Here’s a few of the interesting and useful articles and tools that I’ve come across last week.
Articles and news:
Thick client: The attacking databases the fun/easy way
I was recently looking at a desktop application of a large security firm which manages the security of various large buildings around the UK……
50 Million Facebook accounts breached
Bugs in 2 features enabled mass harvest of single sign on tokens
UK Conservative party conference app leaks MP’s details
From the party that is pushing for back doors to encryption…
Security researchers spot first ever UEFI rootkit in the wild
Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe
Don’t put your .env files on the internet
This tweet by @svblxyz highlights a google dork that exposes numerous .env files that are leaking credentials
Tools and tech:
This repo contains dumps of Hackerone and Bugcrowd scopes (i.e. the domains that are eligible for bug bounty reports)
Windows privilige escalation guide
Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for.
Hacking with Git: Git-enum metasploit module released
This is release two of three tools from Secarma’s talk “Hacking with git” which was delivered at Glasgow BSides in 2018.
https://github.com/woj-ciech/Danger-zone
Correlate data between domains, ips and email addresses, present it as a graph and store everything into Elasticsearch and JSON files.