The 5 Hacking NewsLetter 17

Hey hackers! These are our favorite resources related to pentesting and bug hunters that we came across recently.

This issue covers the week from 17 to 24 of August.

Our favorite 5 hacking items

1. Tutorial of the week

How To Setup an Automated Sub-domain Takeover Scanner for All Bug Bounty Programs in 5 Minutes by Luke Stephens (@hakluke)

This is a great tutorial on how to set up an automated subdomain takeover scanner “Franz-Rosén style”. The author uses subfinder to find subdomains and Subover to check for subdomain takeover, but you could easily modify the BASH script suggested to add other subdomain tools (like Amass or Massdns).

2. Writeup of the week

Remote Code Execution on a Facebook server by Daniel Le Gall (@Blaklis_)

Daniel Le Gall found a Facebook Django server with debug mode enabled. Sometimes stacktraces are not directly exploitable but in this case, Daniel noticed interesting environment variables that allowed him to forge his own session and therefore execute arbitrary commands on the server. From “technical information disclosure” to RCE, for $5,000!

3. Tool of the week

FindSubDomains: Online tool for subdomains lookup

I’m still playing with this site to determine if it adds value to my current process for finding new subdomains. But this is a nice tool anyway because it allows you to quickly obtain a list of subdomains for when you’re in a hurry or do not have a good network connection to run tools like Amass or Massdns.

4. Tips of the week

Unusual cases of reflected XSS by Mikhail Klyuchnikov (@__Mn1__)

These two unsual reflected XSS cases are nice examples of thinking out of the box to find new XSS flaws on sites that are being tested by myriads of other bug hunters.

In the first case, the Referer header had to match a specific format.
In the second case, a value based on the User-Agent was calculated on-the-fly and sent as a GET parameter for the request to pass. Mikhail created a PHP script which retrieves the victim’s User-Agent, gets the corresponding GET parameter value before redirecting the victim to the vulnerable page. He didn’t share the PHP script’s source code (unless I missed it!) but here is an XSS challenge replicating the same behavior: http://infosec.gearhostpreview.com/9p9ch/.

5. Non technical item of the week

Prioritizing and choosing a program to focus on by HackerOne

The question of choosing a bug bounty program is critical. I used to hesitate a lot and bounce from a program to another without exploring any one deep enough. But the most interesting bugs require good knowledge of the target app!

This blog post is helpful if you too are hesitant when choosing a target: It presents criteria to find the right programs based on your personal goals.

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts

Slides only

• Secrets of Google VRP
• XML External Entity (XXE) Attacks

Tutorials

Medium to advanced

• Subdomain Takeover: Finding Candidates
• ImageMagic RCE
• AV Evasion
• Stealing 2FA Tokens on Red Teams with CredSniper
• Gone Phishin’ - An Attacker’s Perspective & Solutions

Beginners corner

• The Hidden face of Google Caching
• Active Directory Penetration Dojo- Setup of AD Penetration Lab : Part 2
• Open Redirect Vulnerability
• Finding The Real Origin IPs Hiding Behind CloudFlare or TOR
• SQLi Without Quotes
• Gaining Shell using Server Side Template Injection (SSTI)

Writeups

• SOLEO IP Relay - Vulnerability Report
• The dark side of XSS and hacking into Password Vault
• Bug or Backdoor - Exploiting a Remote Code Execution in ISPConfig
• How I Hacked BlackHat 2018
• Edge mixed content security policy bypass

Got 10k$(initial+final payments) for IDOR via graphql request. It was possible to change some information on all https://t.co/DfO7jgfFjB personal pages.#BugBounty pic.twitter.com/Crw5GJkylQ

— lalka (@0x01alka) August 23, 2018

Site wide XSS public: https://t.co/gMW9LMmFSh (They provide bounties)
POC: https://t.co/01gzygsEeS

Them response: pic.twitter.com/QChs0KF7N3

— Jamesclyde90 (@jamesclyde90) August 22, 2018

Tools

• Useless CSP: List of sites with misconfigured CSP headers
• nmap-parse-output: A tool for analyzing Nmap scans
• SSH Auditor: The best way to scan for weak ssh passwords on your network
• Scrounger: iOS and Android mobile application penetration testing framework
• quick-hits.php: A small PHP script to quickly find files in a given host list (by @gwendallecoguic)
• Apache-Struts-v3: Script to exploit 3 ApacheStruts RCE vulnerabilities

Misc. pentest & bug bounty resources

• How I did not get a shell
• Bug Bounty Guide
• Scanning the Alexa top 1M sites for Dockerfiles
• Disclose.sh: A platform which allows independent security-researchers to submit vulnerabilities found on the Web
• Professionally Evil Web App Pen Testing 101 Course: Free introductory course to Web app pentesting

Non technical

• DOs and DON’Ts of Pentest Report Writing
• Life as a Bug Bounty Hunter: A Struggle Every Day, Just to Get Paid
• From Dev to InfoSec Part 1 – The Journey Begins
• Improve Credential Sharing with Hacker Email Aliases

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 08/17/2018 to 08/24/2018

Have a nice weekend folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…