Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 30 of November to 07 of December.

Our favorite 5 hacking items #

1. Conference of the week #

BSides Lisbon 2018, especially:

• Keynote - How To Build Your Own Infosec Company
• Keynote - The Infosec Survival Field Guide
• OAuth2: Beyond The Specs

If you’re a professional pentester or looking for a pentesting job, then you should really watch the talk “How To Build Your Own Infosec Company”. It tackles a lot of topics: the advantages of small vs big pentesting companies, how to grow your own name and find your first client, how to organize your work and emails, plus many other tips.

2. Writeup of the week #

RCE in Hubspot with EL injection in HubL

This is a great writeup to learn about server-side template injection in HubL.
It’s written like a tutorial, with details on how to go from detection (entering {{7*7}} and getting ‘49’ displayed back) to information gathering and full remote code execution.

3. Challenges of the week #

Hackerone challenges on HackEDU

Hackerone and HackEDU teamed up to offer the community 5 hacking challenges (“hackboxes”). These are great because they mirror real bugs found by Hackerone bug hunters and disclosed on Hacktivity, and they’re free.

The bugs and reports are listed on this blog post: Test your hacking skills on real-world simulated bugs.

4. Non technical item of the week #

The Paradox of Choice: Learning new skills in InfoSec without getting overwhelmed

As pentesters / bug hunters, we’ve all asked ourselves at some point: Where do I start? How do I become good at this? Or… How do I master it?

These are questions that Azeria already tried to answer in a previous talk and is now digging deeper in this new mini-series.

I strongly recommend reading both no matter where you are on the pentest / bug hunting mastery spectrum. Trying the strategy presented might help you deal better with the information overload that we all face in this field.

5. Article of the week #

Blind XSS AngularJS Payloads

This is a good resource for digging deeper into Blind XSS vulnerabilities. It doesn’t explain the basics, but includes a polyglot, a list of payloads and links about AngularJS Blind XSS in particular.

This is specific enough to maybe help you (and me) find less trivial XSS bugs.

Other amazing things we stumbled upon this week #

Videos #

• Hacker101- Source Review
• Hacker Interviews: Sean Melia (@Meals)
• OWASP DevSlop E06 - How to Hack Your Own Apps

Podcasts #

• The Extremely Unabridged History of SQLi and XSS(S04E19)
• 7MS #339: A Pulse-Pounding Impromptu Physical Pentest

Conferences #

• WEBCAST: Raising Hacker Kids / Podcast
• 10 Proven Security Awareness Tips to Implement Now - Webinar / Podcast

Slides only #

• Web Vulnerabilities And The People Who Love Them
• Serverless Security Workshop
• Testing python security PyCon IE & Github repository
• Where 2 worlds collide: Bringing Mimikatz et al to UNIX
• When everyone’s dog is named Fluffy: Abusing the brand-new security questions in Windows 10 to gain domain-wide persistence & Introductory article

Tutorials #

Medium to advanced #

• From CSRF to Unauthorized Remote Admin Access
• iOS Bug Hunting – Web View XSS
• RCE in PHP or how to bypass disable_functions in PHP installations
• Penetration testing & window.opener — XSS vectors part 1
• Analysing and Exploiting Kubernetes APIServer Vulnerability- CVE-2018–1002105
• Tabnabbing Protection Bypass
• Bypass of Disabled System Functions

Beginners corner #

• Bash: How to use in Linux Command Injection
• Web Services Security Testing
• Session Fixation Attack

Writeups #

Pentest & Responsible disclosure writeups #

• Pwning JBoss Seam 2 like a boss
• A small bug in the Election portal !!!
• How To Upload Any File To Amazon’s Free Unlimited Photo Storage Space

Bug bounty writeups #

• Improper access control flaw on Liberapay
• CSRF on Discourse ($512)
• Insufficient Session Expiration on Hackerone ($500)
• Information disclosure on Hackerone ($500)
• Billion Laugh Attack in https://sites.google.com ($500)
• GitHub Desktop RCE (OSX)
• [BBP系列三] Hijack the JS File of Uber’s Website ($6,000)

Other writeups #

• Here is how the entire #pewdiepie printer hack went down
• Exploiting Developer Infrastructure Is Ridiculously Easy
• Implementation of the OWASP Mobile TOP 10 methodology for testing Android applications

See more writeups on The list of bug bounty writeups.

Tools #

If you don’t have time #

• Scan Check Builder: BurpBounty made available on BApp store. Burp Suite extension to improve the active & passive scanner by means of personalized rules (requires Burp Suite Pro)
• Scavenger: A multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as “interesting” files containing sensitive information

More tools, if you have time #

• S2_Jasper_RCE.jrxml: JasperReports Remote Code Execution with a single .JRXML file (useful if JARs are not allowed)
• The OWASP ZAP Heads Up Display (HUD) & Hacking with a Heads Up Display: New interface that provides the functionality of ZAP directly in the browser
• domainresolver: A bash based tool to test if the domains/subdomains on the given file resolves and then save the output
• Linikatz: A tool to attack AD on UNIX
• BruteX: Automatically brute force all services running on a target
• Hayat: Google Cloud Platform Auditing & Hardening Script
• PENTOL: Pentester Toolkit for Fiddler2

Misc. pentest & bug bounty resources #

• Named vulnerabilities and their practical impact
• KringleCon: Register for the free virtual conference if you haven’t already. It’s happenning soon!
• Pentest-guide: Penetration Test Guide based on the OWASP + Extra (Penetration tests cases, resources and guidelines)
• Introducing the NEW SANS Pen Test Poster - Pivots & Payloads Board Game

Challenges #

• Try Hack Me
  • Wireshark challenges
  • OWASP Juice Shop room on Try Hack Me
  • Basic pentesting challenges
• Pwn-School-WAPT-Kali.ova: VM built by @PhillipWylie for a web app pentesting workshop he gave at @BSidesDFW. It has 8 different vulnerable Dockerized apps on a Kali VM
• flAWS 2: Challenges focused on AWS specific issues (no buffer overflows, XSS, etc)
• Top Hacking Simulator Games Every Aspiring Hacker Should Play: Part 1

Articles #

• OPINION: It’s too late now to say sorry, Mark Zuckerberg.
• HTTPS in the real world
• Major sites running unauthenticated JavaScript on their payment pages
• What Moving To the Bay Area Taught Me About Loving My Pentesting Tools
• Securing Your Site like It’s 1999
• The Biggest Bugs in 2018 and What’s to Come
• Kubernetes being hijacked worldwide

News #

• Protecting Hackers (by default) with Disclose.io

Beginning today all Bugcrowd VDP or Bug Bounty programs will include Disclose.io messaging as the default policies within the program briefs

• iOS Fitness Apps Robbing Money From Apple Victims

• Warning! Unprivileged Linux Users With UID > INT_MAX Can Execute Any Command

A low-privileged user account on most Linux operating systems with UID value anything greater than 2147483647 can execute any systemctl command unauthorizedly

• Marriott Breach: What Makes it Unique & What to do Next

The personal information of 500 million guests stolen What makes this breach stand apart … is the data that was taken. Hotels collect more PII data than most enterprise organizations (birthdays, passport numbers, email and mailing addresses, and phone numbers)

Non technical #

• Dos and Don’ts About Presenting In Public
• Healthy Hacking with the Treadmill Elliptical Desk: My journey to staying healthy while hacking!
• Security@ 2018: Hackers Explain Why They Hack and How Orgs Benefit From What They Do
• The adventures of lab ED011—“Nobody would be able to duplicate what happened there”

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/30/2018 to 12/07/2018

Have a nice week folks!

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…