Hey hackers! Once again, I scoured the Web to get you the best resources on hacking, pentesting and bug bounty hunting shared this week.
I’m publishing this a little late because there’s a lot of research involved and, well, sometimes life gets in the way… So the week covered is from the 1st to the 8th of June.
Have fun reading this, and don’t forget to share, retweet, comment, ask…!
Our favorite 5 hacking items
1. Webcast I enjoyed watching
This is a great webcast! I loved watching it for all the state of the art information, tips and feedback from professional pentesters.
2. Writeup of the week
Getting PHP Code Execution and leverage access to panels, databases, server
This is a very well written writeup that details the recon process and the methodology used to find a PHP code execution and an SQL injection. It’s a real-life example that is very educational for beginner penetration testers and bug bounty hunters.
3. Tutorials of the week
29 short videos that teach you how to use Shodan from the command-line
As a pentester or bug bounty hunter, you probably use Shodan all the time. But if you’re currently using its GUI (i.e. the website) rather than the command line, these videos are highly recommended! The GUI is nice but the CLI is a lot more practical, especially for logging purposes and when testing dozens of IPs & hosts at once.
4. Non technical item of the week
I like watching these short and fun videos. J4vv4d doesn’t take himself too seriously and tackles topics that anyone in the infosec field can relate to. Some of my favorites are:
- Bug bounty
- 10 infosec conversation starters
- 19 ways to say “Good job” to your security colleagues (Recommended if you’ve had a bad day at work!)
- Security Terminology
5. Article of the week
This is a nice introduction to Content Security Policy (CSP) and a good starting point for looking for CSP bypass vulnerabilities!
Other amazing things we stumbled upon this week
Videos & Podcasts
- 7MS #313: Push-Button Domain Admin Access
- SANS Webcast: Everything I Didn’t Learn in School
- Path Traversal - Basic example of how to improve active scanner with Burp Bounty extension (Choose the 720p60 HD quality for this YouTube video to be able to read the text)
Tutorials
- Pro Tips: Testing Applications Using Burp, and More
- SPN discovery
- Recon— my way.
- Find path traversal (CVE-2005-3299) with Nmap
- Abusing Insecure WCF Endpoints
- Top Five Ways the Red Team breached the External Perimeter
- The Shortest Reflected XSS Attack Possible
- The big bad wolf - XSS and maintaining access
- Red Team: Initial Access
Writeups
- How I was able to list some internal information from PayPal #BugBounty
- How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte
- How i converted SSRF TO XSS in jira.
- How I found XSS via SSRF vulnerability -Adesh Kolte
- #BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection.
- How I hacked an online dating website?
- Hacking Photopea : SSRF is the new XSS
- How I Hacked Fotor & Got “Nothing”
- #Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay
- Internet Explorer has a URL problem
- Side-channel attacking browsers through CSS3 features
- Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper
- Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected)
Tools
- BurpBounty - Burp Suite extension that improves the active and passive scanner
- GyoiThon - A growing penetration test tool using Machine Learning.
- Freddy: Burp Suite extension to automatically identify deserialization issues in Java and .NET applications
- Hash-Buster - A program which uses several APIs to perform hash lookups
- Scanners-Box - The toolbox of open source scanners
- Namechk - OSINT tool based on namechk.com for checking usernames on more than 100 websites, forums and social networks.
Tweets
A new version of Gitrob is out! It has been rewritten in Go and is now much simpler to set up, super fast and dives deep into commit history to surface interesting files. Enjoy! michenriksen.com/blog/gitrob-now-in-go/
New comics by Julia Evans:
This awesome tool just saved my ass on a pentest. http://breenmachine.blogspot.com/2014/09/transfer-file-over-dns-in-windows-with.html
Protip: Having trouble finding s3 bucket names to test? Decompile their android apps, grep through hardcoded strings for their s3 buckets!
A magic open redirect payload I recently used. http://target.com/?redirectUrl=//evil.me/?:
Use nmap as a vulnerability scanner with scripts that map the open ports to existing exploits or even existing external scans "nmap --script shodan-api --script-args 'shodan-api.target=$IP,shodan-api.apikey=API_KEY'"
Unpriv RCE to Root? If you get any sort of Unprivileged RCE that you cannot take any further, for the sake of bounties run "aws s3 ls" and you'll be shocked how many S3 buckets & sensitive data you get. Sometimes stored root password (Yes I mean it)
In the beginning of a bug bounty program you should proudly send some bugs, even shitty ones to see how the company reacts.
Download a file from S3 by just supplying <bucket>/path/to/file...
We have created a mini-CTF for CONFidence recently. It's not particularly hard, but still you might have some good time trying to solve it. It's still live and will be for some time now. http://172.104.154.101/...
How to make $80k in one day: Blockchain bugs...
A stupid little bash-profile alias to turn any command into a console...
#Protip Did you know that you can bookmark google dorks?...
#Protip Did you know that you can run javascript in href of hyperlink elements? try with...
Misc. pentest & bug bounty resources
- Collection of infosec resources (bookmarks, challenges, blogs, articles…)
- Bug Bounty Channel
- Appsec e-zine #225
- List of tools I’ve been collecting since I started pen-testing. Curated and organized. by n00py
- WebAppSec - Attack payloads
- XSS-Payloads
- Search for open source repositories on github, gitlab, and bitbucket all at once.
Non technical
- 2018 State of Bug Bounty Report by Bugcrowd
- NSA security/motivational posters from the 1950s and 1960s
- SANS Poster: Building a Better Pen Tester
- Penetration Testing has gotten tougher – and why that increases your risk
- Penetration Test vs. Red Team Assessment: The Age Old Debate of Pirates vs. Ninjas Continues
See you next time!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…