The 5 Hacking NewsLetter 11

Hey hackers! Here are our favorite resources for penetration testers and bug bounty hunters for last week (June 29 to July 6).

Our favorite 5 hacking items

1. Podcast of the week

Web Hacking Pro Tips #16 with Bull by Peter Yaworski

I loved watching this podcast! The story of Bull (@v0sx9b) is impressive: he’s a self-taught full-time bug bounty hunter since only 2016 and already making a lot of money. So it’s good to listen to his hunting philosophy and tips.

For example, he focuses on big bugs and doesn’t report small ones, but rather keeps them to chain them and report higher impact bugs. This way, he reports 6/7 bugs a month on average but with high criticality & reward.

2. Tool of the week

h1-search by David Sopas

This is a handy tool for bug hunters. It’ll allow you to quickly grab all publicly disclosed reports of any HackerOne program you are working on.

3. Writeup of the week

The $12,000 Intersection between Clickjacking, XSS, and Denial of Service by Sam Curry

This is a great write-up on how to find high reward bugs on a target that has been tested by hundreds or thousands of other researchers. The tricks mentioned include:

• How to bypass an open redirect filter using the //external.site trick
• Why you should try both external & internal links when testing for open redirection
• How to cause client Denial of Service with %0t
• How to create awesome XSS PoCs using clickjacking and highlighting the information that can be stolen (web sockets session stored within the browser’s local storage)

4. Tip of the week

Free Lists - Bug Bounty

This is a new mailing list started by EdOverflow. You can browse the archive and read many good tips for bug hunters like how to escalate stored XSS for a better reward, great subdomain takeover tricks, etc.

5. Non technical item of the week

A Brief History Of Kiwicon Visual Design

Both the contents and the design of this poster are great. It sums up all the excuses I heard from clients as an internal security auditor then pentester.

The first time I saw it, it made me laugh and feel comforted because I felt less alone in this fight against the false obstacles and excuses.

Other amazing things we stumbled upon this week

Stuff to watch/listen to

Videos

• Live Web Exploratory Technical Testing Session Example

Podcasts

• Darknet Diaries Ep 18: Jackpot
• Newsmaker Interview: Marten Mickos on the Future of Bug Bounty

Conferences

• S13 A presentation or presentations because presenting Jason Blanchard
• OWASP AppSecEU 2018 – Attacking “Modern” Web Technologies (Slides only)
• WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour (Slides only)
• HIP_2018_The_Past_Present_Future_of_Enterprise_Security.pdf (Slides only)

Tutorials

Medium to advanced

• Bypassing Web-Application Firewalls by abusing SSL/TLS
• Hackability inspector
• Event Injection: A New Serverless Attack Vector
• How To Test Cross Origin Resource Sharing Vulnerability (OTG-CLIENT-007)
• 5 Easy Steps to Understanding JSON Web Tokens (JWT)
• 3 Ways Extract Password Hashes from NTDS.dit
• Analyzing Large Capture Files 4: Whittling with Filters
• How to red team: Domain fronting with Powershell Empire and CloudFront
• Exfiltrating credentials via PAM backdoors & DNS requests
• Advanced ATM Penetration Testing Methods

Beginners corner

• How to brute force efficiently without Burp Pro
• Top 5 my own security audit fails
• Pentesting iOS apps without jailbreak
• Metasploit Basics, Part 13: Exploiting Android Mobile Devices
• From XSS to RCE: XSSer

Writeups

You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it to this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about how our curation process.

• How I bypassed the OTP verification process? Part — 1
• How I bypassed the OTP verification process? Part — 2
• PHPMyAdmin 4.8.0 ~ 4.8.1 Remote Code Execution
• How I found my very first CVE
• Abusing JSONP to grab user credentials
• Abusing CORS via null origin

Tools

If you don’t have time

• Defcon Demo Labs: Many great tools, see my blog post on how to install them to start playing with them
• The Majestic Million: Free alternative to Alexa
• Hacks by @EdOverflow: Some random scripts. Just trying to be like the cool kids.
• Hunter: Find email addresses in seconds, for when you need to drop a responsible disclosure and need to find their CTO
• Hackability: Probe a rendering engine for vulnerabilities and other features by https://portswigger.net

