Sponsored by

The 5 Hacking NewsLetter 33

Posted in Newsletter on December 25, 2018

The 5 Hacking NewsLetter 33

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 14 to 21 of December.

Our favorite 5 hacking items

1. Conference of the week

KringleCon 2018

Kringle con, Kringle con, Kringle all the way… Oh what fun it is to watch hacking conference talks!
Hum, sorry for the little “Jingle bells” song hijacking, I couldn’t help it!

More seriously, this is a great set of talks for penetration testers. They’re rather short (approximately between 6 and 25 minutes), but are all interesting and cover many different topics: Kubernetes security, web app security (relevant for bug hunters), malwares, forensics, social engineering, and even community building (non technical talk).

If you haven’t already watched them, it could be fun to do a KringleCon marathon. Bring the popcorn!

2. Writeup of the week

Reading ASP secrets for $17,000

This is a great finding with a $17,000 bounty, but also a very well-written writeup. I highly recommend it to learn more on hacking ASP.NET apps, LFD bugs, and how to bypass path traversal filters.

Here’s my favorite takeaway: Let’s say you’re testing for path traversal on /utility/download.aspx?f=download.aspx where download.aspx is a file that exists and you can read, and .. is forbidden.

To bypass the filter, launch a Burp intruder attack on /utility/download.aspx?f=.[fuzz]./utility/download.aspx. Is there any characters combination which allows you to read download.aspx, meaning that it is equivalent to ../utility/download.aspx but without ..?

If yes, it means that that payload allowed you to successfully traverse between directories. In this writeup, it was .+. which did the trick.

3. Resource of the week

Cross-Site Request Forgery Cheat Sheet

This is a very cool and concise cheat sheet for CSRF testing. It’s a flowchart to help determine if an app is vulnerable or not, and how best to create a proof of concept.

It may be helpful whether you are struggling to understand CSRF attacks or as a reminder/checklist even if you’re already a CSRF master.

4. Tool of the week

pyHAWK

This is a simple Python script to use for post-exploitation. It searches any given directory for interesting files that have specific extensions or names.

It’s not groundbreaking but it can be a nice addition to your arsenal. If you have a foothold on a server, you can use it to quick detect database files, files with passwords, configuration files, etc.

5. Tutorial of the week

Hidden directories and files as a source of sensitive information about web application & Dictionaries

This is a great article which reminds me of the Small Files And Big Bounties, Exploiting Sensitive Files (LevelUp 0x02 / 2018) talk. It complements it perfectly as it presents additional types of hidden sensitive files and directories: IDE, SVN, NodeJS/JavaScript, Gitlab and Ruby on Rails files.

@Bl4de also shares the custom made dictionary of ~80k entries that he uses to find these files. So check out the article as well as the dictionary, there might be something useful to add to your methodology.

Other amazing things we stumbled upon this week

Videos

Podcasts

Conferences

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

Tools

  • urlscan.io: Search for domains, IPs, filenames, hashes, ASNs
  • Burp-paramalyzer: Burp extension for parameter analysis of large-scale web application penetration tests
  • Androlyzer & demo: Scan the code of mobile APPS for recon
  • SqliRegex: Sqli Error regex taken from Sqlmap. Use with Burp or ZAP to detect SQL injection errors in responses.
  • W3brute: Automatic Web Application Brute Force Attack Tool
  • XSRFProbe: The Prime Cross Site Request Forgery Audit and Exploitation Toolkit
  • retrieve-osxhash.py

Misc. pentest & bug bounty resources

Articles

Challenges

News

The Indian government has authorized 10 central agencies to intercept, monitor, and decrypt data on any computer… Failure to comply with the agencies could result in seven years of imprisonment and an unspecified fine.

Hackers working on behalf of China’s Ministry of State Security had breached the networks of several large tech companies, then used the access to hack into their clients’ computers. A breach at NASA… included the personal data of current and former employees. “Like the OPM, Anthem, Dulles and Marriott breaches, the incident at NASA is just another in a long string of attacks targeting US officials… the data stolen in the breaches haven’t been correlated to any type of identity theft, suggesting that nation state actors have other plans.”

  • US ballistic missile systems have very poor cyber-security: DOD reports finds no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities in the US’ ballistic missile system

  • Twitter Discloses Suspected State-Sponsored Attack After Minor Data Breach: Twitter revealed that while investigating a vulnerability affecting one of its support forms (used by account holders to contact Twitter about issues with their account), they discovered evidence of the bug being misused to access and steal users’ exposed information. The data exposed includes the country code of users’ phone numbers associated with their Twitter account, and whether or not their account had been locked.

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/14/2018 to 12/21/2018


Have a nice week folks!

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…

Top