Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 28 of December to 04 of January.

Our favorite 5 hacking items #

1. Tool of the week #

Interlace

This tool is a must for both pentesters and bug hunters! We often need to run commands (like Nmap, Amass, Nikto…) on a list of targets. Interlace allows speeding up this process.

Give it the command you want to run, the target file/domain/network and a number of threads like this:

# time interlace  -tL test.txt -p 443 -threads 5 -c "nikto -host https://_target_"
==============================================
Interlace v1.0	by Michael Skelton (@codingo_)
==============================================
[17:35:54] [THREAD] [nikto -host https://kinepolis.com] Added to Queue 
[17:35:54] [THREAD] [nikto -host https://facebook.com] Added to Queue 
[17:35:54] [THREAD] [nikto -host https://nexuzhealth.be] Added to Queue 
- Nikto v2.1.6
- Nikto v2.1.6
...

It starts one thread per target and runs the command you gave it on the different targets simultaneously. In other words, it easily turn single threaded command line applications into a fast, multi-threaded application.

2. Writeup of the week #

Bypassing Authentication Using Javascript Debugger

This is a great practical example of how to bypass client-side authentication.

@mohitdabas08 was testing the login mechanism of a private program and noticed that it generated JavaScript events. So he analyzed the JavaScript files and found out that authentication was implemented in the JavaScript code, client-side.
So it was easy to bypass by using a breakpoint and modifiying the value of a JavaScript variable on-the-fly.

3. Article of the week #

Open redirects - the vulnerability class no one but attackers cares about

Many bug bounty programs don’t reward open redirects unless you find a way to escalate them (to token theft or XSS for instance). I never understood why and was glad to see this article do it justice.

It explains the different types of open redirect, the various potential impacts and a list of known WONTFIX open redirects.

4. Tutorial of the week #

Bash for Everyone — Part 1 & Part 2

If you’re wondering which scripting language to use to automate your pentest/bug hunting tasks, Bash is a great one. Python, Ruby, Perl, Go are all good, and choosing one language above the others is mainly a question of personal preference.

I prefer Bash because it had the lowest learning curve when I started and allowed me to quickly start automating the tasks that I was already doing manually (i.e. creating wrappers around the many command line tools I used).

If you want to learn Bash or refresh your memory, this is a really good cookbook. It is concise and includes almost everything you need to quickly start writing Bash scripts for your pentests & bug hunting: the syntax & common commands sorted by category (file system, redirection, permissions, networking…).

5. Podcast of the week #

Everyday Espionage Podcast

I am a personal development junkie. I love listening to podcasts and audiobooks on personal growth and topics like happiness, time management, goal setting, etc.

So imagine my joy when I stumbled upon this podcast which combines two worlds: personal development and espionnage.

A former covert CIA intelligence officer explains real-world international espionage techniques that can be used in everyday life. For example, the R.I.C.E episode is about the core motivations that you can use to convince someone to do something. The same techniques can be applied to convince a citizen to spy on his own country or to convince your child to brush his teeth!

Other amazing things we stumbled upon this week #

Videos #

• LiveOverflow & John Hammond AMA & Hangout

Podcasts #

• Malicious Life
• Security in Five: Episode 398 - My Security and Tech Predicitons for 2019
• 7MS #343: Interview with Dan DeCloss
• The Many Hats Club Ep. 32, She hacks purple (with Tanya Janca)
• Application Security Podcast: OWASP IoT Top 10 (S04E22)

Conferences #

• Chaos Communication Congress (35C3), especially:
  • The first part of Attacking Chrome IPC
  • Pivot to the Cloud using Pass the Cookie

• Logically Bypassing Browser Security Boundaries & Slides

Slides only #

• The Rocky Road to TLS 1.3

Tutorials #

Medium to advanced #

• Exploiting JNDI Injections in Java
• I found a GCP service account token…now what?
• Malicious use of Microsoft LAPS
• Security Code Review 101 series: Introduction, Input Validation, Parameterized Statements & Memory

