Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 26 of October to 02 of November.

OMG, this is a spooky one! The story of a whitehat hacker (maybe) wrongfully convicted, CIA agents killed because of Google dorking, researchers theorizing about human memory hacking… Plus the quantity of items listed this time!

There was so many good things shared that I could hardly choose, so this newsletter is even longer than usual. But of course, you don’t have to consume everything if you’re short on time. Just start with what interests you more, as many different topics are covered.

Enjoy and you can share feedback, suggestions, questions, likes… whatever you feel like.

Our favorite 5 hacking items #

1. Tutorial of the week #

How to perform the static analysis of website source code with the browser — the beginner’s bug bounty hunters guide

If you can only check one item from this newsletter, this is it! Reading and analyzing HTML & JavaScript code when testing web applications is a must. But it can be difficult for non-developers, especially because the best bugs are generally found manually.

This guide explains everything: the tools you need, what to look for and where, how to use a JS debugger, etc.

So if you’ve been wondering how to get better at bug bounties, drop everything and read this.

2. Video of the week #

HOW FRCKN’ HARD IS IT TO UNDERSTAND A URL?! - uXSS CVE-2018-6128

This is an amazing explanation of uXSS and how URLs work. Here are my takeaways, but I highly encourage you to still watch the video because it has many more interesting details:

• If a browser fails to enforce the Same Origin Policy (SOP), any malicious site can steal data from any other site you log into
• uXSS is an XSS due to a browser weakness, which bypasses the SOP
• Example of uXSS in Chrome on iOS
  • Run this code on your site https://web-safety.net/: javascript code " history.replaceState('','','..;@www.google.com:%3443/')
  • The url will be replaced with https://web-safety.net/..;@www.google.com:%3443/
  • This fools the browser into thinking you’re on www.google.com, due to an error in URL parsing
  • So you can run JavaScript on your site and the browser will think you’re on www.google.com, bypassing the SOP
  • $7,500 bounty paid by Google even if it’s an Apple bug!

3. Writeup of the week #

2FA bypass on HackerOne

It wasn’t easy to select a single writeup this week. Many are impressive either for the technique and/or the bounty. You’ll find them all listed below.

As THE writeup of the week, I chose this one because it shows that the most dangerous/ impressive bugs are not always the most complicated. Sometimes, some observation and thinking are enough (and pay well, $10,000 exactly). But maybe THIS is the difficulty…

Anyway, it’s a 2FA bypass: The “Submit Report” button requires 2FA. But a URL mentioned in the program’s policy page didn’t. That’s it!

4. Challenge of the week #

Typhoon Vulnerable VM & Practical White hat hacker training material

This is an intentionally vulnerable VM to train for many types of tests: network and web app security testing, password cracking, privilege escalation attacks, post exploitation, information gathering and DNS attacks.

There are already dozens of such VMs out there, but what distinguishes this one is the accompanying training material. It’s very good especially for those learning the ropes of penetration testing.

5. Resource of the week #

Weakpass

Password brute forcing is one of my weaknesses. I never seem to have the right password list whether on real engagements or CTFs!

So I was glad to find this site. It compiles many password lists from different sources: for different languages, with different sizes, real passwords from data breaches, passwords based on dates or names…. To be used for cracking passwords, hashes, WPA2 connections, etc.

Other amazing things we stumbled upon this week #

Videos #

• Hacker101 - SSRF
• The 2 Most Common & Impactful Vulnerabilities a Pen Tester Comes Across

Podcasts #

• SecTools E09 with Tanya Janca
• Podcast Episode 118: White Hat Eye on the Gaming Guy
• Darknet Diaries Ep 25: Alberto

Conference slides #

• Prototype pollution attack

Tutorials #

Medium to advanced #

• Using Google Analytics for data extraction
• Improper CSRF token handling leads to site-wide CSRF issue, chained with clickjacking = woot! Multiple sites vulnerable
• Red Team Tales 0x02: from SQLi to Domain Admin
• Sleepy Puppy Extension for Burp Suite
• SSL Pinning bypass on Android Emulator
• Active Directory Penetration Dojo- Creation of Forest Trust: Part 3
• (Re)Evaluating Qubes OS as a pentesting platform
• SMB Named Pipe Pivoting in Meterpreter
• Hacking with Git: Git-Shell Proof of Concept
• Attacking Google Authenticator

