Hey hackers! These are our favorite resources shared last week by hackers, pentesters, bug hunters and red teamers.

This issue covers the week from 10 to 17 of August.

Our favorite 5 hacking items #

1. Tips/Video of the week #

Burp Hacks for Bounty Hunters by James Kettle (@albinowax)

These are advanced Burp hacks by James Kettle of PortSwigger Web Security. His day job is to design vulnerability detection techniques for Burp Suite, so when he shares tips on how to maximize your Burp ROI, he knows his stuff!

The talk is addressed to bug hunters, but the tips also apply to pentesters. I’ve been using Burp pro for years and wasn’t aware of many of these hacks.

2. Tutorial of the week #

@EdOverflow’s Guide To Subdomain Takeovers by EdOverflow

This is a great introduction to subdomain takeovers for bug hunters: what they are, the difference with second-order subdomain takeovers, the methodology and tools to detect them, multiple exploitation scenarios, etc.

3. Writeup of the week #

How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System

This is a writeup of a bug found on Amazon. It is a real life example of the vulnerability presented at Black Hat USA 2018: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out.

Here are my main takeways:

• Vuln 1: When Nuxeo is used with Tomcat, it is possible to bypass authentication by requesting /nuxeo/login.jsp;/..;/[unauthorized_area] (Equivalent of /nuxeo/[unauthorized_area]). But you get a 500 error
• Vuln 2: It is possible to access unauthorized Seam servlets by using http://host/whatever.xhtml?actionMethod=/foo.xhtml:user.username (where user.username is the Expression Language (EL) you wan to execute)
• Vuln 3: By chaining two ELs, it is possible to execute an arbitrary EL (the second one) if you can control the value returned by the first one
• Vuln 4: It is possible to bypass Seam’s EL blacklist by changing "".getClass().forName("java.lang.Runtime") to ""["class"].forName("java.lang.Runtime")
• By combining these 4 vulnerabilities, it is possible to inject shellcode (in JBoss EL) and get an RCE

4. Conference of the week #

BSides Manchester 2018, especially:

• Practical Web Cache Poisoning: Redefining ‘Unexploitable’ by James Kettle (BSidesMCR 2018)
• It’s A PHP Unserialization Vulnerability Jim, But Not As We Know It by Sam Thomas & Slides
• How CTF Mindset Will Hurt You As A Penetration Tester by Idan Ron
• Cracking The Perimeter: How Red Teams Penetrate by Dominic Chell
• Diversity In InfoSec (Not That Sort!) by Victoria Walberg
• Adventures In WAF by Michael Thompson
• Hospitals And Infosec: The Consequences of Bad Security in Health Care: by Jelena Milosevic
• Social Engineering Tales Of Pirate Queen: by Sharka

It’s been a while since conference videos pertaining to pentest/bug bounty/red team were released. So it was refreshing to watch some of these talks (instead of just reading slides). Some are very technical and advanced, and others are not technical but are still informative. So there should something for everyone here.

5. Non technical item of the week #

Defcon 26 Music Album

This is not the kind of music I usually listen to. For hacking/work, I listen exclusively to electro music like Kygo, Avicii or the underrated Vexento.

But I always enjoy discovering new tracks through Defcon music albums. I thing they’re great if you’re looking for “hacker music” that is not too hardcore.

Other amazing things we stumbled upon this week #

Stuff to watch/listen to #

Videos #

• HackerOne Hacker Interviews: @GeekBoy by HackerOne

Podcasts #

• InSecurity Podcast: Katie Moussouris Breaks Down Bug Bounty Programs
• Ep. 22, Amazing adventures of the RedactedFirm by The Many Hats Club

Conferences #

• PowerUpSQL - 2018 Blackhat USA Arsenal Presentation & slides

Slides only #

• Tangled World of Web Technology ― Are we safe?
• AppSec EU 2018
  • WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour
  • The Last XSS
  • Exploiting Unknown Browsers
  • FIESTA: an HTTPS side-channel party
• BSides SATX
  • A Journey Into a Red Team
• BSides LV
  • PACU The Open Source AWS Exploitation Framework & PACU repository
• DEF CON Media Server
  • Presentation slides & demos
    • Bug Bounty Hunting on Steroids
    • Playback: A TLS 1.3 Story
    • Edge Side Include Injection: Abusing Caching Servers Into SSRF and Transparent Sessin Hijacking & demos & initial blog post that led to this talk
    • All Your Family Secrets Belong to Us
  • Workshop slides
    • Lateral Movement 101
    • JWAT?? Attacking JSON Web Tokens
    • Finding Needles in Haystacks - An introductio to code review
    • Pentesting ICS 101 & workshop material
    • Where’s My Browser? Learn Hacking iOS and Android WebViews
    • Attacking Active Directory and Advanced Methods of Defense
• Black Hat USA 2018*
  • Practical Web Cache Poisoning: Redefining ‘Unexploitable’
  • It’s a PHP Unserialization Vulnerability Jim but Not as We Know It
  • Breaking Parser Logic: Take Your Path Normalization off and Pop 0days Out!

* To find slides for other talks, just search for site:https://i.blackhat.com/us-18 in Google

Tutorials #

• Remotely Enumerate Anti-Virus Configurations
• Trust no one: TrustKit SSL pinning bypass
• One new Burp Suite feature presented every day

Writeups #

• Discovering CVE-2018-11512 - wityCMS 0.6.1 Persistent XSS
• Sudo Date…Thanks For Read Access To Every Non-Binary File
• I thought I found a browser security bug
• OpenSSH Username Enumeration & Proof of Concept

Tools #

If you don’t have time #

• Massh-enum: OpenSSH 7.x Mass Username Enumeration
• EndPoint-Finder: Finds the End-Points in JavaScript files
• param-miner: Burp extension to identify hidden, unlinked parameters (useful for finding web cache poisoning vulnerabilities)

More tools, if you have time #

• Singularity of Origin: A DNS Rebinding Attack Framework
• ScanCannon: Combines the speed of masscan with the reliability and detailed enumeration of nmap
• Gopherus: Generates gopher link for exploiting SSRF and gaining RCE in various servers & Detailed description
• No-Script Automation Tool: Designed to solve complexity & management issues surrounding scripting multiple tools batch files or other scripting languages for Windows systems
• Sippts: Set of tools to audit SIP based VoIP Systems
• RidRelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv
• hideNsneak: A CLI for ephemeral penetration testing

Misc. pentest & bug bounty resources #

• https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017-voting-open
• [technical] Pen-testing resources
• http-state-tokens: Ideas for tightening HTTP state management

Challenges #

• http://tomnomnom.uk/iframe-me/

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/10/2018 to 08/17/2018

Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…