Beginners corner #

• S3 Bucket Misconfiguration: From Basics to Pawn
• Session Management - Client Side vs Server Side
• Active Directory Penetration Dojo – AD Environment Enumeration -1
• Advanced Pentesting Lab with VMware, VyOS, Kali, and Metasploitable3

Writeups #

Challenge writeups #

• Real World CTF

Pentest & Responsible disclosure writeups #

• Social Engineering in Japan
• Unprotected Domain Controller Backups -> Full Domain Compromise
• From Responder to NT Authority\SYSTEM
• Bypassing Kaspersky Endpoint Security 11
• R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)
• Vivotek IP Camera Vulnerabilities Discovered and Exploited

Bug bounty writeups #

• Local File Download on Ratelimited
• Namespace attack on Hackerone
  • https://twitter.com/ZuuitterE/status/1080656720832024576
• Logic flaw on Hackerone ($500)
• Brute-force on Hackerone ($500)
• Email validation bypass on private program
• XSS on private program ($616)
• Token theft on Facebook ($1,000)

See more writeups on The list of bug bounty writeups.

Tools #

• B1tMass: Multiple Weaknesses Checking for Mass Subdomains
• Vhost_buster: A simple tool with the power of “Go” to find the hidden Vhosts defined at the server
• shodicontest.py: Search for hosts on Shodan by Favicon hash (http.hash.favicon)
• PenTestKit: Useful tools and scripts used during Penetration Tests
• Kalitorify: Transparent proxy through Tor for Kali Linux OS
• Shodansploit: Wrapper for Shodan CLI
• AndroidProjectCreator & Introduction
• PRETty: “PRinter Exploitation Toolkit” LAN automation tool
• Burpcollaborator-docker: Set of scripts to install a Burp Collaborator Server in a docker environment, using a LetsEncrypt wildcard certificate

Misc. pentest & bug bounty resources #

• I Am Looking For Your Cybersecurity Horror Stories
• CTF Series : Vulnerable Machines: This post (Work in Progress) records what we learned by doing vulnerable machines provided by VulnHub, Hack the Box and others.
• Pentesting Cheatsheet
• Penetration Testing Tools: Great collection of my Penetration Testing scripts, tools, cheatsheets collected over years, used during real-world assignments or collected from various good quality sources.
• PWK Notes: SMB Enumeration Checklist [Updated]
• Issue 12: Car APIs leaking location, breached security cameras, regulation that helps

Articles #

• Top 10 web hacking techniques of 2018 - nominations open

• How To Blow Your Online Cover With URL Previews
• Bug Bounties — A Beginner’s Guide
• A Review of my Bug Hunting Journey
• The Internal Bug Bounty Programme
• Inter-application vulnerabilities and HTTP header issues. My summary of 2018 in Bug Bounty programs.
• Hacking the Echo echo echo
• Discovering and Hacking IoT Devices Using Web-Based Attacks
• Top Ten Bug Bounty Payouts of 2018
• Top 10 Remote Exploits of 2018
• Best Practices for Writing Bash Scripts

Challenges #

• Andrill: Android mobile application interacting with a back-end API that is vulnerabile with various levels of difficulty

News #

• Can’t unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass
• It Appears China is Building a Massive Espionage Database on America
• Firefox is now placing ads and here is how to disable it
• Hackers Hijack Smart TVs to Promote PewDiePie
• Marriott Revises Breach Scope to 383M Records

Non technical #

• Terrified of speaking at a conference? Submit anyway!
• The Process of Mastering a Skill
• Hacker Spotlight: Ambassador Rey Bango
• Misguided misguidings over the EU bug bounty
• 3 Helpful Tips for Short and Long Term Goals
• The 18 biggest data breaches of the 21st century
• 2018 Data Breaches: The List No One Wanted To Make
• The Worst Hacks of 2018

Tweeted this week #

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 12/28/2018 to 01/04/2018

Have a nice week folks!

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…