Beginners corner #

• Domain hacks with unusual Unicode characters
• (More) Common Security Mistakes when Developing Swift Apps – Part II
• Comprehensive Guide on MSFPC
• Java Deserialization — From Discovery to Reverse Shell on Limited Environments
• Comprehensive Guide on SearchSploit
• Social Engineering: How To Set Up Phishing Attacks
• Masscan as a lesson in TCP/IP
• Network Forensics: Wireshark Basics, Part 2

Writeups #

Pentest & Responsible disclosure writeups #

• Old School Pwning with New School Tricks :: Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability
• Zero-day RCE via XXE & SSRF on NetGear Stora, SeaGate Home, and Medion LifeCloud NAS
• Over a Dozen Vulnerabilities Discovered in ASUSTOR AS-602T

Bug bounty writeups #

• Imagemagick GIF coder vulnerability leads to memory disclosure (Hackerone)
• Stored DOM XSS & cache poisoning on catalog.data.gov
• Finding hidden gems vol. 3: quick win with .sh file
• It’s all in the detail: Email leak & Account takeover thanks to WayBackMachine & extensive knowledge about the program
• [Open Redirect] When your PoC doesn’t work because of the server load balancers

See more writeups on The list of bug bounty writeups.

Tools #

If you don’t have time #

• Aquatone in Go & What’s changed: A tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface
• New dark theme on Burp Pro

More tools, if you have time #

• Swurg: a Burp Suite extension designed for OpenAPI testing
• JNDIAT (JNDI Attacking Tool): an open source penetration testing tool that tests the security of Weblogic servers through T3 protocol
• S3-Downloader: AWS3 downloader, to download the contents of a bucket with recursion
• h1domains: HackerOne “in scope” domains for all your fuzzing needs
• fuxploider: File upload vulnerability scanner and exploitation tool
• cracke-dit & Effortless Password Audits: Makes it easier to perform regular password audits against Active Directory environments
• Dribble & Project Dribble: hacking Wi-Fi with cached JavaScript: A small project for stealing Wi-Fi passwords via browser’s cache poisoning
• Jok3r: Network and Web Pentest Framework
• Killshot: A Penetration Testing Framework, Information gathering tool & Website Vulnerability Scanner

Misc. pentest & bug bounty resources #

• Best payloads from XSS Polyglot Challengev2 added to Seclists
• Command Injection Payload List
• OSCP-Survival-Guide
• Awesome Node.js Security resources
• VPN Extensions are not for privacy
• Some Useful & Interesting PowerShell Scripts for intranet and domain infiltration
• Windows oneliners to download remote payload and execute arbitrary code
• Offsec Discord channel

Hey offsec students,

I created a discord server for us to exchange information and learn from each others. Please join us > https://t.co/UVU48JCO1V ; for OSCP, OSCE, OSEE, and OSWE#offsec #oscp #osce #infosec pic.twitter.com/yt0UYuEogi

— ؜ (@xxByte) October 27, 2018

Challenges #

• ISO to play with CVE-2018-10933, the recent LibSSH auth bypass
• Hack The Admin Panel Challenge

News #

• This is how hackers can take down our critical energy systems through the Internet (Using passive information gathering tools like Shodan)
• The CIA’s communications suffered a catastrophic compromise. It started in Iran. (Or how CIA agents were compromised using only Google dorking…)

Non technical #

• What To Do When You’re Stuck Hacking
• Hackers attacking your memories: science fiction or future threat?
• The hackers getting paid to keep the internet safe
• Things that security auditors nag about, part 5: No security requirements
• Of Failure and Success
• Q&A: What Is It Like to Be a Mobile Security Researcher?

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/26/2018 to 11/02/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…