
🐝 Hive Five 102 – Running a Mastodon server, Reverse Prompt Engineering, and 2022 reviews


By securibee 🐝

Hi friends,

Greetings from the hive!

Happy New Year! I hope you and yours are in good health and achieved all that you set out to.

The start of the year often means reviewing what you have accomplished in the previous one. This prompted me to check out my newsletter stats (which I should do more often). The Hive Five in 2022 had a 77% open rate, an 83% click rate, and contained 390582 words.

I have also looked at different methods and implementations of how people review their year. This format by Mike stood out to me, and I thought I’d share. He listed “six areas of life balance” from his goals page and rated each. So I might give it a try.

Did you have any yearly goals? If so, how did you do on them?

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Hachyderm’s Kris Nova on running a Mastodon server. In Hanselminutes Podcast 872, Scott talks with Kris Nova, who has been building and scaling Hachyderm, a Mastodon instance that began in her basement and is now moving into the cloud. more

  2. Hunting for Amazon Cognito security misconfigurations. This talk was delivered as part of the NahamCon EU 2022 virtual conference. It outlines and discusses a few common security misconfigurations that affect Amazon Cognito implementations, along with various techniques and methods for testing for these security issues. more | slides

  3. Reverse Prompt Engineering for Fun and (no) Profit. For the non-technical folks, the term “prompt injection” was chosen to evoke SQL Injection, the third worst security vulnerability in traditional web applications. more

  4. A list of interesting macOS/iOS Kernel Security research in 2022 by Alex. more

  5. Pass-the-Challenge: Defeating Windows Defender Credential Guard. New techniques for recovering the NTLM hash from an encrypted credential protected by Windows Defender Credential Guard. more

💪 Sponsor

Want me to write about your company? Sponsor the Hive Five.

🔥 Buzzworthy

Changelog

  1. j3ssie/osmedeus v4.3.0 includes AWS provider support, integration with an S3 bucket, and new built-in scripts for importing and extracting workspace data. more

  2. The 10th edition of OSINT Techniques is now available. The book is required reading for numerous college courses, university degrees, and government training academies. more

📅 Events

  1. Justin Gardner and 0xteknogeek are launching a new podcast called Critical Thinking. You can expect coverage of new web hacking techniques, bug bounty tips, exclusive bug explanations, and sick interviews. more

  2. ZwinK is planning to publish a Z-winK University series on Udemy. more

  3. Omar Espino is starting a new journey at websec as a Senior Security Consultant. more

  4. Architecture Notes announces their first CTF, which is live now. This is an encryption challenge that is open to participants of all skill levels, and I dare you to solve it. This first challenge will test your knowledge of encryption and networking. more

🎉 Celebrate

  1. Nagli finished 2022 as the 4th Hacker in the world on HackerOne. Amazing! more

  2. In 2022 SickSec earned a massive $100K+ in bounties, including a huge $60K from a single program in Q4. They also achieved Rank 1 in Uber’s bug bounty program and reached the top of the leaderboards. Keep going! more

  3. zseano’s proudest achievement in 2022 was winning H1702. He also managed to finish 3rd amongst UK hackers on HackerOne this year. Awesome! more

  4. In 2022 Mustafa managed to earn $500k in bounties through Synack and through collaborations on Bugcrowd’s LHE. Let’s go! more

  5. MrTuxracer earned more than $500k in bounties which is almost twice their goal. They also got their OSWE certification, resurrected their blog, and did more binary exploitation. more

⚡️ Community

  1. Best bug people found in 2022. more

  2. John Hammond shares the behind-the-scenes of his YouTube channel, which has half a million subscribers. more

  3. sumgr0 on Axiom, developed by pry0cc and 0xtavian, being a game changer. more

  4. Ryan Dewhurst shares that 2022 was the hardest year of his life. more

  5. Viktor looks back on 2022 and celebrates his wins. more

📰 Read

  1. Netcomm unauthenticated Remote Code Execution. Research performed against the NF20MESH router revealed an unauthenticated remote code execution vulnerability that affects devices running firmware prior to version R6B025. more

  2. Katie is surprised that some things haven’t entered the bug bounty community, e.g. Mixer-vs-Twitch-style exclusivity contracts for hackers: platforms could offer better invites, a percentage on top of all bounties, and various other perks for a minimum of x hours spent hacking on the platform. more

  3. 0-click Account Takeover and Two-Factor Authentication Bypass. In September, they decided to look into the account recovery flows of the Facebook web and mobile applications. more

  4. What We Do in the /etc/shadow: Cryptography with Passwords. Ever since the famous “Open Sesame” line from One Thousand and One Nights, humanity was doomed to suffer from the scourge of passwords. more

  5. Reverse Engineering Rustlang Binaries is a series of notes from BrightProgrammer on understanding how to reverse Rust binaries. more

🙏 Support

Enjoy reading the Hive Five? You can treat me to a coffee!

📚 Resources

  1. The ABS programming language works best when you’re scripting on your terminal. It tries to combine the elegance of languages such as Python or Ruby with the convenience of Bash. more

  2. Expanding Your Security Horizons: Learning The Ropes 102, a book by Andy Gill. LTR102 takes the lead from LTR101 and dives a little deeper into the wider security topics, bringing an insight into defensive, offensive and collaborative security fields. more

  3. The Pocket Guide to Debugging e-zine. It has 47 strategies for solving your sneakiest bugs. more

  4. Fuzzing101 with LibAFL - Part I: Fuzzing Xpdf. Explores the library and writing fuzzers in Rust to solve the challenges in a way that closely aligns with the suggested AFL++ usage. more

  5. zakird/crux-top-lists caches a CSV version of the Chrome top sites, queried from the CrUX data in Google BigQuery. more

🎥 Watch

  1. The official writeup to Intigriti’s December ’22 XSS Challenge. more

  2. Computer Networking (Deepdive). This video explains computer networking with pieces of paper, hopefully explaining why the OSI layer model is taught in some universities. more

  3. 2023 Path to Master Hacker, the path to becoming a master hacker. From zero to getting the skills you need to be successful. more

  4. How To Bypass Website File Upload Restrictions. more

  5. Using OSINT to find Mr. Beast video locations. more

🎵 Listen

  1. Beautiful podcasts via Jack. Stories that inspire, delight, and show you something beautiful where you end up feeling like you’re floating. more

  2. Darknet Diaries Ep. 131 - How Bitcoin Tracers Rescued 23 Kids From Sex Abuse. We like to think that cryptocurrencies are anonymous and private, but new rules for exchanges mean law enforcement can track dark money. This story is part of Andy Greenberg’s new book “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency”. more | book

  3. The Tim Ferriss show: Steven Pressfield - The Artist’s Journey, Wisdom In Little Successes & More. A glimpse into the mind of the author of The War of Art. more
