FOMO to JOMO: How to Survive a Downturn Economy

The days of the 100X ARR multiple are over. This past week, a16z published the “Navigating Down Markets” framework and wrote in jest: Continuing our example, a $20M ARR business which last raised at $2B might observe the leading public companies in its space trading at 10x revenue, rather than 100x. Adjusting for the startup’s faster pace of growth, relative to public comps, let’s say that 15x ARR is a reasonable valuation for its next round of funding.

HackerOne's Shot in the ARM

ARM, short for Attack Resistance Management, is the latest buzzword we didn’t know we needed. As part of the next multi-million dollar marketing campaign to push ARM, HackerOne is going all out with the latest iteration of company vision. As revealed in the ARM whitepaper, HackerOne’s full suite of security solutions features not only bug bounty, but also security talent management, continuous reconnaissance, code review, red teaming, dev training, and more.

Bypassing __jsl_clearance_s Cookie To Scrape CNVDs

CNVD is the Chinese vulnerability enumeration scheme to report the latest cyber threats, very similar to CVEs referenced as the standard in the U.S. Although many CNVDs cross over and map directly to CVE IDs as well, there are high-profile vulnerabilities that are exclusively identified by a CNVD ID, such as Ghostcat CNVD-2020-10487 from March 2020. The CNVD (China National Vulnerability Database) is an essential data source to gain a broader perspective on reconnaissance.

How To Scan AWS's Entire IP Range to Recon SSL Certificates

Naffy (nnwakelam) shared in his recent nahamsec interview a creative approach to extend a target’s attack surface. Scan Amazon AWS’s entire IPv4 network space, and match the SSL certificates back to hostnames of your target. Many companies and governments, rather than spinning up assets on their assigned IP blocks (ASNs), increasingly rely on cloud services like Amazon AWS and Microsoft Azure to host their production and development assets. With public cloud infrastructure fast becoming the norm, your reconnaissance will miss out on many assets just by scanning an organization’s private network ranges using tools like Nmap or Shodan.

OneForAll, A Powerful Chinese Subdomain Enumeration Tool

OneForAll is a Chinese recon tool for enumerating subdomains. Chances are you already use OWASP Amass as your primary subdomain enumeration tool; but unlike other instances of tool overlap, OneForAll is a practical supplement to provide an extra edge due to its Chinese context. OneForAll pulls from a multitude of exotic Chinese data sources that other tools typically do not query — FOFA, Baidu Cloud Observation, Gitee, and ChinaZ Alexa, to name a few in its vast collection.

Werkzeug Console PIN Exploit

See Werkzeug “console locked” message by forcing debug error page in the app. The console is locked and needs to be unlocked by entering the PIN. You can find the PIN printed out on the standard output of your shell that runs the server Locate vulernable Werkzeug debug console at path, but is locked by secret PIN number. You can reverse the algorithm generating the console PIN. Inspect Werkzeug’s debug __init__.

Upgrade Default Reverse Shell to Fully Interactive Shell

After reverse shell with netcat listener (e.g. nc -lvp 6969), by default the “dumb shell” is non-interactive and cannot pass special keyboard commands such as tab autocomplete, backspace, arrow keys, etc. To upgrade dumb shell to fully interactive shell, run this python command to get partially interactive shell: python -c 'import pty;pty.spawn("/bin/bash");' <Ctrl-z> in terminal to background netcat. Now with the shell backgrounded, change terminal line settings to type raw and tell it to pass keyboard shortcuts:

Bruteforce MongoDB Credentials with Regex Match Payload

If a login form is vulnerable to NoSQL injection attack, try bypassing authentication with a payload such as: username[$ne]=foo&password[$ne]=foo But explicit login credentials may be required for deeper system access. When this injection vulnerability exists, a regex matching payload could also enumerate the full plaintext password. Here is a Go script to bruteforce admin credentials on a login form that uses MongoDB as a backend. In this example, the script assumes unique HTTP response code of 302 when password regex is matched.

Expose & Decrypt Ruby on Rails credentials.yml.enc

Ruby on Rails is vulnerable to critical information disclosure using the “Accept” header technique (CVE-2019-5418). This can leak the rails app’s secret credentials via directory traversal. Expose master key and encrypted credentials First find a path in the Rails app that uses the render file method. Typically a 404 page implements this to render the view. Read more about the root cause of this vulnerability from chybeta. Using Burp Suite Repeater or curl request, test vulnerabilty by setting header value to Accept: .

Serving PoC Exploits with an HTTP Attack Server

Quickly serve your exploit files with Node.js-based http-server by http-party. After testing several different http server scripts, this one fits my use case the best. It’s easy to deploy (no installation), activitely maintained on github, and provides live verbose logging of incoming requests. The logging is useful especially when you need to exfiltrate data from the victim. How to deploy On your machine/VPS, cd into the directory containing the file(s) you want to serve.