All right. Hello. Can you all hear us okay? Cool. Welcome, welcome. Well, thank you for joining us. We're going to do a quick introduction of who we are as a team, and then we'll have our solo introductions as well. Corben and I have been friends for a while. We've been hacking on bug bounties for a very long time, and we have found some really cool stories that I think are valuable and also very entertaining, I think, that we wanted to share on a big stage. So thank you for joining us. We'll do it quickly. About me: I'm NahamSec. My name is Ben Sadeghipour, but most people online know me as NahamSec. I'm a bug bounty hunter, content creator, and I've been bug bounty hunting since 2015. I'm the former head of hacker education at HackerOne, and I'm the co-founder of HackingHub, and the good news is, with HackingHub, everything that we're going to talk about today you can also try on your own. Just go on their website, give it a try, and make some of this stuff as well. And yeah, I'm a public speaker and a trainer. I'm actually doing a training for DEF CON next week, so if you want to come and learn how I find these crazy things, please join me next week as well. And I've hacked into a bunch of companies, including Apple, Amazon, Zoom, Airbnb, Snapchat, and more, and I think I have more than a thousand submissions on a hundred or more companies so far. And I'm going to let Corben quickly introduce himself, and hopefully we'll take you guys on a good ride of hacks that we have done in the last year.

Well, hey, I'm Corben. Sorry, I'm like four foot two, so you can't see me over this laptop. My bad. So yeah, I'm Corben. I go by CDL on HackerOne. I've been doing bug bounty since like 2016. I like hacking stuff. Also a long story, but I'm a co-founder of a mattress company. So I guess they let anyone in here. So if you want to apply for a talk next year, just put something really random in there, and they might say yes. No, I'm not money laundering.
If you need a mattress someday, you can go over there, or you can tackle my co-founder sitting over there. Yeah, hopefully you guys enjoy this talk. Thanks for coming. Oh, just kidding, I'm back.

So this is a story about hacking an auto manufacturer. They had a bug bounty program. So it started with me scanning their IP range, and by their IP range I mean the entire internet, for SSL certificates. And I found a host, an IP, that had an SSL certificate for just their main domain. And when you would hit it on HTTPS, it would just respond with "backend IP not found." And their SSL certificate was just *.apps.redacted.example.com. And so my main idea is, okay, this is an ingress endpoint. If you look at LinkedIn job postings, et cetera, you can kind of see what sort of services they're using, and my assumption is they're using a lot of microservices. And so a good tip for finding good word lists is to do subdomain enumeration. Also look at, I guess that includes crt.sh. Another good idea is, nowadays everyone's using microservices. So if you look up Helm charts, that's what a lot of people use for Kubernetes, for deploying services. You can scrape 13,000 different Helm charts that have DNS names in them, and you can use that to brute force stuff too. So after some brute forcing, I found a host called configurator-prod.apps.redacted.example.com. And so from there, I knew that this host was hit because I got a different response. It didn't say "backend IP not found"; the response was different and said "path not found" or something, so it's pretty obvious. So basically I did ffuf with that Host header then, and it turns out it was a Spring Boot Actuator, and it was misconfigured. So if you don't know what Spring Boot Actuator is: when it's misconfigured, there's a couple of different endpoints, and so there's /env, which dumps a bunch of environment variables, and then there's /heapdump, which is just like the memory dump of the application.
And so within this, I looked through the environment variables in this /env endpoint, and there were some interesting things, but nothing that was really like the jackpot that I was excited for. In this, though, there was this field called spring.cloud.config.uri, and it had like an OAuth2 endpoint, and it contained the credentials, but the client secret was redacted, because Spring Boot redacts secrets, or it's supposed to. So you can just use the heap dump, run strings on it, and then actually grab, you know, that secret. And so what if we use just those? Like, what can we reach with those OAuth2 credentials? So I grabbed those, and you can actually vhost to, you can actually hit this OAuth2 server externally still, so I hit that and authenticated and got a bearer token back, and then actually, you see the Spring Cloud Config server, you can also vhost to that, and so I vhosted to that and used the bearer token to authenticate to the other internal service, and it turns out it was also Spring Boot Actuator and also misconfigured again, and both endpoints were also, you know, open, and this time, in this environment, there was a field called source URI, and it was pointing to their GitHub instance that was hosted as GitHub Enterprise, and there was a source username and a source password, and that was also redacted, and there was also a private key for the GitHub user. So I hit heap dump again, and I just grabbed the password, and so then I hit their API, just like github.example.com/api/v3/user, with that username and password, and it turns out it was a super overprivileged account, and it had access to every single GitHub organization and every single repository for this auto manufacturer, so it's like all the source code for everything ever, and yeah, that was a fun time, and they paid me $5,000 for that bug, which is like, yeah, dumb.
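The Actuator exposure in the story above comes down to configuration, so here is an added example (not from the talk or from the affected company) of a weak application.yml beside a hardened one. The property names are standard Spring Boot management properties; the port, bind address and endpoint list are assumed values.

```yaml
# Weak (assumed): every actuator endpoint is exposed on the same HTTP port the
# ingress routes to. /actuator/env only masks values whose KEY looks secret
# (password, secret, key, token, credentials ...), and /actuator/heapdump is a
# raw JVM heap that still contains every one of those values unmasked.
management:
  endpoints:
    web:
      exposure:
        include: "*"
---
# Hardened (assumed values): put actuator on its own listener that the ingress
# never routes, expose only what operations needs, disable the heap dump
# entirely, and stop /env and /configprops from returning values at all.
management:
  server:
    port: 8081             # separate management port, not behind the public vhost
    address: 127.0.0.1     # assumption: scraped only by a local agent/sidecar
  endpoints:
    web:
      exposure:
        include: health,info
        # exclude wins over include; listed explicitly so a later "*" cannot
        # silently re-expose them
        exclude: env,heapdump,threaddump,configprops,beans,mappings
  endpoint:
    heapdump:
      enabled: false       # never serve heap dumps over HTTP
    env:
      show-values: never   # Spring Boot 3.x; 2.x can only mask by key name
    configprops:
      show-values: never
    health:
      show-details: when-authorized
```

Key-name masking in /env is not a secret store: anything the process holds in memory (the spring.cloud.config client secret, the source password, the GitHub key) is recoverable from a heap dump, so the heapdump endpoint has to be off, not just hidden behind an unguessable vhost.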
Anyways, and this is another fun story. This is how I found a bug a couple years ago to publish fake news. So I've been doing an unholy amount of virtual host fuzzing, again, against this big media company that shall not be named. We're talking like, I have like thousands of subdomains, like massive word lists, and this was like leading up to a HackerOne live hacking event. And so the day of the event, I was hacking with another hacker named Nafi, and we had found a couple cool bugs, and during the day of the event I found this weird host called like, this is completely redacted, it's like xyzproxy.prod.ka..., whatever you can read, and it responded with a different 404 page than everything else had. And so I started actually brute forcing, and I had no idea what it was doing, but there were a couple endpoints like /create and /update, and so if you hit /create, it just responded with 405 Method Not Allowed, so obviously you just try doing a POST or PUT request instead. So I just tried posting x=x, and it gave me an error; it's not 405 Method Not Allowed, it should be like 405 content type, so it gave me an error saying the content type was wrong. And so I tried JSON instead, and just did like CDL, CDL, and it dumped every known property that should be posted in that JSON body, so it made it really easy. Okay, thanks. And so I spent the next like three hours of the event trying to figure out what this JSON body was really supposed to be, just putting random characters in them, and I just got a bunch more errors, but it was really helpful because it gave me exactly what the error was. And so it gave me an error about not being able to read tags into an array, so it's like, okay, well, tags shouldn't be a string, it should be an array instead, so I just changed that.
Another error was like in the streams tag, it was like A, or I just put A in there, and it said like, oh, base64 decoder, encoder, whatever, and so I was like, okay, let me just put some random base64, I'll just change that to base64, and okay, it worked. But what did it do? I had no idea what this API was doing, and so it was actually really funny: the event ended, and I'm like, dang, I thought there was gonna be a cool bug here. And so I had some drinks, I left Vegas, actually no, I didn't quite leave Vegas, I was sitting in the airport the next morning, and I went back to this. I'm like, okay, well, what is this update endpoint actually doing? And I was really curious about the UID field, so I just went to their main news site and just view-sourced an article and saw a UUID in the meta description. I was like, well, what if I tried specifying that in the update endpoint? There's no way that would actually work, right? So yeah, we posted it, we changed the news article to my name and said "this is a demo release," and by the way, this was like a test on the front page, not a good idea, and it actually worked. So I could just change the news to whatever I want. It was like during an election too, so I thought it'd be really funny to put some shit on there. And then the best part: I wrote this really fast, I got on a plane, and like, what the hell just happened? And then they thought I was working with an insider, and I had to spend like three days writing exactly how I found this issue and how I found everything, so I had to write like a 10-page paper. Actually, I was still in college, so it was just like an extra essay assignment, but they ended up paying for that bug as well. Got to love a good verbose API.

All right, the next one I'm going to talk about is a prison break. This is actually a prison system that is used in a number of different states and a number of different areas that we cannot name also.
This application was originally created for inmates to be able to talk to their friends, talk to visitors, make requests to the people that work at the prison, and also hold things like their social security number, their records, the conversations they've had; you can send photos, everything, their medical records, you name it, it's on this website. And some of it is public record, because if you're a felon, apparently you don't have to do that. But the cool thing is there is some private data that's not supposed to leak. So there's a couple of different assets that are connected to each other that we're going to understand. The first one is app.prisonsystem.fake; we're just going to call it that for security purposes and reasons. They gave me access to this. It was limited functionality; there were some JavaScript files that indicated there was some functionality that I did not have access to. So if you're a felon, you can do that: Shift+Z, it will take you to this page, Shift+F to this page, and so on, you get it. So there's also a limited session, for now at least, that we have access to. So it's very limited on what we can do on this page. And anything that I'd like to access that's leaked in the JavaScript file, this may redirect to the main site that I'm on. So we don't have access to it; I couldn't access anything, and I was just staring at a blank page for this application. So this is kind of what the shortcuts look like. So I hit Ctrl+U, for example, it takes me to the admin site with the users; I hit Ctrl+A, it's the activity on the users; Ctrl+S; and then there's Ctrl+D and N, which is a doc site. So this is a different site. Somehow this session was supposed to carry over, but obviously I probably wouldn't be able to access it, and every time you go to these sites right here, it will take me back to the main site from the last slide, called app.whatever.com.
Well, the JavaScript leaked this thing that said if you hit this site, it will authenticate you to the doc site, so all you have to do is directly go to this API call, and it would redirect you to the doc's website, and then it would give you an authentication token in your request. So it prints it out, it's not heading anywhere, and I was like, oh, okay, like, how am I able to authenticate to this doc site? But originally I didn't have access to it, so the user token makes sense. So what do you do? You just grab that user token and you start throwing things and see if it sticks. So naturally I try to do admin, give it the auth token, nothing works. I try doing /admin, maybe I have to have the right path, doesn't work. But it turns out if you have the right path and the right functionality and then you give it this auth token, it suddenly opens it up, so I can see these settings. But still, what can I do with this information? I want more, I want to know what I have access to. Well, it turns out that I have access to a lot. So I'm doing this thing called reset password, and this is a short version of it, it's fake, but the moral of the story was it took a user ID and a password, and it would give you the new password that you set up, so I can say user ID equals one, password is password1. Cool, we can do that, but the problem was it comes back and it says success. I don't have two things here: I don't have a password, and I couldn't do anything with it. So I go to Twitter, I like crowdsourcing things, I worked at a crowdsourcing platform for a while, so I just posted this tweet. I was like, hey, I can reset passwords, I just don't have any information, how do I log in? And I got a bunch of answers; none of them worked. Well, turns out the answer was in the JavaScript file for me.
There is another thing that I have to do, right? So all I have to do now is I say, okay, I have a password, I have the user ID, I want admin, I want user ID one, the password is password, and I ask for it. So the first chain that I got from this vulnerability was: I log in, I change the password for admin or whatever user I want, and I impersonate that user. I have a read-only account, I can't change anything in my account, and then you can just go back and re-log in and get into that website. They give you everything you need. It's a very weird one, but I'm a CVSS fan, and this kind of looked lame, because you see how it says privilege is still High. That means you have to have an account to log in and be able to do this, so the prison system gave us an account; the foothold that we got in was given to us. By the CVSS, that turned that High on the third one on the left, whoops, too fast, there we go, we want to turn that third one that says High into a Low, because the score goes from a 9 to a 10, and we're almost there, we're like 0.9 away from it. Well, there is something really funny. Since I can see everything, I can see what the admins see, I can see what the functionalities are, I can test for things that I could use as a visitor. So you can do an XSS in the name, you can do an XSS in the address, you can do XSS in the account details, but you can put special characters in the email field, because I don't think anyone's going to put special characters, because Gmail doesn't allow that. But I don't have to have a real email address to be able to inject a payload into this page, so you put an XSS payload, which is a script tag pointing to my website, at gmail.com, you sign up, and whenever the admins go to look at the list of users on /users, they don't have to go to my username, by the way, the email shows in /users, so whenever /users is opened up, the XSS is fired. So the chain that we have, the second chain, is we bind XSS to the user, we log in
or force them to the user, and we take over their prison, and we just let everybody out and put money on their books, and that goes from a 9.1 to a 10.0 based on just looking at the chain. So the moral of the story is there's always a way out, even if you're stuck in a prison, and technically we found it for this one. I'm going to hand it to Corben for the next one.

So this one's about hacking a crypto exchange. I've been called from HackenProof; it said it's the biggest bug bounty reward amount of crypto exchanges: you can get anywhere from $50,000 to $1 million for a critical bug, and I'm like, sick, let's do it. And so I signed up to this crypto exchange called KuCoin and just started proxying my browser traffic through Burp Suite, and I just clicked every single button, and then I just started going through my Burp history, and I came across this GET request, it's just GET /api/zendesk/..., I'm not going to read actually all that, it's way too much to read, but you can kind of see how that looks, and it responded with just some JSON blob about their help center, and in that was like a URL to kucoin.zendesk.com. I thought that was a little bit more interesting because of the /api/v2 instead of the /api/zendesk. So I was like, is this endpoint just proxying to the Zendesk API? What if we just hit other paths besides that help center endpoint? So I just hit /api/v2, and it just responded with a big HTML 404 page, and I was like, okay, this is kind of curious and interesting. So I pulled up the Zendesk API documentation and found the following text: you must be a verified user to make API requests; you can authorize against the API using either basic authentication with your email address and password, with your email address and an API token, or an OAuth access token. So now I'm thinking, if you have to be a verified user to make API requests, can we just use this API as an endpoint?
So I found in the documentation there's an endpoint, just /api/v2/tickets.json, and it just loads all the support tickets. So I tried it, and it actually worked. And so, yeah, you can see there was a request for some sort of criminal investigation, that was one of the earliest tickets, and even more fun, there's a search.json endpoint which allows you to search with a query language. So what if we tried searching for session tokens or something? So I looked up the query language, and you could specify the created date. You could search tickets by the created date. And I also searched for just the word "session." And it turns out if you use the mobile app, it actually leaks their session token, and I don't know why that happens, but it does. So I looked up the query language. And then you can also just dump all of the users with the users.json endpoint. So that discloses the person's name, email, their phone number, their location. And this API is even better because you can paginate, so I can just hit every single page, and I can just go back to the query language. And so I reported it to them, and they're like, oh yeah, okay, this is like a High. Okay, that's fair. And then they just gave me $5,000 and said go away. So that's the end of that story. I'll hand it back to Ben.

This is where the fun begins. So everything we talked about is different, in a different industry. There was the news media, and there was the cryptocurrency stuff. But now we're going to do a back-to-back casino, because we're in Vegas, and we're at a bunch of casinos, and for once we were able to beat the casinos at their own game. So this one, yeah, we got some money from the casinos. So this is one of the bigger European ones. We have a US version of it. He's going to do the US version. I'll do it for the European folks. They could do things with their lottery site. I don't know what the purpose of it was; being in California, apparently you can't have access to this site.
But I could at least see some of the functionality. So you have this login page that comes back to you. And the login page says, hey, this is how my login works. You send a request, you say username and password, and it's /auth/login. And there is also a forgot password link in the description. There is no registration, at least that we can see. There is nothing else. This is an admin panel. It's not just a lottery system, it's a backend of the lottery system. I'm assuming some sort of an online thing. So the thing to highlight here, I wish I could point to it, but this right here, it shows an /auth/login within /api/v1. So the problem is that there was nothing that I could find that was useful or usable to get access to this site. Well, you start to do a brute force for /api/v1. I did /api/v1/auth/login. We have that one. We have forgot password. There is one that hits for a 405. That's new. So it's just /new. And then there was /users, which is 401 because I don't have access to see the users. So there is the ID of one, two, three, 401; /user/me, 401. And then there is also a verify for users. But the interesting one out of them all is the new, /auth/new, which piqued my interest. Well, it turns out /auth/new is also very verbose, just like he was mentioning. It told me, hey, you're missing an email, password, and a password verification. So all you had to do was hit that API, and you can create an account. You can log in, but the trick was this is an internal panel, so somebody had to actually confirm this account for me. There's a way to confirm it. We're not sure how. I didn't get an email, so even though I gave it an email address, I didn't get anything that says, hey, come and confirm your account, because this is supposed to be internal, so I'm assuming if I didn't have an AD domain or whatever that domain was, I wouldn't get any emails from them. So we do know two things. There is a verify, and there's a /user/me that I have access to.
Those two that I'm showing on the screen are from the previous scan that I did, but I remember I had access to those two things. So if I'm authenticated to my non-confirmed account and I hit this /me, it's going to give me my user account's details, but it is going to also give me a verification code. So it says, here's your user ID. I'm going to give it a user ID, and I'm going to give it a user ID anyway, which doesn't make a lot of sense at the time, but then I realize that I have a verification code that I can use to activate my account. So I've also stashed /verify that I have to go through. So the way the verification thing worked was you give it a user ID, you give it your verification ID, it verifies that it is a user ID. So if you're in a corporate environment or whatever you work for, usually they create email addresses like this, and there's one more thing to say: the login page asks for a username and not an email address. So I don't know what the username is, but the company usually gives you firstname.lastname@domain.com. It's pretty standard. So when you send this verification email, it takes the email address, not the username; it says, what's your email address, what's your verification ID, you send it back, and it says success. So when we go back to the user ID convention, it's asking me for a username. I have my email; verification took my email address with my verification code, but I still don't have a username. Nothing was emailed to me. Well, I thought, let's go back to the string before the @ sign. It's probably the username. So we're going to go ahead and try that really quickly. So as I mentioned all this, we're going to take that, and we're going to log in, and it actually logged in.
So I give it my username, it becomes whatever it is before the @ string, it's automatically your username, the password is what I gave it, my account's activated, and when I get into this account where it's verified, it gives me access to other users. The forgot password I don't care about, /auth/new we don't care about, then there's a user you can do like one, two, three, there's /user/me and /user/verify. But it turns out the /users one is the best one, because it gives you a list of all the users and all their details, and it's only read-only. So my account isn't an admin fully, it's just read-only, probably something like, I don't know, an operations person that just needs to have read access to all the functionality. But what I do have is a list of all the usernames and their email addresses. So what we do is we just grab the list of users, so whatever the usernames are, I'll grab them, because I need that for the login. I took a good password list, and when I say a password list I mostly mean password1, password123 and password2, and then the company's name and the year, and it turned out I can actually get access to one of those accounts with password1. So one of the actual admin accounts that I dumped a username for from the read-only account had a password of password1, and it actually gave me access to it, which turned out to give me access to this entire casino's backend for the lottery system, and you had file upload, you had other users, there was a lot of details, but being a bug bounty hunter you don't really get to have a lot of fun and see what happens. But the moral of the story is there's also passwords that work. I don't know, it's 2023; somehow password1 and password123 still work. So if you have a good list of usernames when you hack into a company and you can dump it through an API, it never hurts to try these easy passwords. So yeah, this is the original thing that I had.
It's just a bunch of non-access things to finally getting the keys to the kingdom from one of the biggest ones, that I'll let this guy handle.

This is a story about phishing, not a casino. So a little backstory on this one. This was for like a live bug bounty event, and so they invited a bunch of bug bounty hunters, and they thought it would be a good idea to put social engineering in scope. The only rule they had was don't email more than 100 to 200 people. That was the only rule, and they said they'd pay like a thousand dollars per user phished. So I was like, okay, well, what if I get 200 people to fall for a phishing email? It's also like a really bad idea to invite a 23-year-old with no good filter on what I should and shouldn't do. Yeah. So a little recon on this company: they used Okta and Duo 2FA, and it was notacasino.okta.com, and when these users would log in, they would enter their username and password, and then they'd be prompted to enter a six-digit number from Duo to log in. So I just bought a domain that looks similar to theirs. I set up Evilginx2, GoPhish, and Mailgun. I'm not going to get into all the infrastructure, but basically with Evilginx, it basically allows you to reverse proxy to the real Okta instance but also sit in the middle and capture everything between the two. So that was kind of a pain to set up, but I googled enough, read documentation, and set up all the infrastructure for it, and the next challenge was to figure out who should I actually try to phish here. So God bless LinkedIn Sales Navigator. I just signed up. We had like $100 for like a subscription for a month, and I was able to figure out their email format was like the first character of their first name, last name, at thecompany.com, so I wrote like a really simple Chrome extension that let me just scroll through LinkedIn Sales Navigator and just grab their first name, last name, and just generate this.
And so, okay, I have emails, but what should I say in this phishing email? Or, in hindsight now, it's like, never do this. And so like I've actually never done a phishing campaign against a real company in like a real environment, and this is exactly why you probably shouldn't invite a 23-year-old bug bounty hunter to do this. But I just was thinking like, okay, what would I fall for and what would I click on? And so again, it was really rough, and I'm a complete douchebag for doing this, and so I typed a few different variations, and I'm like, okay, we're gonna have like a reference number and like brackets, and like just to keep it short, and say like "action required," because, like, okay, you have to fill this out. And so, I mean, you guys can read it. The questionnaire actually pointed to a subdomain of theirs; if you hovered over the link, it would be like casino.com, and I abused a cross-site scripting bug to actually redirect to my phishing page, so it looked, I guess, even a little more. So yeah, I sent this to like 200 employees. Within like not even a minute, the cookies just started rolling in, and so then now I can just authenticate to Okta, and within two minutes I had access to their root AWS account, so that includes like all their EC2 instances, all their databases, literally everything you could possibly dream of. So here's a picture of me just sending the email; here's 30 seconds after. So the result is I sent it to 200 people, and I ended up with 40 pairs of credentials. I had access to Outlook, Word, Calendar; I phished like one of the vice presidents, actually; I had access to the AWS console, the GitHub, their like customer search tool, a buttload of internal applications. And then they never did this again, because apparently like the Nevada Gaming Commission requires these casinos to report each instance and fines them, and so I think I cost them like several million dollars in legal fines. But hey, I guess they learned their lesson, and I don't mind. They didn't pay a thousand dollars per
user, but they paid me twenty thousand dollars for that, so that was a fun bug, not bug, but yeah. You can, yeah, I mean, we don't have, usually you're supposed to end your talk with solutions; we don't have any solutions for phishing or verbose APIs. Yeah, he says "get good" is a good answer, a good solution for it. Yeah, but I mean, if you want to try these out, they're all on our website, you can give it a try. If you want to come and talk to us, actually we think we do have a little bit of time, we ended a little bit early, for questions. If there are any questions, we can answer them; otherwise, please connect with us. We're both on Twitter: I'm @NahamSec, he's @hacker_. Thank you. And then, yeah, if there's any questions... I'm glad we were able to answer all of you guys's questions. Thank you for attending our talk.