Bug bounty Tips
Cybersecurity enthusiast | Helping secure the digital world | Web App Tester | OSINT Specialist. Admin: @laazy_hack3r
Repost from CVE Notify
CVE-2024-24043
Directory Traversal vulnerability in Speedy11CZ MCRPX v.1.4.0 and before allows a local attacker to execute arbitrary code via a crafted file.
@cveNotify
Achieve Remote Code Execution (RCE) on Parasoft Development Testing Platform (DTP) server.
1. Discovered Parasoft DTP login page at https://dtp.xboy.me:8443 using Shodan search. (Image 2 - Login page)
2. Found default credentials admin:admin from Google search.
3. Logged in successfully and reached Team Server dashboard. (Image 1 - Dashboard)
4. Spent time researching for vulnerabilities, but found nothing useful.
5. Decided to try uploading a custom WAR file to the "Manage Plugins" page. (Image 3 - Manage Plugins)
6. Created a simple "Hello World" web application locally using Docker and Tomcat:
- Dockerfile: echo "FROM tomcat:8.5.3" >> Dockerfile
- Build image: docker build -t my-tomcat .
- Run container: docker run -d -p 8080:8080 --name my-tomcat-container my-tomcat
- Create webapp files (index.jsp, web.xml). (Image 4 - Creating local webapp)
- Package to WAR: jar -cvf helloworld.war *
- Deploy to container: docker cp helloworld.war my-tomcat-container:/usr/local/tomcat/webapps/ (Image 5 - Deploying local webapp)
7. Uploaded the .war file to the DTP server via the "Manage Plugins" page.
8. Found that uploaded plugins were accessible at https://dtp.xboy.me:8443/plugin/*
9. Created a web shell JSP file, packaged it into a WAR, uploaded it, and verified RCE! (Image 6 - Web shell)
10. With RCE, could potentially "own the instance and escalate to other internal corp networks and web apps." (Image 7 - RCE impact)
11. Reported the vulnerability to the program. (Image 8 - Report feedback)
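A check a defender could run on an uploaded plugin archive before it is deployed, covering both the arbitrary-WAR upload in the writeup above and the crafted-file traversal class in the CVE post: this is an added example, not code from the writeup or from Parasoft, and the archive contents, entry names and API pattern list are constructed for illustration.

```python
import io
import zipfile

# Hypothetical pattern list for this example: Java APIs that spawn OS processes.
SHELL_APIS = ("Runtime.getRuntime().exec", "ProcessBuilder")


def build_sample_war(entries):
    """Build an in-memory WAR (a zip archive) from {path: text}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


def vet_war(war_bytes):
    """Return (kind, detail) findings: unsafe entry paths, server pages, process-spawning APIs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Zip-slip style entries would escape the deployment directory on extraction.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(("unsafe-path", name))
                continue
            # Any JSP in a "plugin" is server-side code that runs with the server's privileges.
            if name.lower().endswith((".jsp", ".jspx")):
                findings.append(("server-page", name))
                text = zf.read(info).decode("utf-8", errors="replace")
                for api in SHELL_APIS:
                    if api in text:
                        findings.append(("process-spawn", f"{name}: {api}"))
    return findings


# Constructed samples: a static "hello" page, and a plugin with a traversal entry and a JSP
# that spawns a process (a fixed command here; the check only looks for the API).
BENIGN_WAR = build_sample_war({
    "WEB-INF/web.xml": "<web-app/>",
    "index.jsp": "<html><body>Hello World</body></html>",
})
SUSPECT_WAR = build_sample_war({
    "../../conf/tomcat-users.xml": "<tomcat-users/>",
    "tools/run.jsp": '<% new ProcessBuilder("uptime").start(); %>',
})

if __name__ == "__main__":
    for label, war in (("benign", BENIGN_WAR), ("suspect", SUSPECT_WAR)):
        print(label, vet_war(war))
```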
"The Bug Hunter Methodology v4: Recon Edition" and I must say that I learn new things every time I watch the recording.
While I recommend you all to watch the talk, I've also captured short notes which might help you.
Here's my notes summarized:
1. Choose a large scope target (*.target.com). A few targets also mention that hosts verifiably owned by the company are in scope as well.
2. For this target, you can find subdomains/seed domains/assets in a variety of ways. This includes
- Finding ASNs using https://bgp.he.net. Once we have ASNs, we can use Amass in intel mode to discover seed domains.
- Acquisitions: A company's acquisitions can be found on sources such as Crunchbase, LinkedIn, Wikipedia and other sources online.
- Tools like https://whoxy.com can also be used to find seed domains by performing reverse whois
- https://builtwith.com can be used to discover assets related to a target via linked discovery.
- Google dork for unique legal parts of the target - eg. Copyright Text to find more subdomains. Also perform Shodan dorking to find interesting information.
- Recursively crawl for subdomains not only from HTML pages but also JS files using tools like GoSpider, Hakrawler, Subscraper and Burpsuite.
- Tools like Subdomainizer also help in extraction of HTML/JS links, API keys, S3 buckets and more.
- Subdomain enumeration: Amass, Google Dorking, Subfinder
- Scripts like https://github.com/gwen001/github-search and https://github.com/incogbyte/shosubgo also help scrape subdomains from Github and Shodan
- Domain names from certificates can also be obtained from tools like Masscan and https://tls.bufferover.run
- For subdomain bruteforcing, you can use tools such as Amass, Massdns. Use any wordlist that is large enough such as SecLists while doing subdomain bruteforcing
- Altdns can be used when there are patterns in subdomains such as http://dev.company.com, http://dev1.company.com, http://dev2.company.com etc.
3. Once subdomain enumeration is done, we can proceed with port scanning. To do this
- Run masscan to discover open ports on IP ranges.
- Run NMAP on masscan results
- Use brutespray to check the above for remote admin services that use default credentials.
4. To look for sensitive data from GitHub, Jason recommends checking this video out: https://youtube.com/watch?v=l0YsEk_59fQ
5. For screenshotting (domains that may/may not have HTTP(S) exposed), we can use tools such as:
- Eyewitness
- Aquatone
- HTTPScreenshot
6. To check for subdomain takeover, we can use this repo: https://github.com/EdOverflow/can-i-take-over-xyz and also Nuclei.
7. For better performance, we can use Interlace which wraps simpler tools to make them effectively multithreaded. Interlace: https://github.com/codingo/Interlace
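Step 6's takeover check, as a defender would run it over their own zone: an added example, not code from the talk or from the tools named above. The zone snapshot, the NXDOMAIN set and the service-suffix table are constructed; a real run would load the can-i-take-over-xyz fingerprints and use live DNS lookups for the target resolution.

```python
import re

# Constructed, illustrative subset of services whose unclaimed hostnames return NXDOMAIN.
TAKEOVER_SUFFIXES = {
    ".herokuapp.com": "Heroku app",
    ".s3.amazonaws.com": "AWS S3 bucket",
    ".github.io": "GitHub Pages",
}

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$", re.IGNORECASE)


def parse_cnames(zone_text):
    """Parse 'owner TTL IN CNAME target' lines into {owner: target}, lower-cased, no trailing dot."""
    cnames = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            cnames[m.group(1).rstrip(".").lower()] = m.group(2).rstrip(".").lower()
    return cnames


def final_target(name, cnames, max_hops=8):
    """Follow CNAME chains inside the snapshot (bounded, so a loop cannot hang the check)."""
    hops = 0
    while name in cnames and hops < max_hops:
        name = cnames[name]
        hops += 1
    return name


def dangling_candidates(zone_text, nxdomain_targets):
    """Return (owner, final target, service) for CNAMEs ending at an unclaimed provider name."""
    cnames = parse_cnames(zone_text)
    findings = []
    for owner in sorted(cnames):
        target = final_target(owner, cnames)
        service = next((s for suf, s in TAKEOVER_SUFFIXES.items() if target.endswith(suf)), None)
        if service and target in nxdomain_targets:
            findings.append((owner, target, service))
    return findings


# Constructed zone snapshot and constructed resolver results (names that returned NXDOMAIN).
ZONE = """
www.example.com.     300 IN CNAME cdn.example.com.
cdn.example.com.     300 IN CNAME dexample.cloudfront.net.
dev.example.com.     300 IN CNAME old-app.herokuapp.com.
legacy.example.com.  300 IN CNAME dev.example.com.
blog.example.com.    300 IN CNAME acme.github.io.
assets.example.com.  300 IN CNAME acme-static.s3.amazonaws.com.
"""
NXDOMAIN = {"old-app.herokuapp.com", "acme-static.s3.amazonaws.com"}

if __name__ == "__main__":
    for finding in dangling_candidates(ZONE, NXDOMAIN):
        print(finding)
```

The chained `legacy` record is flagged through `dev`, which a check that only inspects the first CNAME hop would miss.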
Darkweb Facts vs. Myths
The dark web is shrouded in myths and misconceptions, leading many to believe it is an illegal, unsafe, and crime-ridden space accessible only to tech experts. However, these notions are not entirely accurate.
In reality, the dark web presents a more complex landscape, with both lawful and unlawful activities coexisting. To gain a deeper understanding of the facts surrounding the dark web, we invite you to explore our enlightening blog post. It will help you see the dark web in a new way and understand that it's not all one thing.
Content: https://www.hackingvidhya.tech/2024/03/dark-web-facts-and-myths.html
Repost from [channel name unreadable in source]
WAF checks
# https://github.com/EnableSecurity/wafw00f
wafw00f -i websites.txt
# IP Wafs/CDN lists
https://github.com/MISP/misp-warninglists