Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 26 of July to 02 of August.

Our favorite 5 hacking items

1. Tool of the week

Ghostwriter is a new project management & reporting engine by SpecterOps. It is open source and free and has a lot of interesting features:

Client management: for tracking your pentest clients & the information like points of contact, project history, notes…

Project management: for information like the type of project (pentest, vulnerability assessment, etc), start & end dates, the team assigned to the project…

Infrastructure management: for tracking and monitoring the domain names & servers you use for the project (like C2 servers)

Reporting engine: to generate reports in different formats (JSON, docx, xlsx & pptx) with support for template keywords

Automation: running tasks in the background, released C2 domains at the end of a project & Slack notifications

These are just some functionalities. Ghostwriter is an excellent tool for pentest teams and red teams.

2. Writeup of the week

I’m always interested in writeups about bugs chained together for a higher impact. This one is a good example of reflected XSS and Cache poisoning combined, which means that the XSS becomes stored.

The writeup itself brings many lessons such as:

Drupal has many known misconfigurations. So a CMS being used doesn’t mean there are no bugs!

Drupal’s internal caching system is enabled by default

To find out if caching is enabled, look for the x-drupal-cache response header

To find input that gets reflected in the response, try the X-Original-URL and X-Rewrite-URL headers, or parameter bruteforcing

3. Challenge of the week

This is @dijininja’s latest Web challenge. It’s a Github repo that has many sensitive information disclosures.

At first sight, it looks empty (except for the README file and a solutions file). So this is an interesting challenge for beginners who want to learn about information leaks, where to look for interesting information in Github repositories (beyond the visible files), how to use tools like Gitrob & truffleHog, etc.

4. Article of the week

Most port scanning tutorials for bug hunters recommends using Masscan to get a list of open ports, then re-scanning these same ports with Nmap to get their exact version.

The problem with this method is that Masscan can miss many open ports. Nmap is more accurate but so much slower when the testing range is large.

So what’s the solution? This is the question that @CaptMeelo tried to answer by doing some benchmarking.

His conclusion: Run 2 or 3 concurrent Masscan jobs with all 65535 ports split into 4-5 ranges. Then run Nmap on the open ports found to get their version.

5. Tutorial of the week

Websites behind a WAF are protected against DDoS and many Web vulnerabilities (XSS, SQLi, CSRF…). If you can entirely bypass a WAF and speak directly to your target’s servers, you will be able to go faster and test for more vulnerabilities. WAF bypass provides an edge to Web app pentesters and bug hunters.

This article by @gwendallecoguic is an excellent introduction to this topic. It provides several techniques for detecting the real IP address of a server, as well as tools for automation and resources to go further.

Other amazing things we stumbled upon this week

Videos

Podcasts

Webinars & Webcasts

Slides only

Tutorials

Medium to advanced

Beginners corner

Writeups

Challenge writeups

Pentest writeups

Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.

If you don’t have time

Cloudcheck: Checks using a test string if a Cloudflare DNS bypass is possible using CloudFail

Goop: Proof of concept for bypassing Google search rate limiting CAPTCHA (remember, scraping Google search results is illegal!)

Pyrobots: a tool that reads “robots.txt” file and append each path to the domain/subdomain you entered

Atomic-Caldera: Plugin for @MITREattack’s Caldera framework. It makes it easier to convert @redcanaryco’s Atomic Red Team tests to be used with Caldera

LURE: User Recon Automation for GoPhish

Wordlistctl: Fetch, install and search wordlist archives from websites and torrent peers

Ipdiscover

Gowhois: whois command implemented by golang with awesome whois servers list

Inveigh: Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool

Misc. pentest & bug bounty resources

Challenges

Disobey 2020 Puzzle: “Solve the Disobey puzzle and you may get access to a special discounted hacker ticket”

Articles

News

Bug bounty & Pentest news

Reports

Vulnerabilities

Breaches & Attacks

Other news

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 07/26/2019 to 08/02/2019.

Curated by Pentester Land & Sponsored by Intigriti

Have a nice week folks!

If you want to be notified when new articles (including this newsletter) are published, you can subscribe to this blog.

And if you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…

Share this article

v