
The 5 Hacking NewsLetter 16

Posted in Newsletter on August 19, 2018


Hey hackers! These are our favorite resources shared last week by hackers, pentesters, bug hunters and red teamers.

This issue covers the week from 10 to 17 August.

Our favorite 5 hacking items

1. Tips/Video of the week

Burp Hacks for Bounty Hunters by James Kettle (@albinowax)

These are advanced Burp hacks by James Kettle of PortSwigger Web Security. His day job is to design vulnerability detection techniques for Burp Suite, so when he shares tips on how to maximize your Burp ROI, he knows his stuff!

The talk is addressed to bug hunters, but the tips also apply to pentesters. I’ve been using Burp pro for years and wasn’t aware of many of these hacks.

2. Tutorial of the week

@EdOverflow’s Guide To Subdomain Takeovers by EdOverflow

This is a great introduction to subdomain takeovers for bug hunters: what they are, the difference with second-order subdomain takeovers, the methodology and tools to detect them, multiple exploitation scenarios, etc.
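The detection part of that methodology boils down to one question per subdomain: does its CNAME chain end at a name that no longer resolves, and if so, is the target on a provider where anyone can register that name? Here is an added example of that triage step (my code, not from EdOverflow's guide), with a constructed DNS table and a hypothetical provider list so it runs offline; swap `fake_resolve` for a real lookup to use it on a scope.

```python
"""Dangling-CNAME triage for subdomain takeover hunting (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data for the example: name -> (rrtype, rdata). Names absent
# from the table are treated as NXDOMAIN.
FAKE_DNS: Dict[str, Tuple[str, str]] = {
    "www.target.test": ("A", "203.0.113.10"),
    "blog.target.test": ("CNAME", "target-blog.ghost-host.test"),
    "target-blog.ghost-host.test": ("A", "203.0.113.20"),
    "old.target.test": ("CNAME", "retired-app.cloud-provider.test"),
    # retired-app.cloud-provider.test is deliberately missing: NXDOMAIN
    "shop.target.test": ("CNAME", "shop-tenant.shop-platform.test"),
    "shop-tenant.shop-platform.test": ("A", "203.0.113.30"),
}

# Hypothetical list of providers where an unclaimed tenant hostname can be
# registered by any account (the real list lives in the takeover tooling).
CLAIMABLE_PROVIDERS = {"cloud-provider.test", "shop-platform.test"}

Resolver = Callable[[str], Optional[Tuple[str, str]]]


def fake_resolve(name: str) -> Optional[Tuple[str, str]]:
    """Stand-in for a DNS query; returns None for NXDOMAIN."""
    return FAKE_DNS.get(name.lower().rstrip("."))


def follow_cname(name: str, resolve: Resolver, max_hops: int = 8):
    """Walk the CNAME chain starting at `name`.
    Returns (chain, terminal) where terminal is the first non-CNAME record,
    or None if the chain ends in NXDOMAIN (a dangling CNAME)."""
    chain: List[str] = [name]
    for _ in range(max_hops):
        rec = resolve(chain[-1])
        if rec is None:
            return chain, None
        rrtype, rdata = rec
        if rrtype != "CNAME":
            return chain, rec
        chain.append(rdata)
    raise ValueError("CNAME loop or chain too long: " + " -> ".join(chain))


def provider_of(hostname: str) -> str:
    """Registrable part of a hostname; good enough for the constructed data
    (a real tool should use the public suffix list here)."""
    return ".".join(hostname.split(".")[-2:])


def classify(name: str, resolve: Resolver = fake_resolve) -> str:
    chain, terminal = follow_cname(name, resolve)
    if len(chain) == 1:
        return "no-cname"  # A/AAAA only: not a CNAME takeover candidate
    if terminal is None:
        if provider_of(chain[-1]) in CLAIMABLE_PROVIDERS:
            return "takeover-candidate"  # dangling, and the name can be claimed
        return "dangling"  # dangling, but no known way to claim it: check by hand
    return "ok"


def triage(names: List[str], resolve: Resolver = fake_resolve) -> Dict[str, str]:
    return {n: classify(n, resolve) for n in names}


if __name__ == "__main__":
    for host, verdict in triage(sorted(FAKE_DNS)).items():
        print(f"{host:32} {verdict}")
```

This only covers the DNS layer. A CNAME that still resolves can be takeable too, when the provider answers for any hostname but serves a "no such tenant" page; that is what the HTTP fingerprinting in the tools the guide lists is for, and a "dangling" verdict here is a prompt to look, not a finding.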

3. Writeup of the week

How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System

This is a writeup of a bug found on Amazon. It is a real life example of the vulnerability presented at Black Hat USA 2018: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out.

Here are my main takeaways:

  • Vuln 1: When Nuxeo is used with Tomcat, it is possible to bypass authentication by requesting /nuxeo/login.jsp;/..;/[unauthorized_area], which Tomcat dispatches as /nuxeo/[unauthorized_area] once it strips the ;-path parameters and resolves the "..", while the authentication filter still sees a request for login.jsp. But you get a 500 error
  • Vuln 2: It is possible to reach unauthorized Seam servlets by using http://host/whatever.xhtml?actionMethod=/foo.xhtml:user.username (where user.username is the Expression Language (EL) you want to execute)
  • Vuln 3: By chaining two ELs, it is possible to execute an arbitrary EL (the second one) if you can control the value returned by the first one
  • Vuln 4: It is possible to bypass Seam’s EL blacklist by changing "".getClass().forName("java.lang.Runtime") to ""["class"].forName("java.lang.Runtime")
  • By combining these 4 vulnerabilities, it is possible to inject an arbitrary EL expression (evaluated by JBoss EL) and get RCE
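Two of the four bugs are parser differentials, and they are easy to reproduce outside Nuxeo. The added example below (my code, not from the writeup or from Nuxeo/Seam) simulates them: a path normalizer that behaves like Tomcat's handling of ;-path parameters and "..", next to a hypothetical allowlist filter that decides on the raw URI, and a hypothetical regex blacklist of the `.getClass(` / `.class` kind next to the canonicalization that would have caught the bracket form. The allowlist, the blacklist regex and the page names are assumptions made for the example, not Nuxeo's or Seam's real code.

```python
"""Two parser differentials from the chain above, simulated (added example)."""
import re

# --- Vuln 1: the auth filter and Tomcat disagree about which resource is requested ---

def tomcat_normalize(raw_path: str) -> str:
    """Approximate how Tomcat maps a request path to a servlet path: the
    ';...' path-parameter suffix is dropped from every segment, then '.' and
    '..' segments are resolved."""
    out = []
    for seg in raw_path.split("/"):
        seg = seg.split(";", 1)[0]  # 'login.jsp;' -> 'login.jsp', '..;' -> '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


# Hypothetical allowlist of pages served without a session (assumption, not Nuxeo's list).
PUBLIC_PAGES = {"/nuxeo/login.jsp", "/nuxeo/nxstartup.faces"}


def naive_filter_allows(raw_path: str) -> bool:
    """Vulnerable: prefix-matches the RAW request URI, as the writeup describes."""
    return any(raw_path.startswith(p) for p in PUBLIC_PAGES)


def hardened_filter_allows(raw_path: str) -> bool:
    """Fixed: decide on the same normalized path the container will dispatch on."""
    return tomcat_normalize(raw_path) in PUBLIC_PAGES


# --- Vuln 4: a blacklist keyed on '.getClass(' / '.class' misses the bracket form ---

# Hypothetical blacklist for the example, not Seam's actual one.
EL_BLACKLIST = re.compile(r"\.getClass\s*\(|\.class\b")


def blacklist_rejects(expr: str) -> bool:
    """Vulnerable: pattern-matches the expression text as written."""
    return EL_BLACKLIST.search(expr) is not None


# In EL, obj["class"] and obj.class are the same property access (both end up
# calling getClass()), so canonicalize bracket access to dot access before matching.
_BRACKET = re.compile(r"""\[\s*(['"])([A-Za-z_$][\w$]*)\1\s*\]""")


def canonicalize_el(expr: str) -> str:
    prev = None
    while prev != expr:  # repeat for nested forms such as a["b"]["c"]
        prev, expr = expr, _BRACKET.sub(r".\2", expr)
    return expr


def hardened_blacklist_rejects(expr: str) -> bool:
    return blacklist_rejects(canonicalize_el(expr))


if __name__ == "__main__":
    bypass = "/nuxeo/login.jsp;/..;/admin"
    print(bypass, "->", tomcat_normalize(bypass),
          "| naive filter allows:", naive_filter_allows(bypass),
          "| hardened filter allows:", hardened_filter_allows(bypass))
    for payload in ('"".getClass().forName("java.lang.Runtime")',
                    '""["class"].forName("java.lang.Runtime")'):
        print(payload, "| blacklist rejects:", blacklist_rejects(payload),
              "| hardened rejects:", hardened_blacklist_rejects(payload))
```

Canonicalizing the accessor closes this particular gap, but it is still a blacklist on a language with several ways to spell the same access; the durable fix is to stop evaluating attacker-controlled EL at all, or to allow only a fixed set of expressions.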

4. Conference of the week

BSides Manchester 2018, especially:

It’s been a while since conference videos pertaining to pentest/bug bounty/red team were released. So it was refreshing to watch some of these talks (instead of just reading slides). Some are very technical and advanced, and others are not technical but are still informative. So there should be something for everyone here.

5. Non technical item of the week

Defcon 26 Music Album

This is not the kind of music I usually listen to. For hacking/work, I listen exclusively to electro music like Kygo, Avicii or the underrated Vexento.

But I always enjoy discovering new tracks through Defcon music albums. I think they’re great if you’re looking for “hacker music” that is not too hardcore.

Other amazing things we stumbled upon this week

Stuff to watch/listen to

Videos

Podcasts

Conferences

Slides only

* To find slides for other talks, just search for site:https://i.blackhat.com/us-18 in Google

Tutorials

Writeups

Tools

If you don’t have time

  • Massh-enum: OpenSSH 7.x Mass Username Enumeration
  • EndPoint-Finder: Finds the End-Points in JavaScript files
  • param-miner: Burp extension to identify hidden, unlinked parameters (useful for finding web cache poisoning vulnerabilities)

More tools, if you have time

  • Singularity of Origin: A DNS Rebinding Attack Framework
  • ScanCannon: Combines the speed of masscan with the reliability and detailed enumeration of nmap
  • Gopherus: Generates gopher link for exploiting SSRF and gaining RCE in various servers & Detailed description
  • No-Script Automation Tool: Designed to solve the complexity and management issues of scripting multiple tools, batch files, or other scripting languages on Windows systems
  • Sippts: Set of tools to audit SIP based VoIP Systems
  • RidRelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv
  • hideNsneak: A CLI for ephemeral penetration testing

Misc. pentest & bug bounty resources

Challenges

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/10/2018 to 08/17/2018


Have a nice weekend folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…
