WRITE UP – [Google VRP Prize update] GOOGLE BUG BOUNTY: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD

... but I'm back. I want to tell you a short story about one of my last bug bounties, and how I escalated a simple XSS to a full Google Cloud Shell instance takeover as a full administrator (RCE as root).

Extracted from the Google Cloud Shell landing page: "Your online development and operations environment. Cloud Shell is an online development and operations environment accessible anywhere with your browser."

So the plan was basically: look into Theia's GitHub repository issues, filter those with a security tag, and analyze all of them. It was my lucky day: an XSS on markdown preview, apparently reported by a Googler, and also a working POC. After that I immediately tested that POC on https://shell.cloud.google.com/ and it worked like a charm!!

So, basically, at this point Google would reward the alert(0) box; they do not need you to explain to them why XSS is a big deal, as other companies do, right?

Anyway, I wanted to push myself to escalate this XSS to a full instance takeover, so it was time to escalate this simple alert box.

Escalation:

So, my first thought was that if the XSS was able to run in the same context as all the files, maybe I could run a simple GET to extract any "local" file, but it was not that easy. Another problem that I noticed is that the Theia editor UI was running in some instance that is different from the actual "command line terminal". Luckily the Theia UI instance has the private key in the root of the instance, and we just needed to navigate to a new workspace and set / (root) to see that key. Sadly there is no screenshot for that, but you have my word: once the workspace "/" is loaded you can see that "id_cloudshell" file.

So in the end the solution for reading those files via HTTP GET in JavaScript was using these 2 endpoints:

1.- First, https://' + location.host + '/files/?uri=
This gets the id for any uri; for example /files/?uri=file:///etc/hosts responds with something like {id: "5147084a-XXXX-43a9-afb0-bb8a126f1162"}

2.- Then use https://' + location.host + '/files/download/?id= with that id, /files/download/?id=5147084a-XXXX-43a9-afb0-bb8a126f1162, and get the actual file content.

Putting it all together:

Google Cloud Shell has an option to import GitHub repositories into Google Cloud Shell instances with 1 click, so the main idea was:

1.- Create a malicious git repository to store that malicious script in the read.md file
2.- We can also put the "open in Google Cloud Shell" button in the same .md file
3.- Then trick the user into importing that git repository into his Google Cloud Shell instance
4.- Once the read.md file renders we steal the /etc/hosts file to construct the public domain to access that Cloud Shell instance, and also the private key /../id_cloudshell. The hostname is "cs-6000-devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX"; we delete the cs-6000 part and append .cloudshell.dev, getting something like this: devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev, which is publicly accessible for anyone
5.- Since we know that the root user is always present in Linux we can use that to log in via ssh
6.- With devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev (public domain) we can actually get the IP of devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev by making a ping and then do some port scanning (after that we discovered that the ssh service was running on port 6000)
7.- Profit. Knowing the public domain hostname, the ssh port, the user root, and the private key, we just needed to log in and run any command that we want:
'ssh -i id_cloudshell -p 6000 root@devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev'

Final read.me file code:

Extracted from Google VRP's report (the actual Google VRP report):

Summary: Google Cloud Shell instance takeover (as root)

1.- Set up an SSL server that you own on any port; I will use the ngrok + nc combo over port 55555
2.- Visit https://github.com/omespino/gcs_instace_takeover and click "open in Google Cloud Shell"
3.- Wait for everything to load and then click the preview button for the .md files (you need to set up the attacker server that you own before the preview)
4.- Receive 2 Google VM files: '/etc/hosts' and the private key '../id_cloudshell' (escape the container with '../')
    4.1: for the private key you need to replace \n with line breaks and save it as 'id_cloudshell'
    4.2: the hostname is "cs-6000-devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX"; we delete the cs-6000 part and append .cloudshell.dev, getting something like this: devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev
5.- Log in as root over ssh on port 6000:
    'ssh -i id_cloudshell -p 6000 root@devshell-vm-XXXXXXXX-XXXX-XXXXX-XXXXX.cloudshell.dev'
6.- w00t!!!

Timeline:
Bug Accepted (P2)
Feb 20, 2020: $5,000 bounty awarded
Mar 18, 2020: Fixed by Google

Well that's it, share your thoughts, what do you think about how they handled that security issue? If you have any doubt, comment or suggestion just drop me a line here or on twitter @omespino, read you later.
