Bug Bounty Diaries #5 – Learn From Each Other!

Week #14 was the week I started streaming on Twitch on a regular schedule. I had to find a way to force myself to dedicate a few hours each week to playing CTF’s to improve my skills, what better way to do that than to put a public schedule out there and live-stream everything, creating kind of an accountability community. The first stream started a bit slow but from the second one it already went smooth.

We were working on HackTheBox’s Bashed and on CTFChallenge.co.uk, below you’ll find a digest on the things I have learned doing those challenges (among other things I did to learn last week).

Python & Bash

Now that my personal Methodology is slowly taking shape, I thought it was a good idea to create a script that would automate everything that can be automated. I started working on a Python script that would take over my whole reconnaissance process.

Python Subprocess

I already had experience writing Python tools in the past, but I had used OS to run shell commands, which has been deprecated. I had to learn what was the modern way of running bash commands using Python – Subprocess.

To run terminal commands out of Python script, you can use subprocess.call

subprocess.call(
"echo hello world", shell=True)

Very useful.

Bash – Sorting Files

At the same time, I had to brush up on my Bash skills, sorting the files that come back from the scans and processing them for readability and further use.

To combine multiple text files into one, you can use:

cat subfinder.txt amass.txt assetfinder.txt > subtemp.txt

Simple enough.

Now there will be duplicates and non-alive domains in our initial list. To get rid of dupes and sort things, I use sort and uniq before running HTTPROBE.

After this, I use Tomnomnom’s HTTPPROBE to probe for alive domains, HTTPROBE, however, returns the results with http:// and https:// in front of them, which I’d like to remove for better readability and useability.

To achieve this, we can utilize the sed command to get rid of that. The whole command looks something like this:

sort subtemp.txt | uniq | httprobe | sed 's/https\?:\/\///' > subdomains.txt

I hope you get the idea. I’ll explain my script in more depth when it’s finished.

Real-World Bug Hunting

I have just recently updated the Best Hacking Books list and included Peter Yaworsk’s Real-World Bug Hunting book which I am currently reading. Excellent stuff for beginning Bug Hunters. I didn’t have much time to spend reading last week so I just covered the CSRF Chapter.

CSRF

I’ll paste my raw notes below:

This occurs when an attacker can make a target’s browser send an HTTP request to another website.
Target needs to be previously authenticated on the site.
Successful attack results in account takeover or changing of serverside information
  • Forms without csrf token often vulnerable to csrf
  • Basic Auth Header: Authorization: Basic Qio192SA384jFj3h1ADf <– base64
  • Check for GET requests to make modifications to backend

Tools

I started using FFuf (Fuzz Faster u Fool), which is a very fast Web Fuzzer. The beauty on Ffuf is, you can replay it’s output through Burp. That means, if you do content discovery on a target and pointing it to Burp, Burp will automatically populate your Site Map. I love this. The Syntax to do this would be:

ffuf -c -w /opt/SecLists/all.txt -u https://target.com/FUZZ -replay-proxy http://127.0.0.1:8080

Very useful. Definitely give that a try.

CTFChallenge.co.uk

As I have said previously, we done some CTFChallenge.co.uk on Twitch. Unfortunately, when I started, the easy CTF they had was rated 3/5 in difficulty. This week, they have just released a 1/5 which is great! So I had a little bit of a rough time getting warm with it as the challenge was a bit over my skill level.

Anyway, thanks to @AshF0x and my wonderful Twitch community, I was able to get a few flags regardless.

Cookies

In one of the challenges, there was a cookie being used for a user account that had the value of:

Cookie: X-Mapping-fjhppofk=865275F066A833E2C802F474C6630DC1; token=80e779b9be92a08349c06ed7b2fd9d22; user_id=2; admin=false
By using Burp and simply changing the values user_id and admin I was able to gain administrative access to the site. I have never worked with Cookies before so this was kind of an aha moment for me.
Admin access:
Cookie: X-Mapping-fjhppofk=865275F066A833E2C802F474C6630DC1; token=80e779b9be92a08349c06ed7b2fd9d22; user_id=1; admin=true

To not do this manually each time, one can use Match & Replace in Burp. Simply putting up rules to always change user_id=2 to user_id=1 and admin=false to admin= true, so you have permanent admin authentication on the site. Very cool.

Robots.txt

I found a Robots.txt on the challenge with the following contents:

User-agent: *
Disallow: /secr3t_l0g1n/
By simply navigating to https://www.vulnltd.com/secr3t_l0g1n/ I was able to get another Flag.

Pentesterlabs

I got a Pentesterlabs Pro account for free a couple of days ago and also started doing some of their stuff. They have a lot of Linux Basics and I learned a new command from it:

Grepping for Patterns

We can use grep to search for Patterns. Let’s say a Flag has a specific pattern like Key {4929-2193-3121} or something like this. You could then utilize Grep to search for those Patterns:

find /home -name .bashrc -exec grep key {} \;

Conclusion Week 14

This concludes last week’s stuff I have learned. I learned a ton more probably but I just can’t write everything together each week. I will just put down the most significant stuff. I plan on doing (still) an accompanying YouTube Video to those Blog Posts in the near future.

As always, stay hungry and keep learning. Until next week. Ceo out.

 

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Copy link
Powered by Social Snap