There are different ways to hunt for vulnerabilities, depending on your knowledge, your skills, your expectations and how you like to chase. I personally love programming and, as a true developer, I'm lazy, so I love to automate things. By writing some pieces of code or by combining multiple tools, you can find a lot of interesting stuff. This article is about some scripts/tricks I wrote/use to perform massive tests:

  • XSS with PhantomJS
  • Heroku subdomain takeover
  • Amazon S3 buckets theft
...

HackerOne recently released a CTF created by Jobert Abma. Even if I didn't complete the challenge, it was so exciting and I was so close to the solution that I wanted to share a writeup. Here is the tweet that triggered the war:

“Hackers, hack your way to NYC this December for h1-212! An engineer of http://acme.org launched a new server for a new admin panel. He is completely confident that the server can’t be hacked, so he hid a flag. Details: https://www.hackerone.com/blog/hack-your-way-to-nyc-this-december-for-h1-212 …. #TogetherWeHitHarder”

And here is the full description:

“An engineer of acme.org launched a new server for a new admin panel at http://104.236.20.43/. He is completely confident that the server can’t be hacked. He added a tripwire that notifies him when the flag file is read. He also noticed that the default Apache page is still there, but according to him that’s intentional and doesn’t hurt anyone. Your goal? Read the flag!”

...

Here is the way I usually follow to test a WordPress install.

Information gathering

Get basic information with WPScan:

wpscan -r --enumerate u --url http://www.example.com

If it can't retrieve the user list, try the provided script stop_user_enumeration_bypass.rb. For each user found, try to brute-force with basic passwords:

wpscan -r --url http://www.example.com --wordlist /Wordlists/Passwords/best1050.txt --username <username>

If the version of WordPress has been found, download it from the official archive directory: https://wordpress.org/download/release-archive/

Open the tested website and take a look at the source to find these strings: wp-content/themes and wp-content/plugins. This could reveal more themes/plugins.
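As an added example (not code from the original post), here is a small Python helper that does this source inspection automatically: it pulls the theme and plugin slugs out of a page's HTML, together with any ?ver= hints WordPress appends to enqueued assets, so a site owner can check what their own pages expose. The sample HTML, slugs and version numbers are constructed.

```python
import html
import re
from typing import Dict, Set

# Asset URLs under wp-content/themes/<slug>/ or wp-content/plugins/<slug>/;
# group 3 keeps the rest of the URL so a ?ver= query hint can be parsed.
ASSET_RE = re.compile(r"wp-content/(themes|plugins)/([A-Za-z0-9_.-]+)/([^\s\"'<>]*)")
# WordPress appends ?ver=<version> to enqueued scripts and stylesheets.
VER_RE = re.compile(r"[?&]ver=([0-9A-Za-z.-]+)")


def extract_wp_components(page_source: str) -> Dict[str, Dict[str, Set[str]]]:
    """Map 'themes'/'plugins' -> slug -> set of ?ver= values seen for that slug."""
    found: Dict[str, Dict[str, Set[str]]] = {"themes": {}, "plugins": {}}
    # Attribute values may carry &amp; instead of &, so unescape before matching.
    for kind, slug, rest in ASSET_RE.findall(html.unescape(page_source)):
        versions = found[kind].setdefault(slug, set())
        match = VER_RE.search(rest)
        if match:
            versions.add(match.group(1))
    return found


# Constructed sample page source; the slugs and versions are made up.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/sample-theme/style.css?ver=4.9" />
<script src="https://www.example.com/wp-content/plugins/example-forms/js/scripts.js?ver=4.9.2"></script>
<script src="/wp-content/plugins/example-forms/js/form.min.js?ver=3.51.0-2014.06.20"></script>
<img src="/wp-content/plugins/example-gallery/img/logo.png">
<script src="/wp-content/themes/sample-theme/assets/js/global.js?v=1&amp;ver=1.0"></script>
"""

if __name__ == "__main__":
    for kind, slugs in extract_wp_components(SAMPLE_HTML).items():
        for slug, versions in sorted(slugs.items()):
            print(f"{kind[:-1]}: {slug}  versions: {', '.join(sorted(versions)) or '?'}")
```

Feed it the saved source of a page (curl output works) instead of SAMPLE_HTML to inventory a real install.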

...

I already wrote a post about Amazon S3 buckets, but they have become so popular these last weeks that many people are explaining what a bucket is, what the danger is and how to exploit misconfigurations. My goal here is something more: how/where to find those vulnerable buckets.

First, I assume you already know the basics; if not, you can read the excellent article by Frans Rosen on Detectify.

...

Project

  • Find Amazon S3 buckets:
    s3-buckets-bruteforce /opt/SecLists/mine/s3-buckets.txt <project>-
    if found: s3-buckets-extractor <bucket>
  • Explore GitHub account:
    github-search -o <project> -r 1000 -s password
    gitrob analyze quizlet --no-color --no-server
...