Hey hackers! As usual, this is a collection of our favorite resources for penetration testers and bug bounty hunters. It covers the week from the 8th to the 15th of June.
There’s a lot to read, so grab a nice plate of watermelon (yeah, it’s summer baby!) and good reading!
Our favorite 5 hacking items
1. Tutorial of the week
This tutorial presents great OSINT techniques for finding sensitive information leaked by employees.
A tool, LeakFinder, is also provided to automate the process. The author used it successfully on 2 bug bounty programs but the reports have not yet been disclosed.
2. Writeup of the week
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL by Darrell Damstedt
This is a great writeup about finding an XXE using Burp Collaborator.
If you read only one writeup this week, it should be this one: it’s well written, references good articles, presents a detailed methodology and a high impact vulnerability.
3. Conference of the week
- Security Fest 2018, particularly:
Amongst the several security conference videos that were released lately, I particularly enjoyed watching Frans Rosén’s talk at Security Fest. He explains how he found many critical vulnerabilities and the tricks he used to win $45,000 in bug bounties.
4. Tool of the week
Archaeologit scans the history of a user’s GitHub repositories for a given pattern to find sensitive things. So it can be useful for finding sensitive information from target companies while pentesting and bug bounty hunting.
5. Non technical item of the week
The Never Ending Hack: Mental Health in InfoSec Community by Danny Akacki
This is a good talk about depression and mental illness by a hacker. It might help if you suffer from these kinds of issues.
Also, if you are a remote worker in InfoSec, you might want to read this article from Danny Akacki too: Working from home is great, ‘till it ain’t. No-one is immune to depression!
Other amazing things we stumbled upon this week
Videos & Podcasts
- SANS Webcast: Introduction to enterprise vulnerability assessment, finding Struts
- Detectify Crowdsource | Meet the Hacker-Gerben Janssen van Doorn
- Jason Haddix, Bugcrowd - Paul’s Security Weekly #564 & the show notes
- NolaCon 2018, particularly:
- x33fcon conference, particularly:
- Critical .zip vulnerabilities? - Zip Slip and ZipperDown
Tutorials
- Reconnaissance: a eulogy in three acts
- Are Your Cookies Telling Your Fortune? An analysis of weak cookie secrets and OSINT
- Cookies for dummies Part 3: Understanding security flags – Secure, HttpOnly and SameSite
- One company: 262 bugs, 100% acceptance, 2.57 priority, 300million+ user details saved.
- Foothold Acquisition: Dorking for Fun and Profit
- Bypassing Cloudflare WAF to get more vulnerabilities
- Multiple Ways to Get root through Writable File
- Active Directory Penetration Dojo – Setup of AD Penetration Lab : Part 1
- Pentester’s Windows NTFS Tricks Collection
- Penetration Testing on X11 Server
- PowerShell For Pentesters Part 1: Introduction to PowerShell and Cmdlets
Writeups
You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about our curation process.
Tools
- linkfinder-oneliner.sh
- XSS Finder
- BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application’s source code.
- One-Lin3r
- Archerysec: Open Source Vulnerability Assessment and Management helps developers and pentesters to perform scans and manage vulnerabilities.
- m4ngl3m3: Common password pattern generator using strings list
Misc. pentest & bug bounty resources
Challenges & Training
Here is a very nice CSP bypass challenge (aka XSS). You just need to alert(1), that is.
It isn't hard or easy ;) https://t.co/MypxZXeUp0
Retweet so we gonna have more winners!
— Abdullah Hussam (@Abdulahhusam) June 14, 2018
- PwnAdventure3 - Game Open-World MMORPG Intentionally Vulnerable To Hacks
Non technical
- Storytelling as a Service in InfoSec
- Password-free logins become a web reality
- My Path to Security – How Kelly Albrink Got Into Cybersecurity
- CV tips and hints
Tweets
For all those that asked the question about giving up full time bug bounty hunting. I will share in the next days. Some may relate, others won't. I don't care either way :) between ALL BBP's I have cleared well over $1,250,000. I have one goal to hit, and need to do it asap :)
— BugBountyHQ (@BugBountyHQ) June 10, 2018
WHAAAAAAAAAAT?! More than a million dollars!
HTTPS = "Is the response untampered & from the expected sender?"
CORS = "Can I access the content of this resource?"
CSP = "Only allow requests that look like this…"
SRI = "Only allow content that looks like this…"
CORB = "Don't allow my data into another origin's process"
— Jake Archibald (@jaffathecake) June 12, 2018
Since some people asked me if I'm willing to share my xss tools after posting here: https://t.co/nDOKrdoMKp
You're welcome... but it's nothing special... just another hacky python script but it earned some big bugs :P https://t.co/tXd35nnpqU #bugbounty #pentest #xss
— Damian Schwyrz (@damian_89_) June 16, 2018
Subfinder+wfuzz+gitpillage = ftp credentials+db backups = $$$ #bugbounty #hackerone pic.twitter.com/tu7cUQXTq4
— Gwendal Le Coguic (@gwendallecoguic) June 13, 2018
So I recently completed a physical pentest. Was going to live tweet it.
But it happened a little too quickly.
Went to case the joint; conduct some active recon.
And then just sort of breached the place while I was there...
— Tinker ❎ (@TinkerSec) June 15, 2018
I made a CLI-version of the Template Generator, called bountytpl: https://t.co/wXt3c9g76J
markdown-file + JSON = report
Can be used nicely in a pipeline with bountyplz: https://t.co/5FrmMJeml6 #bugbounty
— Frans Rosén (@fransrosen) June 12, 2018
I'm curious any other CTF/Boot2Root/Hacking/Pentesting/Infosec @Twitch streamers out there? If you know of one or are one please shoot me links, I want to create a twitter list of them.
— Rob Fuller (@mubix) June 10, 2018
More tweets (Tips)
Just found an interesting bug.. can you invite other users (via email usually) to xyz? Try the invite link on a different account and see what happens. In my case, it auto leaked my other accounts email to me. (no prompts to accept invite, didn't validate user) #BugBountyTips
— zseano💫 (@zseano) June 13, 2018
How I just found this WAF bypass and multiple XSS in minutes on a fresh program? Scanned subdomains, then ran common parameters with XSS payloads on each index page. Be surprised how many easy low hanging fruit bugs you'll find :) #BugBountyTips
— zseano💫 (@zseano) June 11, 2018
#BountyProTip : Not really a genius trick or anything but when you discover a subdomain that doesn't have any content in the web root, make sure to Google the subdomain for cached URI paths (in addition to checking https://t.co/LM3Ls2jfCF)
— Jason Haddix (@Jhaddix) June 11, 2018
#bugbounty Pro Tip - If HTTP response contains sensitive details such as passwords, credit card #'s or SSN's, check for the following headers:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
👍 pic.twitter.com/DYz3Gtz3c3
— CrowdShield (@crowdshield) June 13, 2018
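To turn that tip into something you can run over captured traffic, here is an added Python example (our illustration, not part of the tweet or of any tool mentioned on this page). It parses a raw HTTP response, looks for sensitive-looking values in the body (SSN, Luhn-valid card numbers, password fields) and, when it finds any, reports which of the anti-caching directives from the tweet are absent. The regexes, rule names and the two sample responses are constructed for the example.

```python
import re

# Body patterns that indicate data which must never land in a browser or proxy cache.
# The card pattern only finds candidates; luhn_ok() filters out random digit runs.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "password": re.compile(r'"?password"?\s*[:=]\s*"?[^"\s,]+', re.I),
}

# Directives the tip says to look for when the body is sensitive. no-store is the one
# that actually stops caches from keeping a copy; no-cache alone still lets them store it.
REQUIRED_CACHE_CONTROL = ("no-cache", "no-store", "must-revalidate")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_sensitive(body: str) -> set:
    """Return the names of the sensitive data types present in the body."""
    found = set()
    for name, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(body):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue
            found.add(name)
    return found


def missing_cache_headers(headers: dict) -> list:
    """List the anti-caching directives from the tip that the response does not send."""
    directives = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    missing = ["Cache-Control: " + d for d in REQUIRED_CACHE_CONTROL if d not in directives]
    if headers.get("pragma", "").lower() != "no-cache":
        missing.append("Pragma: no-cache")
    return missing


def check_response(raw: str) -> dict:
    """Report sensitive data types found and, if any, which anti-caching headers are absent."""
    _, headers, body = parse_response(raw)
    sensitive = find_sensitive(body)
    missing = missing_cache_headers(headers) if sensitive else []
    return {"sensitive": sensitive, "missing": missing}


# Constructed sample responses; the values are not real.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Cache-Control: private, max-age=600\r\n"
    "\r\n"
    '{"name":"Jane Doe","ssn":"123-45-6789","card":"4111 1111 1111 1111","password":"hunter2"}'
)
SAFE_RESPONSE = LEAKY_RESPONSE.replace(
    "Cache-Control: private, max-age=600",
    "Cache-Control: no-cache, no-store, must-revalidate\r\nPragma: no-cache",
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, check_response(raw))
```

Feed it the raw responses Burp saves from a crawl and only the ones that both carry sensitive data and lack `no-store` are worth writing up; a missing `Pragma` on its own is a hardening note, not a finding.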
Pentest tip: this may seem obvious to many, but was helpful recently: when privesc on a linux box w/ a limited shell, check "sudo -l". You may have sudo access to specific binaries you didn't expect.
— c0Ba (@c0Bchik) June 13, 2018
#Protip raw scanners in bash with for:
scan 65535 ports with curl, wget or even nc. PS: also works with ssh, ftp, etc.
for var in {1..65535};do curl -s host:$var;done
brute force files or directories
for var in $(cat files_dictionary);do curl host/$var;done
#Bugbounty #infosec pic.twitter.com/0ZMTQYNPqO
— Omar Espino (@omespino) June 13, 2018
Noticed some more interesting behaviour with Akamai WAF. If I use <script> then it will error, however using </script><script> works. Weird..
— zseano💫 (@zseano) June 15, 2018
So you're not allowed to execute PowerShell scripts? Try this: "type payload.txt | p^o^w^e^r^she^l^l -v 2 -nop -" This works extra well combined with Invoke-Obfuscation from @danielhbohannon
— Keiran Dennie (@TestingPens) June 14, 2018
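The caret trick above is plain cmd.exe escaping, and it defeats naive string matching on process command lines. Here is an added Python example of the defender's side (our illustration, not part of the tweet or of Invoke-Obfuscation): normalize the command line the way cmd.exe does before it launches the process, then apply a few detection rules for the flags the tweet uses. The sample command lines, rule names and regexes are constructed for the example.

```python
import re

# Constructed process-creation command lines, as Sysmon event 1 or an EDR would record them.
SAMPLE_COMMAND_LINES = [
    "type payload.txt | p^o^w^e^r^she^l^l -v 2 -nop -",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\deploy.ps1",
    "notepad.exe C:\\Users\\bob\\notes.txt",
]

# Rules run against the normalized (caret-stripped, unquoted, lower-cased) line.
SUSPICIOUS = [
    # a trailing "-" (as in the tweet) makes powershell.exe read its script from stdin
    ("powershell_script_from_stdin",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-\s*$")),
    # -v 2 forces the PowerShell 2.0 engine, which has no script block logging and no AMSI
    ("powershell_v2_downgrade",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-v(?:ersion)?\s*2\b")),
    ("powershell_noprofile",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-nop(?:rofile)?\b")),
    ("powershell_executionpolicy_bypass",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-e(?:xecutionpolicy|p)?\s+bypass\b")),
]


def normalize_cmd(line: str) -> str:
    """Undo cmd.exe escaping so the rules see what the shell actually executes.

    cmd.exe drops a caret and takes the following character literally, so
    p^o^w^e^r^she^l^l reaches CreateProcess as powershell (and ^^ becomes ^).
    """
    line = re.sub(r"\^(.)", r"\1", line)
    return line.replace('"', "").lower()


def analyze(line: str) -> list:
    """Return the names of every rule the command line triggers, in rule order."""
    normalized = normalize_cmd(line)
    hits = [name for name, pattern in SUSPICIOUS if pattern.search(normalized)]
    # the token only appeared after de-escaping: someone hid it on purpose
    if "powershell" in normalized and "powershell" not in line.lower():
        hits.append("caret_obfuscated_powershell")
    return hits


def scan(lines) -> dict:
    """Map each command line that triggered at least one rule to its rule names."""
    results = {}
    for line in lines:
        hits = analyze(line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_COMMAND_LINES).items():
        print(hits, "<-", line)
```

This only undoes caret escaping and quoting. Environment-variable indirection (`set x=powershell && %x%`) and the in-script tricks Invoke-Obfuscation applies are invisible at the command-line level; for those you need PowerShell script block logging, which the `-v 2` downgrade in the tweet is precisely meant to avoid.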
Subdomains recon tip: use 1.1.1.1 DNS resolver when bruteforcing subdomains. Besides the speed it also correctly handles some wildcard implementations (e.g. 3xx redirect-based) out-of-box.
— Evgeniy Yakovchuk (@h1_sp1d3r) April 19, 2018
Want an easy way to find new bug bounties? Search for the term "bug bounty" on Indeed or LinkedIn Jobs. You will see public AND private bounty programs. 🙃
— Paul Seekamp (@nullenc0de) June 13, 2018
Red tip #326: WHOIS Protection in place on domains? Try get WHOIS information from the Autonomous System Number then use that to perform reverse WHOIS to find additional domains. https://t.co/Z2mHFB4ZRH
— Vincent Yiu (@vysecurity) June 15, 2018
#BugBountytip ALWAYS check the full response on any request. Errors can sometimes give u the keys to the kingdom if u actually figure out what ur looking at within the error response.
— BugBountyHQ (@BugBountyHQ) June 14, 2018
#bugbountyprotip Always look at Companies @YouTube channel. Go to Playlist, you'll find Unlisted Videos which could well leak lot of internal info (in rare cases also includes passwords which was written in Notepads for video demo 🤦♂️) #TogetherWeHitHarder #BugBounty #infosec
— Prateek Tiwari (@prateek_0490) June 16, 2018
?"></script><base%20c%3D=href%3Dhttps:\mysite> - nice little bypass to Akamai WAF :) </script><base c= is the parameter, href=https:\mysite> is the parameter value (surprised it didn't pick up on </script>.. *shrug*)
— zseano💫 (@zseano) June 11, 2018
#XSS Trick
<svg onload=1?alert(9):0>
<svg onload=0?1:alert(9)>
by @MarcS0h @Mick4Secure #bugbounty
— 🏹 Xero-Z (@LurisJame) June 10, 2018
Pro tip: when testing for authorization issues using different profiles/browsers going through the same proxy, set a unique canary in the user agent property of one of them. Then in Burp -> Search for that canary -> Highlight all #bugbountytip
— Miguel Regala (@Regala_) June 11, 2018
Autorize BurpSuite plug-in tests for authentication issues while you browse to see if you can make requests without being authenticated. Very handy as an extra measure.
— Paul Stewart (@InfoSecPS) June 12, 2018
More (fun) tweets
I made another version of the amazing #pentesting timeline chart. pic.twitter.com/14gkvvQdZC
— (☞゚∀゚)☞ (@dacoursey) June 11, 2018
Root Cause (https://t.co/AqxH4SPUsb) pic.twitter.com/kCweDjeggw
— monkeyuser (@ismonkeyuser) June 12, 2018
This one reminds me of my years as a security auditor, we were always asked to look for the root cause!
Mum: I read an article today about Russian cyber-attacks. There's going to be a lot of work for white rabbit hackers like you
Me: White... what?
Mum: White rabbit hackers
Me: Mum do you mean white hat hackers?
Mum: Oh no! I've told all my friends that you're a white rabbit hacker
— Liam O 🦆 (@liamosaur) April 17, 2018
See you next time!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…