
• The Beginning of the End of WPA-2 — Cracking WPA-2 Just Got a Whole Lot Easier
• New attack on WPA/WPA2 using PMKID

Beginners corner #

• Bypassing Web Application Firewalls for Cross-Site-Scripting
• How to Hack WebSockets and Socket.io
• Cracking WPA1/2/Enterprise with HCXTools
• Routed SQL Injection
• How I made a fake access point to harvest login credentials?
• Trello vs the Google Dork
• From LFI to SQL Database Backup
• AWS: Assuming Access Key Compromise

Writeups #

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception)
• The .io Error – Taking Control of All .io Domains With a Targeted Registration
• My first XML External Entity (XXE) attack with .gpx file
• FakesApp: A Vulnerability in WhatsApp

Tools #

If you don’t have time #

• Mykali: Copycat Kali, with mykali for Kali Linux
• Replicator (Burp extension): helps developers to reproduce issues discovered by pen testers

More tools, if you have time #

• WhatsApp Protocol Decryption Burp Tool
• Sanitiz3r: A python script that filters, checks the validity, generates clickable link(s) of subdomain(s), and reports their status
• PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
• The PenTesters Framework (PTF): A way for modular support for up-to-date tools
• WordPress Exploit Framework: A Ruby framework designed to aid in the penetration testing of WordPress systems

Blog posts #

• Bug hunting, for fun and profit. My slightly but not so technical how to guide for anyone.
• Introducing BountyMachine
• An Introduction To Open Source Intelligence (OSINT) Gathering
• The Sequel of HTTP Headers - Advanced Security Capabilities
• With Pain comes Sufferance and you get Humble

Misc. pentest & bug bounty resources #

• wiki.exploitpedia.org
• BountyGraph: Crowdfunded Bug Bounties and Security Audits
• Web Application Penetration Testing Course URLs.docx
• Pure bash bible: A collection of pure bash alternatives to external processes
• IoT Pentesting 101 && IoT security 101

Challenges #

• Bodhi: Client-side Vulnerability Playground
• https://www.sourcing.games/

• Login Bypass Challenge – Cassandra

Non technical #

• India - A Hackers Perspective
• The Six Lessons That I Learned Landing My First Cybersecurity Job
• Looking up IT job salary information
• Temporarily Offline
• Bug Reporting for Bug Bounties

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/03/2018 to 08/10/2018

Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…