This is a real story or not, that occurred in mid 2017 or not, about a private program or not, on Hackerone or not, believe me or not, but it changed my life. I would like to thank all the people from this company I talked with. They were very nice to me, very fast to fix the bugs, and I always got the rewards in less than 7 days, frequently the day of the report, even for the smallest bugs. Thanks to them; I wish we could find more programs like this one.
There are different ways to hunt for vulnerabilities, depending on your knowledge, your skills, your expectations and how you like to chase. I personally love programming and, as a true developer, I’m lazy, so I love to automate things. By writing some pieces of code or by combining multiple tools, you can find a lot of interesting stuff. This article is about some scripts/tricks I wrote/use to perform massive tests:
- XSS with PhantomJS
- Heroku subdomain takeover
- Amazon S3 buckets theft
Hackerone recently released a CTF created by Jobert Abma. Even if I didn’t complete the challenge, it was so exciting and I was so close to the solution that I wanted to share a writeup. Here is the tweet that triggered the war:
“Hackers, hack your way to NYC this December for h1-212! An engineer of http://acme.org launched a new server for a new admin panel. He is completely confident that the server can’t be hacked, so he hid a flag. Details: https://www.hackerone.com/blog/hack-your-way-to-nyc-this-december-for-h1-212 …. #TogetherWeHitHarder”
And here is the full description:
“An engineer of acme.org launched a new server for a new admin panel at http://22.214.171.124/. He is completely confident that the server can’t be hacked. He added a tripwire that notifies him when the flag file is read. He also noticed that the default Apache page is still there, but according to him that’s intentional and doesn’t hurt anyone. Your goal? Read the flag!”
Here is the process I usually follow to test a WordPress install.
Get basic information with WPScan:
wpscan -r --enumerate u --url http://www.example.com
If it can’t retrieve the user list, try to use the provided script.
For each user found, try a brute-force with basic passwords:
wpscan -r --url http://www.example.com --wordlist /Wordlists/Passwords/best1050.txt --username <username>
If the version of WordPress has been found, download it from the official release archive: https://wordpress.org/download/release-archive/
Open the tested website and take a look at the source to find those strings:
This could reveal additional themes/plugins.
I already wrote a post about Amazon S3 buckets, but they became so popular these last weeks that many people explain what a bucket is, what the danger is and how to exploit a misconfiguration. My goal here goes further: how/where to find those vulnerable buckets.
First, I assume you already know the basics; if not, you can read the excellent article from Frans Rosen on Detectify.