Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 14 to 21 of December.

Our favorite 5 hacking items #

1. Conference of the week #

KringleCon 2018

Kringle con, Kringle con, Kringle all the way… Oh what fun it is to watch hacking conference talks!
Hum, sorry for the little “Jingle bells” song hijacking, I couldn’t help it!

More seriously, this is a great set of talks for penetration testers. They’re rather short (approximately between 6 and 25 minutes), but are all interesting and cover many different topics: Kubernetes security, web app security (relevant for bug hunters), malwares, forensics, social engineering, and even community building (non technical talk).

If you haven’t already watched them, it could be fun to do a KringleCon marathon. Bring the popcorn!

2. Writeup of the week #

Reading ASP secrets for $17,000

This is a great finding with a $17,000 bounty, but also a very well-written writeup. I highly recommend it to learn more on hacking ASP.NET apps, LFD bugs, and how to bypass path traversal filters.

Here’s my favorite takeaway: Let’s say you’re testing for path traversal on /utility/download.aspx?f=download.aspx where download.aspx is a file that exists and you can read, and .. is forbidden.

To bypass the filter, launch a Burp intruder attack on /utility/download.aspx?f=.[fuzz]./utility/download.aspx. Is there any characters combination which allows you to read download.aspx, meaning that it is equivalent to ../utility/download.aspx but without ..?

If yes, it means that that payload allowed you to successfully traverse between directories. In this writeup, it was .+. which did the trick.

3. Resource of the week #

Cross-Site Request Forgery Cheat Sheet

This is a very cool and concise cheat sheet for CSRF testing. It’s a flowchart to help determine if an app is vulnerable or not, and how best to create a proof of concept.

It may be helpful whether you are struggling to understand CSRF attacks or as a reminder/checklist even if you’re already a CSRF master.

4. Tool of the week #

pyHAWK

This is a simple Python script to use for post-exploitation. It searches any given directory for interesting files that have specific extensions or names.

It’s not groundbreaking but it can be a nice addition to your arsenal. If you have a foothold on a server, you can use it to quick detect database files, files with passwords, configuration files, etc.

5. Tutorial of the week #

Hidden directories and files as a source of sensitive information about web application & Dictionaries

This is a great article which reminds me of the Small Files And Big Bounties, Exploiting Sensitive Files (LevelUp 0x02 / 2018) talk. It complements it perfectly as it presents additional types of hidden sensitive files and directories: IDE, SVN, NodeJS/JavaScript, Gitlab and Ruby on Rails files.

@Bl4de also shares the custom made dictionary of ~80k entries that he uses to find these files. So check out the article as well as the dictionary, there might be something useful to add to your methodology.

Other amazing things we stumbled upon this week #

Videos #

• Hacker Interviews: Ariel (@arl_rose)
• The secret world of teenagers hacking Fortnite
• Upcoming webinar series on post exploitation
• Sven Morgenroth Talks About PHP Object Injection Vulnerabilities on Paul’s Security Weekly Podcast
• Cross-Site Scripting Attacks (XSS) - Secure Digital Life #93 & notes
• What The Heck Are “Security Basics”? - Paul’s Security Weekly #587 & notes

Podcasts #

• PODCAST: BHIS Sorta Top Used Tools of 2018 & Webcast
• The NULLCON Podcast - Episode 3: Aadhaar, The State of Security & Privacy in 2018

Conferences #

• Zero Nights 2018
• OWASP Session - Women in Cybersecurity CTF: Web App Pentesting Training

Tutorials #

Medium to advanced #

• Subdomain Takeover: Second Order Bugs

• A Container Hacker’s Guide to Living Off of the Land

• iOS Pentesting Tools Part 3: Frida and Objection

• Epic Holiday Cookie Baking & AnomalousCookie: Auto fuzz cookies to detect weaknesses (leading to additional vulnerabilities) and create screenshots

Beginners corner #

• How to make Kali bearable to look at..
• Gathering Usernames from LinkedIn using Burp Suite Pro
• Multiple Ways To Exploiting HTTP Authentication

Writeups #

Challenge writeups #

• Detailed writeup of both one line php and Return of one line php

Pentest & Responsible disclosure writeups #

• Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
• CVE-2018-20157 XXE vulnerability in OpenRefine
• PHP code injection on Discuz (CVE-2018-14729) & https://paper.seebug.org/763/
• Multiple vulnerabilities in AspNetSaml
• Übersicht Remote Code Execution, Spotify takeover: on the security implications of locally hosted web services
• XSS in Ghost
• [PoC Video] jQuery-File-Upload: A tale of three vulnerabilities
• Rsunk your Battleship: An Ocean of Data Exposed through Rsync & RSync the old is still new…
• Jigsaw’s Outline VPN pentest report by @cure53berlin
• Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

Bug bounty writeups #

• Authentication Bypass on Asus
• Subdomain Takeover on private program
• Denial of service via cache poisoning on HackerOne ($2,500)
• Stored XSS on Kaspersky Lab ($2,000)
• Mixed content on FanDuel ($100)
• Exploiting access to Apache Jserv (port 8009) on private program
• Authorization flaw & Privilege escalation on private program

See more writeups on The list of bug bounty writeups.

