[HackerNotes Ep.84] 0xLupin & Takeaways from Google's Las Vegas BugSwat

In this HackerNotes, Justin and Roni Carta (@0xLupin) discuss their MVH win at the recent Google LHE, and drop some valuable takeaways from the event.

Hacker TLDR;

  • Google BugSwat event: Justin and Lupin teamed up for Google’s BugSwat event and took home the Google MVH award. The guys dropped some solid takeaways from the event in Vegas:

    • Focus on the main app: Main apps often hold a tonne of functionality, are under active development and by default will have more impact on a target. This means an increased attack surface and a bigger threat model.

    • Threat modelling and attack vector ideation: Taking the time to threat model a target - mapping out all the functionality and areas which would be high impact, what could go wrong, and how you could approach and attack the target can help turn lower impact bugs into higher impact just by having the context and understanding of your target.

    • Collaborations work: Collaborating with someone on a target who has a different style of hunting can help craft some really creative and impactful bugs. Equally, that added motivation of hacking alongside someone can be critical when trying to break a hardened target down.

    • Targets matter: Hacking on a good target which takes care of their hunters and triages well can be the difference between a good experience and bounties or no bounties. Finding a target which works for you will keep you motivated long-term when hunting.

    • Go after a target you are intimidated by: Hitting a target which scares you or is out of your comfort zone will pay massive dividends when building your skillset and approach as a bug bounty hunter.

    • Pay attention to sandboxed environments: There’s a lot of complexity and a lot of things that can go wrong when implementing a sandbox. Identifying misconfigurations, the services available and any APIs which can be abused to introduce malicious input can help break out of the sandbox.

    • Look at the SDKs of a target: SDKs are often provided to customers or third parties to hook into the ecosystem of the target. More often than not, these SDKs are feature-rich and extensively documented.

    • Legal impact == bugs: Even non-technical bugs can have a significant impact if they involve legal repercussions like GDPR breaches. If you can demonstrate this to a program, you’ll likely land a juicy bounty.

Find out more at: https://www.criticalthinkingpodcast.io/tlbook

This episode is sponsored by ThreatLocker. Check out their eBook "The IT Professional's Blueprint for Compliance" here!

Google’s Las Vegas BugSwat

Team Critical Thinking hit up Vegas last week for Defcon, the HackerOne LHE and more importantly, the Google BugSwat event.

The guys (Lupin & Rhynorater) managed to secure the Google MVH award with some super impactful findings. Although they both have different approaches to targets and different styles of hunting, they both deliver extremely impactful bugs. Some of their previous research on Google landed them a $50k bounty: https://www.landh.tech/blog/20240304-google-hack-50000/

Luckily for us, they took the time to sit down, recap and share some insights from the overall experience. Here are some takeaways from the event:

Focus on the main app

The main app of a target is usually going to be more impactful by default as it’s their primary application. Equally, most of the time there’s a lot of functionality available and it’s under active development, meaning new functionality is being pushed and existing functionality is being modified frequently.

As hunters, this is what we want. New functionality can often lead to new gadgets, which often leads to new bugs. Combine this with changes in existing functionality and you might have a bug or two.

Threat modelling and attack vector ideation

Spending time on your target, and if available, speaking to the team or researching previous findings on the scope can really help identify where a bug would hurt the target most.

Using a threat model-centric approach helps you turn seemingly low or medium-impact bugs into much higher impact, just by understanding the context of the app or target. Equally, ideating attack vectors to guide your hunting can help you pinpoint those critical areas or bug classes that would get you those highs and crits.

Collaborations work

Combining different styles of hunting and approach can lead to some incredibly creative and juicy bugs. The prime example here is Lupin and Rhynorater: two different approaches, bouncing ideas off each other throughout the event, and both took home the MVH for their bugs.

When it comes to collaborating, ensuring you have a level of trust and mutual understanding on expected input and bounties is essential. Make sure you’re both on the same page before jumping into something!

Targets matter

Google looks at their hunters as an extension of their security team. From a hunting perspective, this culture makes for a much better experience, as it can often feel like programs are actively working against their hunters.

Finding a good target can be essential in ensuring bug bounty success.

Go after a target you are intimidated by

We’ve probably all steered clear of a target, or a service on a target, which we really do not want to look at: we aren’t familiar with the stack, it’s a different discipline of hacking we haven’t spent much time on, we aren’t familiar with the ecosystem, and the list goes on.

The thing about going after a target that initially intimidated you is that it will probably pay dividends. It will broaden your skillset as a hacker for future targets, and equally, give you the confidence to approach harder targets in the future.

Next time you’ve exhausted your list on a target but you still have that one service or one target that’s always intimidated you, set yourself a goal of spending X hours and going after it.

Pay attention to sandboxed environments

Any time you are able to run code inside a sandbox, that sandbox should be thoroughly checked: look for misconfigurations and the services available to you, and identify whether anything can be brought into the container that would let you accomplish malicious goals.

Sometimes the container itself is incredibly locked down, but a route through an API that is used from the outside, or an adjacent host which is accessible from the sandbox, can pave the way for an exploit.

Look at the SDKs of a target

Companies often publish SDKs for their customers or integrations to use and hook into their ecosystem. SDKs can provide a massive attack surface, and by default, the impact is there as it’s what they are advising their customers to implement and use.

Equally, the documentation on SDKs is usually really good. This alone can help identify bugs, so be sure to check out all the available docs (including old versions of docs) for the SDK as you might uncover some juicy features.

Legal impact == bugs

Understanding whether a piece of functionality can be abused to achieve legal impact can be just as valuable from a bug bounty perspective. If, for example, something could cause a GDPR breach or a breach of compliance/legislation for that specific industry, and you can prove it, you’ll likely get paid well for that impact.

Having a breach of compliance in this day and age can result in major fines for a company, and more often than not the security team has a GRC (governance, risk and compliance) function which acts as a bridge between security and legal.

Not all bugs have to be incredibly technical in nature to be impactful in bug bounty.

A slightly shorter episode this week as the entire Critical Thinking team was on the road. Regardless, some solid takeaways from the Google LHE.

As always, keep hacking!