Hey hackers! These are our latest favorite resources related to pentest & bug bounty.
This issue covers the week from 3 to 10 August.
Our favorite 5 hacking items
1. Writeup of the week
How I gained commit access to Homebrew in 30 minutes by Eric Holmes (@vesirin)
Eric was able to make an unauthorized commit to Homebrew’s GitHub repositories. It took 4 steps and less than 30 minutes:
- He used Gitrob to automate the organization’s Github recon
- He looked at previously disclosed issues on https://hackerone.com/Homebrew and found a Jenkins instance that was (intentionally) publicly exposed
- Git authenticated push meant that credentials were stored somewhere…
- The “Environment Variables” page exposed a valid GitHub API token
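The last two steps above come down to a credential sitting in plain sight on a CI server's environment page. The script below is an added example (not part of Eric's writeup or Homebrew's tooling) of the check a defender would run over such a dump: it parses KEY=VALUE lines, flags values shaped like GitHub tokens, and rates confidence by variable name so that a 40-hex GIT_COMMIT is not mistaken for a legacy 40-hex token. The environment dump and every token in it are constructed for the example; the token shapes come from GitHub's public documentation.

```python
import re
from typing import Dict, List

# Token shapes from GitHub's public documentation: pre-2021 personal access
# tokens were 40 hex characters (the format current at the time of the 2018
# writeup); newer tokens carry a prefix such as ghp_ plus 36 alphanumerics.
PATTERNS = {
    "github_prefixed_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_legacy_hex_token": re.compile(r"\b[0-9a-f]{40}\b"),
}

# Variable names that usually hold a credential raise confidence; names that
# usually hold a git revision (also 40 hex characters) lower it.
CREDENTIAL_HINTS = ("TOKEN", "SECRET", "PASSWORD", "PASSWD", "API_KEY", "CREDENTIAL")
REVISION_HINTS = ("COMMIT", "SHA", "REVISION", "REV")

# Constructed sample of a CI "Environment Variables" page; no real secrets.
SAMPLE_ENV_DUMP = """\
BUILD_NUMBER=412
GIT_COMMIT=3f786850e387550fdab836ed7e6dc881de23001b
GIT_BRANCH=origin/master
HOMEBREW_GITHUB_API_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
DEPLOY_TOKEN=0123456789abcdef0123456789abcdef01234567
PATH=/usr/local/bin:/usr/bin:/bin
"""


def parse_env_dump(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, the shape of `env` output or a CI environment page."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it; never log the full credential."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def classify(name: str, kind: str) -> str:
    """Rate a match: prefixed tokens are unambiguous, 40-hex values depend on the name."""
    upper = name.upper()
    if kind == "github_prefixed_token":
        return "high"
    if any(hint in upper for hint in REVISION_HINTS):
        return "low"      # GIT_COMMIT and friends are almost surely revisions, not tokens
    if any(hint in upper for hint in CREDENTIAL_HINTS):
        return "high"
    return "medium"


def scan_env(env: Dict[str, str]) -> List[dict]:
    """Return one finding per token-shaped value, with a redacted preview."""
    findings: List[dict] = []
    for name, value in env.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(value):
                findings.append({
                    "variable": name,
                    "kind": kind,
                    "confidence": classify(name, kind),
                    "redacted": redact(match.group(0)),
                })
    return findings


def high_confidence_variables(text: str) -> List[str]:
    """Names of variables that almost certainly hold a live token and must be rotated."""
    return sorted(f["variable"] for f in scan_env(parse_env_dump(text))
                  if f["confidence"] == "high")


if __name__ == "__main__":
    for f in scan_env(parse_env_dump(SAMPLE_ENV_DUMP)):
        print(f"{f['confidence']:6} {f['kind']:24} {f['variable']}={f['redacted']}")
```

Run against the sample, it reports GIT_COMMIT as a low-confidence hit and the two token variables as high-confidence ones; the same function can be pointed at a build log or a real `env` dump, and a high-confidence hit means the token should be rotated and the page that exposed it taken off the public internet.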
2. Tips of the week
Colorize your hunt by Gwendal Le Coguic (@gwendallecoguic)
Another great blog post by Gwendal Le Coguic! He presents his configuration to test for IDOR & vertical/horizontal escalation:
- Autochrome browser: many options configured by default, separate profiles
- Multi-Browser Highlighting: Burp extension that highlights the Proxy history to differentiate requests made by different browsers
- Logger++: Burp extension to log the requests and responses made by all Burp tools, and display them in a sortable table
3. Videos of the week
Many of us have been waiting for the release of Bugcrowd University, since it was first announced during Level Up 0x02.
It currently includes links to previous LevelUp talks and beginner modules with videos, slides and lab guides. If you’re a seasoned bug hunter, still keep an eye on it because a few more advanced modules are also planned.
4. Tutorial of the week
James Kettle published this blog post following his Black Hat talk on “How to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.”
I haven’t finished reading and digesting everything but it is a must for bug hunters. The techniques presented have already been added as new features to Burp Suite 1.7.37.
Also, you can test your knowledge of Web cache poisoning by trying James’s challenge.
Here's the web cache poisoning hackxor mission. If you want a brutal challenge, try solving it without first reading my research https://t.co/C2raIlrU4U — James Kettle (@albinowax) August 10, 2018
https://t.co/329EVT6P0X is currently experiencing some intermittent problems thanks to the new cache poisoning mission. I hope to get this properly fixed tomorrow but for now, the server will reset hourly. — James Kettle (@albinowax) August 10, 2018
5. Non technical item of the week
This is how I fixed my chronic lower back pain by Aditya Agrawal (@exploitprotocol)
If you’re on this blog, it probably means that you’re into infosec and spend a great deal of time sitting at a desk in front of your computer.
I prefer working from bed or a sofa, but it still means sitting 8 to 10 hours every single day! I’ve had crippling knee issues for years and needed orthopedic soles to avoid pain but did not link it to having weak hips and knees from sitting all the time.
I’ve only recently arrived at the same conclusion as Aditya: incorporating simple, consistent habits into my daily routine is key to maintaining a healthy body (especially since I work from home).
It’s inspiring to read how he was able to fix his lower back pain. I plan on trying some of his advice, starting with the Stretchly app.
Other amazing things we stumbled upon this week
Stuff to watch/listen to
- LIVE from Las Vegas: Frans Rosen - How to Win Over Security Teams and Gain Influence as a Hacker by HackerOne
- HACKING BACK - An eye for an eye? by SecJuice
- Haxcellent Adventures [Career] - Carving an Attack Plan to improve security skills
- Maximizing Burp by HackerOne
- Humans of InfoSec: Ep 12 Georgia Weidman: Writing books, riding horses, and starting companies
Conferences (Slides only)
- Breaking Parser Logic! - Take Your Path Normalization Off and Pop 0days Out & Case study by Orange Tsai
- Playback: A TLS 1.3 story
Medium to advanced
- Capturing NetNTLM Hashes with Office [DOT] XML Documents
- From LFI to SQL Database Backup
- Blind XPath Injection - Approach for Unknown Data Sets
- Bypassing Next Gen AV During a Pentest
- Introducing Burp Extractor
- The Beginning of the End of WPA-2 — Cracking WPA-2 Just Got a Whole Lot Easier
- New attack on WPA/WPA2 using PMKID
- Bypassing Web Application Firewalls for Cross-Site-Scripting
- How to Hack WebSockets and Socket.io
- Cracking WPA1/2/Enterprise with HCXTools
- Routed SQL Injection
- How I made a fake access point to harvest login credentials?
- Trello vs the Google Dork
- AWS: Assuming Access Key Compromise
You can find the latest bug bounty writeups in our dedicated page: List of bug bounty writeups.
Only writeups that did not make it into this selection are listed below. This does not mean that they aren’t worth reading, just that they are not BUG BOUNTY writeups. We will soon post more details about our curation process.
- CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception)
- The .io Error – Taking Control of All .io Domains With a Targeted Registration
- My first XML External Entity (XXE) attack with .gpx file
- FakesApp: A Vulnerability in WhatsApp
If you don’t have time
- Mykali: Copycat Kali, with mykali for Kali Linux
- Replicator (Burp extension): helps developers to reproduce issues discovered by pen testers
More tools, if you have time
- WhatsApp Protocol Decryption Burp Tool
- Sanitiz3r: A python script that filters, checks the validity, generates clickable link(s) of subdomain(s), and reports their status
- PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
- The PenTesters Framework (PTF): A way for modular support for up-to-date tools
- WordPress Exploit Framework: A Ruby framework designed to aid in the penetration testing of WordPress systems
- Bug hunting, for fun and profit. My slightly but not so technical how to guide for anyone.
- Introducing BountyMachine
- An Introduction To Open Source Intelligence (OSINT) Gathering
- The Sequel of HTTP Headers - Advanced Security Capabilities
- With Pain comes Sufferance and you get Humble
Misc. pentest & bug bounty resources
- BountyGraph: Crowdfunded Bug Bounties and Security Audits
- Web Application Penetration Testing Course URLs.docx
- Pure bash bible: A collection of pure bash alternatives to external processes
- IoT Pentesting 101 && IoT security 101
Need a place to practice your #OSINT skills? Give this website a try. It is an online game where it will ask you to find bits of information to use as a password to pass to the next level. Each game gets harder! https://t.co/KcOufE1Dsx #Challenge @jantegze — OSINT (@AccessOSINT) August 5, 2018
- India - A Hackers Perspective
- The Six Lessons That I Learned Landing My First Cybersecurity Job
- Looking up IT job salary information
- Temporarily Offline
- Bug Reporting for Bug Bounties
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/03/2018 to 08/10/2018
Have a nice weekend folks!
If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.
And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…