Tools #

• urlscan.io: Search for domains, IPs, filenames, hashes, ASNs
• Burp-paramalyzer: Burp extension for parameter analysis of large-scale web application penetration tests
• Androlyzer & demo: Scan the code of mobile APPS for recon
• SqliRegex: Sqli Error regex taken from Sqlmap. Use with Burp or ZAP to detect SQL injection errors in responses.
• W3brute: Automatic Web Application Brute Force Attack Tool
• XSRFProbe: The Prime Cross Site Request Forgery Audit and Exploitation Toolkit
• retrieve-osxhash.py

Ever end up on an OSX box during a pentest and realize there's no /etc/shadow? I wrote a script to extract the hash and put it into a format you can crack with @hashcat. Nothing fancy, but I've been getting mileage out of it. Enjoy! https://t.co/Iqj9WoRtx8 pic.twitter.com/UVLEEMPxWW

— Jayme (@highmeh) December 18, 2018

Misc. pentest & bug bounty resources #

• Big List of Naughty Strings: A list of strings which have a high probability of causing issues when used as user-input data
• A black-box methodology for attacking business logic vulnerabilities in web applications
• Shodan Quick Start Reference
• Humble Book Bundle: Hacking for the Holidays by No Starch Press
• Understanding open ports in Android applications: discovery, diagnosis, and security assessment
• Entersoft Vulnerabilities Knowledge Base
• Crypto101: Free introductory course on cryptography
• Most Important Android Security Penetration Testing Tools for Hackers & Security Professionals
• Open Source Intelligence Tools and Resources Handbook
• APIsecurity.io Issue 11: Mutual TLS authentication in Golang open to DoS, XSS in Google Code-in

Articles #

• The Difference Between a Penetration Test and a Red Team Engagement

• Your trust, our signature

• Stop Active Directory Reconnaissance for sensitive infrastructure, once in for all.

• Beware of Deserialisation in .NET Methods and Classes + Code Execution via Paste!

• My Experience with Google Bug Bounty (Thanks for the shoutout @GraphX!)

• A New Kind of Web Application Penetration Test

• Social Engineering – Impersonation made easy

• Top Ecommerce Bugs and What They Mean

• 9 biggest web security news of 2018

• Cyber Security Stories From 2018 You Should Know About

• Everything you should know about certificates and PKI but are too afraid to ask

• scip Cybersecurity Forecast: Predictions for 2019

Challenges #

• OWASP Mutillidae II: 2.7.0 (new command injection, XSS & LDAP injection challenges)
• HackCenter: Private challenge platforms (Free)

News #

• Someone is trying to take entire countries offline and cybersecurity experts say ‘it’s a matter of time because it’s really easy’
• Indian government to intercept, monitor, and decrypt citizens’ computers

The Indian government has authorized 10 central agencies to intercept, monitor, and decrypt data on any computer… Failure to comply with the agencies could result in seven years of imprisonment and an unspecified fine.

• How 3ve’s BGP hijackers eluded the Internet—and made $29M
• State-backed hackers switch to inferior tactics to avoid being fingered for attacks
• Bug Bytes for December 21: Nation State Attacks, Cybersecurity Legislation and Bug Bounty News

Hackers working on behalf of China’s Ministry of State Security had breached the networks of several large tech companies, then used the access to hack into their clients’ computers. A breach at NASA… included the personal data of current and former employees. “Like the OPM, Anthem, Dulles and Marriott breaches, the incident at NASA is just another in a long string of attacks targeting US officials… the data stolen in the breaches haven’t been correlated to any type of identity theft, suggesting that nation state actors have other plans.”

• US ballistic missile systems have very poor cyber-security: DOD reports finds no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities in the US’ ballistic missile system

• Twitter Discloses Suspected State-Sponsored Attack After Minor Data Breach: Twitter revealed that while investigating a vulnerability affecting one of its support forms (used by account holders to contact Twitter about issues with their account), they discovered evidence of the bug being misused to access and steal users’ exposed information. The data exposed includes the country code of users’ phone numbers associated with their Twitter account, and whether or not their account had been locked.

I had made Twitter aware of a security vulnerability on @Hacker0x01 which lead to disclosure of mobile number country codes of all types of users almost 2 years back but it wasn't well received and the report was closed as informative. pic.twitter.com/TzmQzxjH15

— Fawaz (@zk34911) December 18, 2018

• Facebook’s terrible year just got worse: What you need to know

Non technical #

• The budget breakdown of a 25-year-old who makes $100,000 a year and is excellent with money
• Hacker Q&A: Sam Eizad
• Hacker Spotlight: Ambassador Jesse Kinser
• Hacker Spotlight – Sam “zlz” Curry
• Those Small Things That Matter When Working Remote
• GDPR vs. CCPA: Which goes further to protect personal data?
• The Year Ahead: Cybersecurity Trends To Look Out for In 2019
• You’re Not the Customer
• Why are some vulnerabilities disclosed responsibly while others are not?
• From The Boardroom To The Scrum: Security Makes It Full Circle In 2018

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/14/2018 to 12/21/2018

Have a nice week folks!

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…