Bug Bytes #56 – Pwning A Pwned Citrix, Upgrading Your Recon with Discord & Tip of the week by @jobertabma
By Intigriti
February 5, 2020
Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The first series is curated by Mariem, better known as PentesterLand. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the week from 24 to 31 of January.
Our favorite 5 hacking items
1. Tip of the week
Awesome IDOR technique by @jobertabma! The idea is to replace an ID with one that does not exist yet (e.g. ID+1). Wait for ID+1 to exist and see if you can access its information.
Now to revisit old programs to test for potentially missed IDORs/info disclosures…
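To make the tip concrete from the defender's side, here is an added example (not from the newsletter, and all names, ids and users in it are hypothetical): a toy invoice store with a lookup that only authenticates the caller, next to one that also checks ownership. `run_scenario` replays the tip against each handler: request ID+1 before it exists, let another user create it, request it again.

```python
"""Toy invoice API showing why sequential ids are worth testing the way the tip
describes, and the object-level authorization check that closes the gap.
Added example; the store, users and ids are all hypothetical."""
from itertools import count
from typing import Dict, Optional, Tuple


class Invoice:
    def __init__(self, invoice_id: int, owner: str, amount: float):
        self.id, self.owner, self.amount = invoice_id, owner, amount


class InvoiceStore:
    def __init__(self) -> None:
        self._next_id = count(1)            # sequential, guessable ids
        self._rows: Dict[int, Invoice] = {}

    def create(self, owner: str, amount: float) -> Invoice:
        inv = Invoice(next(self._next_id), owner, amount)
        self._rows[inv.id] = inv
        return inv

    def fetch_vulnerable(self, requester: str, invoice_id: int) -> Tuple[str, Optional[Invoice]]:
        # Authenticates the caller but never checks that the record is theirs.
        inv = self._rows.get(invoice_id)
        return ("200", inv) if inv else ("404", None)

    def fetch_hardened(self, requester: str, invoice_id: int) -> Tuple[str, Optional[Invoice]]:
        # Object-level authorization: look the record up *and* verify ownership.
        inv = self._rows.get(invoice_id)
        if inv is None or inv.owner != requester:
            # Same response whether the id is unused or belongs to someone else,
            # so "request ID+1 now, request it again later" observes no change.
            return ("404", None)
        return ("200", inv)


def run_scenario(fetch_name: str) -> Tuple[str, str]:
    """Replay the tip against one handler ("fetch_vulnerable" or "fetch_hardened")
    and return (status before ID+1 exists, status after another user created it)."""
    store = InvoiceStore()
    fetch = getattr(store, fetch_name)
    mine = store.create("tester", 10.0)        # tester owns id 1
    before, _ = fetch("tester", mine.id + 1)   # id 2 does not exist yet
    store.create("victim", 99.0)               # later, another user creates id 2
    after, _ = fetch("tester", mine.id + 1)
    return before, after


if __name__ == "__main__":
    print("vulnerable:", run_scenario("fetch_vulnerable"))  # ('404', '200')
    print("hardened:  ", run_scenario("fetch_hardened"))    # ('404', '404')
```

The hardened handler deliberately answers 404 rather than 403 for someone else's record: a 403 would still confirm that ID+1 now exists, which is exactly the signal the tip looks for.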
2. Writeup of the week
This is an excellent writeup on Shitrix (CVE-2019-19781). It shows how to exploit the vulnerability “manually” when public exploits are not working. In this case, the NOTROBIN malware had infected the target and made changes to prevent other exploitation attempts.
Knowing how to bypass it can be helpful for penetration tests.
3. Podcast of the week
Yay! My favorite bug bounty podcast is back, with @0xacb this time. No spoilers, let’s just say that it is worth listening to if you’re into bug bounty and want to know how to reach “cosmic brain level 10”.
4. Articles of the week
– Samesite by Default and What It Means for Bug Bounty Hunters
The first article is awesome work but will break a few hearts! It explains the impact of Samesite cookies beyond CSRF. Many other client-side bugs are affected including Clickjacking, XSSI, XSLeaks, Cross-Site WebSocket Hijacking…
The second article is an awesome interview with @EdOverflow. Among other things, he shares insight on finding logic flaws and discovering “goldmines” (untapped areas of research).
5. Tutorial of the week
This is a great tutorial on leveraging Discord WebHooks for automated recon. This feature makes it easy to send notifications to Discord from Bash scripts.
A subdomain monitoring example is also given. It has never been so easy!
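As an added example of the monitoring pattern the tutorial describes (this is not the tutorial's own script, and the file name, bot name and `DISCORD_WEBHOOK_URL` environment variable are assumptions), here is a small Python monitor: it diffs a fresh scan against the names already seen, builds the JSON body a Discord webhook expects (`content`, capped at Discord's 2000-character limit) and posts it only when a webhook URL is configured.

```python
"""Subdomain monitor that reports newly seen names to a Discord webhook.
Added example, not the tutorial's own script. The webhook URL is read from the
DISCORD_WEBHOOK_URL environment variable (an assumption); nothing is sent without it."""
import json
import os
import urllib.request
from pathlib import Path
from typing import Dict, Iterable, List, Optional

DISCORD_CONTENT_LIMIT = 2000  # Discord rejects a "content" field longer than this


def load_known(path: Path) -> set:
    """Previously seen subdomains, one per line, case-folded."""
    if not path.exists():
        return set()
    return {ln.strip().lower() for ln in path.read_text().splitlines() if ln.strip()}


def save_known(path: Path, names: Iterable[str]) -> None:
    path.write_text("\n".join(sorted(set(names))) + "\n")


def new_subdomains(known: Iterable[str], scanned: Iterable[str]) -> List[str]:
    """Names present in the current scan but not in the known set (sorted, normalised)."""
    current = {s.strip().lower() for s in scanned if s.strip()}
    return sorted(current - set(known))


def build_discord_payload(domain: str, new_names: List[str]) -> Optional[Dict[str, str]]:
    """JSON body for the webhook, or None when there is nothing to report."""
    if not new_names:
        return None
    header = f"**{len(new_names)} new subdomain(s) for {domain}**"
    body = "\n".join([header] + [f"- {n}" for n in new_names])
    if len(body) > DISCORD_CONTENT_LIMIT:
        body = body[: DISCORD_CONTENT_LIMIT - 20].rstrip() + "\n... (truncated)"
    return {"content": body, "username": "subdomain-monitor"}


def post_to_discord(webhook_url: str, payload: Dict[str, str]) -> int:
    """POST the payload as JSON; returns the HTTP status code."""
    req = urllib.request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "User-Agent": "subdomain-monitor/1.0"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def run_once(domain: str, scanned: Iterable[str], state_file: Path,
             webhook_url: Optional[str] = None) -> List[str]:
    """One monitoring pass: diff, notify if configured, persist the updated known set."""
    known = load_known(state_file)
    new = new_subdomains(known, scanned)
    payload = build_discord_payload(domain, new)
    if payload and webhook_url:
        post_to_discord(webhook_url, payload)
    save_known(state_file, known | set(new))
    return new


if __name__ == "__main__":
    # Constructed scan result standing in for the output of a subdomain enumeration tool.
    SCAN = ["www.example.com", "api.example.com", "Staging.example.com"]
    print(run_once("example.com", SCAN, Path("known_subdomains.txt"),
                   os.environ.get("DISCORD_WEBHOOK_URL")))
```

Run it from cron after your enumeration step and feed the tool's output into `run_once`; the first pass seeds the state file, every later pass reports only the delta. Keep the webhook URL out of the script and out of version control, since anyone holding it can post to the channel.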
Other amazing things we stumbled upon this week
Videos
HackTheBox – AI: A cool out of band SQL Injection using “Speech To Text”
@STÖK Talks About Team Disturbance, Getting Started With Bug Bounties, and Live Hacking Events!
How to Start a Career in Cyber Security with The Cyber Mentor
Podcasts
How the Innocent Lives Foundation Uses OSINT to Uncover Online Predators
Security Weekly News #8 – Coronavirus, Ragnarok Ransomware, Ned In The Basement, Cisco
Webinars & Webcasts
Conferences
Slides only
Owning the cloud through SSRF and PDF generators – Public v2
An Opinionated Guide to Scaling Your Company’s Security & Twitter thread
NullHyd Jan Meetup Talk on Chaining bugs and Writing single click Exploits
Tutorials
Medium to advanced
Beginners corner
Writeups
Challenge writeups
Pentest writeups
Responsible(ish) disclosure writeups
Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure (Part I) & Part II #Web #Cloud
xmlrpc-common deserialization vulnerability (CVE-2019-17570) #Web
CVE-2020-1925: Requests to arbitrary URLs in Apache Olingo #Web #CodeReview
Validating the SolarWinds N-central “Dumpster Diver” Vulnerability #DesktopApp
Picking apart an IOT Camera (Bloomsky) #Web #IoT
Code injection in Workflows leading to SharePoint RCE (CVE-2020-0646) #RCE #Web
LPE and RCE in OpenSMTPD (CVE-2020-7247) #RCE #SMTP
High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin #Web
Bug bounty writeups
Race Condition allows redeeming gift cards multiple times, which leads to free “money” on Reverb.com ($1,500)
Account take over of ‘light’ starbuckscardb2b users on Starbucks
Improper Input Validation | Add Custom Text and URLs In SMS sent by Snapchat | Bug Bounty POC ($1,000)
See more writeups on The list of bug bounty writeups.
Tools
If you don’t have time
Go-pillage-registries & Introduction: Pentester-focused Docker registry tool to enumerate and pull images
Shodomain: Shodan subdomain finder
Flamingo & Introduction: Go tool for capturing credentials sprayed across the network by various IT and security products
More tools, if you have time
Wordlistgen: Quickly generate context-specific wordlists for content discovery from lists of URLs or paths
Burp-teams: A Burp extension to enable teams of people to share repeater tabs and data
XSS tag_event analyzer: Python script for detecting valid tags/events on XSS exploitation
GoLinkFinder: A fast and minimal JS endpoint extractor
Dom-red: Python script to check a list of domains against open redirect vulnerability
Chain Reactor & Introduction: Open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints
StickyReader & Introduction: Powershell script to read Sticky Notes from compromised Windows 10 hosts
Socialscan: Check email address and username availability on online platforms with 100% accuracy
Prettyloot: Convert the loot directory of ntlmrelayx into an enum4linux like output
Red_Team: Some scripts useful for red team activities
TikTokOSINT: Python script that dumps public data of any user
MoveKit, StayKit & Introduction: Cobalt Strike lateral movement & persistence kits
Misc. pentest & bug bounty resources
Alternatives to Extract Tables and Columns from MySQL and MariaDB
Kompar & Choosing the right static code analyzers based on hard data
Priv2Admin: Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS
Articles
Internet Explorer mhtml: – Why you should always store user file uploads on another domain
How to decrypt WhatsApp end-to-end media files, whats-enc.py & WhatsApp Media Decrypt
News
Bug bounty & Pentest news
Burp Suite Pro / Community 2020.1 released, with major enhancements to HTTP message editor and more
HTTP Request Smuggler now supports overriding the request method!
Kali Linux 2020.1 Release: Non-Root users by default now
Microsoft launches Xbox bug bounty program with rewards of up to $20,000
In the line of fire: Will California’s AB5 labor law cause havoc for cybersecurity consultants?
Reports
Vulnerabilities
LoRaWAN networks are spreading but security researchers say beware
Serious Security – How ‘special case’ code blew a hole in OpenSMTPD
200K WordPress Sites Exposed to Takeover Attacks by Plugin Bug
Breaches & Attacks
Wawa’s massive card breach: 30 million customers’ details for sale online
Breach at Indian airline SpiceJet affects 1.2 million passengers
Five Years Later, Ashley Madison Data Breach Fuels New Extortion Scam
Ragnarok Ransomware Targets Citrix ADC, Disables Windows Defender
Iranian hackers target US government workers in new campaign
Other news
Avast Shuts Down Jumpshot After Getting Caught Selling Users’ Data
Government Report Reveals Its Favorite Way to Hack iPhones, Without Backdoors
Ring Android App Sent Sensitive User Data to 3rd Party Trackers
First MageCart Hackers Caught, Infected Hundreds of Web Stores
Facebook knows a lot about your online habits – here’s how to stop it
Google now charges the government for user data requests, report says
Non-technical
How to Hack Your Employees With a Phishing Simulation Campaign
Making Mr. Robot: Jeff Moss on the push for authenticity in award-winning hacker show
What’s the difference? Information Assurance vs Information Security vs Cyber Security
Tweeted this week
We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 01/24/2020 to 01/31/2020.
The views and opinions expressed in this article are those of the curators and do not necessarily reflect the position of intigriti.
Curated by Pentester Land & Sponsored by Intigriti