
šŸ Hive Five 109 ā€“ Find Linux Kernel bugs and Escape, How to Bug Bounty in 2023, Server-side prototype pollution

Hi friends,

Greetings from the hive!

I hope you had a good weekend. I came across this tweet by Morten where he expresses what I've been wanting to see: a browser that features tabs vertically next to each other. Preferably serving the mobile versions to make maximum use of the space and reduce clutter.

In the replies, I saw many people mention Arc browser, so I'll give that a go!

In general, I love this tiling approach, and I use it whenever I can. Some examples are TweetDeck, tmux, vim, and a tiling window manager.

What do you think is missing in tech? What would you like to see?

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Top 10 Web Hacking Techniques of 2022, the 16th edition of the annual community-powered effort to identify the most important and innovative web security research published in the last year. more

  2. Recon2022: Breaking the Glass Sandbox - Find Linux Kernel Bugs and Escape. chompie's Recon2022 talk. more | slides

  3. VPNs, Proxies and Secure Tunnels Explained (Deepdive). What is a secure “tunnel”? more

  4. How to Bug Bounty in 2023 by NahamSec. more

  5. Server-side prototype pollution: Black-box detection without the DoS. Server-side prototype pollution is hard to detect black-box without causing a DoS. In this post, they introduce a range of safe detection techniques, which they've also implemented in an open source Burp Suite extension. more | Burp extension

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

  1. CoLab is a new section in CTF challenge. It features labs from courses by industry experts. The first two are nahamsec-training and NahamStore from NahamSec's Udemy course. more

  2. Six2dez - reconFTW v2.5.2 codename “conference season” is out. Highlights: byp4xx for 4xx bypasses @lobuhisec, waymore replaces gau and waybackurls @xnl_h4ck3r, added gitlab-subdomains @gwendallecoguic, and included ffuf new hashmap feature @joohoi. more

  3. pry0cc on Linode's axiom ban. more | not-axiom

  4. Flamingo v0.0.20 captures credentials sprayed across the network by various IT and security products. more

  5. osmedeus v4.3.1 is a workflow engine for offensive security. more

📅 Events

  1. NahamSec is back to streaming this week. more

  2. HackerOne's Ambassador world cup is back. March marks the beginning of 9 months of epic competition. more

  3. HOU.SEC.CON Security Conference registration is open. more

🎉 Celebrate

  1. zseano is having his 2nd baby in May and is planning to go AFK in April, returning sometime later in the year. Congrats! more

  2. Greg turned 25. Happy birthday! more

  3. Osirys is back (mentally and physically) after over 1.5 months of “forced break”. Welcome back! more

  4. Ankit Singh received his Bugcrowd swag for a live hacking event, securing 2nd place and earning over $30,120 in bounties. more

  5. Pibble ordered a custom-made “Hack the Planet” sign for her man's office and it turned into a whole office makeover. Looks amazing! more

💰 Career

  1. Roadmap to your first cyber job. $60-90k/year starting salary for an entry level cyber position can be yours in the next 6 months with hard work, and most importantly, the right kind of work. more

  2. Angie Jones on being careful with that “I:We” ratio when stating your accomplishments. more

  3. nemesis's boyfriend is actively looking for senior red team/offensive security engineer roles. Remote/CA area. more

  4. Vic on being affected by a layoff: “know that it's NOT YOUR FAULT. Your personal worth is not in question. Take care of yourself & go back out there. There is no shame in this.” more

  5. Ian Coldwater is open for anything interesting for their skill set, their DMs are open. more

āš”ļø Community

  1. d0nut felt like he wasnā€™t good at anything in particular. more

  2. Masonhck357 wants to do better at communication and keeping in touch with the community this year. more

  3. pry0cc on GitHub copilot being a 10x multiplier. more

  4. Cam from Darknet Diaries episode 85 “Cam the Carder” has passed away. Jack mentions that he was a valuable resource to the show and a friend. more

  5. Smelly is taking a hiatus from vx-underground due to health issues. more

📰 Read

  1. cURL audit: How a joke led to significant findings. In fall 2022, Trail of Bits audited cURL, a widely used command-line utility that transfers data to and from a server and supports various protocols. more

  2. Are you a bug bounty hunter curious about how things work on the other side? more

  3. What single command people would run if they had a reverse shell/RCE. more

  4. Bypassing Okta MFA Credential Provider for Windows (POST exploitation technique). more

  5. Exploiting Out Of Band XXE using internal network and php wrappers. more

📚 Resources

  1. (Not So) Smart Contracts - This repository contains examples of common Ethereum smart contract vulnerabilities, including code from real smart contracts. more

  2. VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. more

  3. edoardottt/missing-cve-nuclei-templates contains a daily updated list of missing CVEs in nuclei templates official repository. Mainly built for bug bounty, but useful for penetration tests and vulnerability assessments too. more

  4. IAM Vulnerable lets you use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground. more

  5. Using Project Discovery's katana to migrate a website. more

🎥 Watch

  1. Deep Dive into Parsing SSH Keys To Exploit Improperly Sanitized Screenshots. more

  2. HackTheBox - RainyDay walkthrough. more

  3. Broken Access Control - Lab #4 User role can be modified in user profile. more

  4. Introduction to the Intelligence Cycle. A look at arguably the primary pillar of cyber threat intelligence and how it all works. more

  5. Networking for Pentesters: Beginner. In this Black Hills Information Security (BHIS) series, Serena will be going over networking basics and how they relate to Pentesting. part 1 | part 2 | Part 3

🎵 Listen

  1. Daniel Miessler's new go-to hacking playlist. more

  2. Day[0] Binary Exploitation Podcast 188 - Rusty Kernel Bugs, mast1c0re, and OpenSSH. A few discussions this week, from using ASAN effectively, to vulnerabilities in Rust code, and some discussion about exploiting the OpenSSH double free. more

  3. Day[0] Bug Bounty Podcast 187 - Top 2022 Web Hacking Techniques and a Binance Bug. They talk about the Top Web Hacking Techniques of 2022 and some TruffleSec/XSS Hunter drama, before covering a blockchain verification bug and a simple path traversal to SSTI and RCE chain. more

  4. Risky Biz Soap Box: Greynoise has built the world's biggest, and smartest, honeypot. In this interview they're chatting with the founder of Greynoise Intelligence, Andrew Morris. Greynoise operates a global network of sensors that collect data on things like mass scanning, exploitation and reconnaissance. more

  5. Critical Thinking - Bug Bounty Podcast S01 E07: PortSwigger Top 10, TruffleSecurity Drama, and more. In this episode they talk about PortSwigger's Top 10 Web Hacking Techniques of 2022, some drama surrounding TruffleSecurity's XSS Hunter, and, as always, some great bug bounty tips. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