More tools, if you have time

• Sn1per: Automated Pentest Recon Scanner https://xerosecurity.com (Community & Pro versions)
• https://buckets.grayhatwarfare.com/: Online tool to search for Open Amazon s3 buckets
  • How to search for Open Amazon s3 Buckets and their contents — https://buckets.grayhatwarfare.com
• SSHReverseShell: Reverse Shell over SSH
• CVE-2018-0296: Script to test for Cisco ASA path traversal vulnerability (CVE-2018-0296)
• JSgen.py: bind and reverse shell JS code generator for SSJI in Node.js with filter bypass encodings
• evil-ssdp: Abusing SSDP/UPNP on Windows networks to phish inside Windows Explorer. How to spawn spoofed devices on machines across the LAN, tricking users into visiting a phishing page and capturing the NTLM hash.
• Dangerous Methods: A Burp Suite Professional extension for finding the use of potentially dangerous methods/functions in Javascript, jQuery, AngularJS, and others.
• TP-Link-defaults: Python script for trying default passwords for some TP-Link Hotspots
• domain_hunter: A Burp Suite Extender that search sub domain and similar domain from sitemap
• Simple Twitter Profile Analyzer: Tweets metadata scraper & activity analyzer
• RouterSploit: Exploitation Framework for Embedded Devices
• Msldap: LDAP library for auditing MS AD
• Recon using Crt.sh: Perform recon on domains using certificate transparency

Hello folks.! I was working on to create an automated script to gather unique host names from https://t.co/iD06whZgHc and resolve it into the ip. Do check and contribute. https://t.co/qy8GnD0AWe

— The_Maniac (@h4ckologic) June 29, 2018

• Burp NTLM Challenge Decoder: Burp extension to decode NTLM SSP headers and extract domain/host information

Wrote my first Burp Extension! Got real tired of using obscure (and often sub-par) python scripts to dump domain Metadata during engagements. https://t.co/3yIIeRzfcD

— Louis Dion-Marcil (@ldionmarcil) June 29, 2018

Misc. pentest & bug bounty resources

• Cloud Metadata Dictionary useful for SSRF Testing by Jason Haddix
• Hacks by @EdOverflow - Some random scripts. Just trying to be like the cool kids.
• Week in OSINT — #2018-26
• Penetration Testing Tools Repo: Penetration Testing tools - one repo to clone them all… containing latest pen testing tools
• FreeLists - Bug Bounty mailing list
• Awesome Ninja Admins: A collection of awesome lists, manuals, blogs, hacks, one-liners and tools for Awesome Ninja Admins
• Awesome macOS open source applications: Awesome list of open source applications for macOS
• [DRAFT] Recon.JSON - A JSON-based Recon Data Standard: Recon.json is a project dedicated to creating a flexible and consistent JSON format across popular recon tools.
• The Easiest Metasploit Guide You’ll Ever Read - An Introduction to Metasploit, featuring VMWare Workstation Pro, Kali Linux, Nessus, and Metasploitable 2 (PDF) / HTML version
• OWASP Mobile Security Testing Guide - 1.0 Release (Free)

Challenges

• http://leettime.net/xsslab1/chalg1.php

XSS Lab1: https://t.co/ewaYrG5iSo
Payload: <script>alert(document.URL)</ script>, I hope this could help you #XSS #openbugbounty #bugbounty pic.twitter.com/s47Yo9KrtQ

— deb_security (@deb_security) June 29, 2018

• https://aspnetctf.asitename.com/sqli_test.aspx

Here is my SQLi ASPNet CTF - pre #AppSecEU 2018: https://t.co/z60ksS2TAJ - hosted on a new server now - dare to challenge yourself even further? through CloudFlare WAF using: https://t.co/g0gzKyzewm Looking forward to see you at https://t.co/VTK4TZOYdO @NCCGroupInfosec https://t.co/isKcs9JKkU

— Soroush Dalili (@irsdl) July 1, 2018

• Windows / Linux Local Privilege Escalation Workshop

• I have created a CTF. First one to figure it out and get through it, I'll get you a $10 Amazon GC. Good luck.#pentest #ctf #cybersecurity #infosec

  — HackerPom (@InfoSec_Pom) July 4, 2018

• http://xss.stackchk.fail/

I came across an interesting technique when working on @0x6D6172696F XSS challenge this year. I couldn't really find a direct reference to it anywhere, so I made a challenge: https://t.co/BtSs2xkh4j Your goal is to bypass the XSS auditor on up to date chrome and alert the cookie

— itszn (@itszn13) June 26, 2018

Non technical

• H1-3120: MVH! (H1 Event Guide for Newbies)
• Bug Bounty Programs Turn Attention to Data Abuse
• Hacking back: is it a good idea?
• New WPA3 Wi-Fi Standard Released
• WPA3 Is a Major Missed Opportunity: Here’s Why
• OSCP Write-up
• My OSCP Journey
• “Stylish” browser extension steals all your internet history
• We Need to Change the Dictionary Definition of ‘Hacker’
• 10 things to know before getting into cyber security

Tweeted this week

We created a collection of our favorite pentest/bug bounty related tweets shared this week. You’re welcome to read it directly on Twitter.

---

Have a nice weekend folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…

Share this article

---