🐝 Hive Five 122 - STÖK is back, WTF is information disclosure, and a $1MM bounty

Hi friends,

Greetings from the hive!

I hope you had a nice weekend. I love the phrase, “let him cook”. I was reminded of it while watching a Marc Rebillet live stream.

It emphasizes giving someone the space and encouragement to do their thing. A form of celebration and acknowledgment of uniqueness and talent.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. Off By One Security Stream strives to bring more technically focused content to the community. Make sure to check out the “Live” tab, where they cover a range of topics, including a deep-dive series into the exploit mitigations Microsoft has introduced into the Windows OS. more

  2. In this Bug Bounty Basics episode, InsiderPhD covers information disclosure, one of the more interesting bug classes because individual findings vary so widely in technical depth. more

  3. STÖK is back! In this video he talks about escaping the grind and decompiling Python 3.9 .pyc files to find vulnerabilities. He’s been reversing apps to get a deeper insight into what happens under the hood, using VS Code and CodeQL to identify vulnerabilities. more

  4. How to turn a write-based path traversal into a critical finding. This video analyses disclosed bug bounty reports on write-based path traversal vulnerabilities, specifically which files you should write to demonstrate the maximum impact of such a traversal, ideally escalating it to RCE. more

  5. A $1,000,000 bounty? The KuCoin User Information Leak. more
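The write-based traversal in item 4 comes down to one question: can the attacker's filename escape the directory the application meant to write into? The Python below, added here as an editor's example and not code from the video or from any project on this page, puts a naive handler (strip “../” once, then join) beside a hardened one and runs both over constructed payloads, including the nested “....//” and percent-encoded variants that defeat simple filters. The upload root /var/www/uploads, the function names and the payloads are assumptions for the example; which file to write for maximum impact once you are outside the directory is the video's subject and is not covered here.

```python
"""
Write-based path traversal, side by side: a naive 'upload' handler that
strips "../" once and joins the rest onto an upload directory, and a
hardened handler that decodes, canonicalises and checks containment.
Example code added by the newsletter's editor; not from the video or from
any project the page mentions. The upload root is an assumption.
posixpath is used (instead of os.path) so behaviour is identical on any host.
"""
import posixpath
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/uploads"  # assumed upload root for the example


def naive_target(filename: str) -> str:
    """Vulnerable: a single, non-recursive strip of '../' followed by join.
    Both steps are bypassable, as the sample payloads below show."""
    cleaned = filename.replace("../", "")
    # posixpath.join discards UPLOAD_DIR entirely if 'cleaned' is absolute.
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, cleaned))


def safe_target(filename: str) -> str:
    """Hardened: percent-decode until stable (defeats %252e double encoding),
    reject empty names, absolute paths and NUL bytes, canonicalise, then
    require the result to sit strictly inside UPLOAD_DIR. Raises ValueError."""
    decoded = filename
    for _ in range(3):  # bounded: stop once decoding reaches a fixed point
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if not decoded or decoded.startswith("/") or "\x00" in decoded:
        raise ValueError(f"rejected filename: {filename!r}")
    base = posixpath.normpath(UPLOAD_DIR)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # commonpath compares whole components, so '/var/www/uploads_old/x'
    # is rejected, unlike a plain startswith() prefix check.
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes upload dir: {filename!r}")
    return candidate


# Constructed attacker inputs (not taken from any report on the page).
SAMPLE_PAYLOADS = {
    "plain": "../../../etc/passwd",
    "nested": "....//....//....//etc/passwd",  # one strip of '../' leaves '../'
    "absolute": "/etc/passwd",  # join drops the base directory
    "encoded": "%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # traverses if decoded later
    "dbl_encoded": "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
}


def escapes_naive(payload: str) -> bool:
    """True when naive_target() would write outside UPLOAD_DIR."""
    base = posixpath.normpath(UPLOAD_DIR)
    return posixpath.commonpath([base, naive_target(payload)]) != base


def safe_rejects(payload: str) -> bool:
    """True when safe_target() refuses the payload."""
    try:
        safe_target(payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(f"{name:12} naive escapes={escapes_naive(payload)!s:5} "
              f"safe rejects={safe_rejects(payload)}")
    print("benign:", safe_target("2023/report.pdf"))
```

Two results are worth noticing. The naive handler stops the plain payload but not the nested or absolute ones, which is exactly how a “traversal sequences blocked” filter gets bypassed. The hardened handler does not reject the nested payload, and does not need to: without a strip step, “....” is just an odd directory name and the resolved path stays inside the upload root, which is the property the containment check actually enforces.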

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🏞️ Bee’s Eye View

🔥 Buzzworthy

Changelog

  1. HackerOne now has a command palette to navigate the web app. Navigation using the keyboard is one of my favorite UX improvements anyone can make. more

  2. SecLists 2023.2 release — SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. more

  3. Hahwul/deadfinder v1.3.1 — Find dead links (broken links). more

📅 Events

  1. Security Fest 2023, May 25-26 with speakers such as STÖK and a keynote by Alethe. more

  2. Pwnies Nominations - submit your noms for 2023. more

  3. The DEF CON AI Village team is looking for volunteers. more

🎉 Celebrate

  1. Corgi got promoted. Well deserved! more

  2. ZwinK and Gotcha1G celebrate Bugcrowd as the best bug bounty platform. more

  3. Nagli was awarded a $22,000 bounty and joined the exclusive 30,000 reputation club. Congrats! more

  4. NahamSec is at 88,000 YouTube subs. Let’s go! more

  5. Loop daddy is back outside again. Let him cook! more

💰 Career

  1. BigCommerce is hiring a Sr Security Engineer - Australia remote. more

  2. The best resources for finding a cybersecurity job. more

  3. Inject My PDF: Prompt Injection for your resume. To escape a deluge of generated content, companies are screening your resumes and documents using AI. But there is a way you can still stand out and get your dream job: Prompt Injection. more

  4. A Career Cold Start Algorithm that can help you ramp up quickly — and in several cases — have an impact in a relatively short period of time, while minimizing collateral damage. more

  5. How Kaylie landed her dream job – that didn’t exist. She was quite cheeky in the cover letter that she sent to Checkly. more

⚡️ Community

  1. In a single day, Jason hacked a Fortune 50 company, had a call with the government, and spoke to a movie producer. more

  2. Renniepak celebrated his one year as a full-time bug bounty hunter, including stats and commentary. Wonderful! more

  3. Meg landed one of her dream partnerships with a huge cybersecurity training company. Let’s go! more

  4. Taylor graduated with her Master’s Degree in Information and Cybersecurity. Congrats! more

  5. Lina started working full time on her business Xintra. Let’s go! (use code: IMFREE to get 13.37% off all courses for a month.) more

📰 Read

  1. Bypass TCC with Telegram in macOS (CVE-2023-26818). This article focuses on a weakness in the Telegram application on macOS that allows for the injection of a Dynamic Library (or Dylib for short). more

  2. State of DNS Rebinding in 2023 - Different forms of DNS rebinding attacks have been described as far back as 1996 for Java Applets and 2002 for JavaScript (Quick-Swap). more

  3. CS:GO: From Zero to 0-day. They identified three independent remote code execution (RCE) vulnerabilities in the popular Counter-Strike: Global Offensive game. Each vulnerability can be triggered when the game client connects to their malicious Python CS:GO server. more

  4. Testing a new encrypted messaging app’s extraordinary claims. How crnkovic accidentally breached a nonexistent database and found every private key in a ‘state-of-the-art’ encrypted messenger called Converso. more

📚 Resources

  1. Mustafa explains an RCE he found in enterprise software. more

  2. Extract contact information from resumes using the Python duckduckgo_search package and the pdfgrep utility. more

  3. cqcore/OSINT-Browser-Extensions is a collection of Chrome extensions, to help with OSINT, OPSEC, Privacy & Obfuscation. more

  4. trickest/cloud monitors the cloud landscape. Their mission with this project is to provide an always up-to-date and freely accessible map of the cloud landscape for every major cloud service provider. more

  5. nikitastupin/orgs-data maps bug bounty and vulnerability disclosure programs to respective GitHub organizations. more

🎥 Watch

  1. HackTheBox Precious walkthrough leveraging a command injection vulnerability in a web application to gain access to the system. more

  2. Directory Traversal - Lab #2 File path traversal, traversal sequences blocked. more

  3. We Hack Purple Streams: The Canvas Method with guest Richard Kranendonk. The Canvas Method for Information Security helps non-technical teams to identify information security risks in their own work, and lets them take ownership of improvements. more

  4. OSCP got upgrades, but are they good? Hakluke shares his review. more | Rana’s review

  5. The Pivot with guest Nico Dekens from ShadowDragon: Make The World A Safer Place With OSINT. Nico Dekens, known online as Dutch_OsintGuy, is an all-source analyst specializing in Open Source Intelligence (OSINT), online Human Intelligence (HUMINT) and online investigations. He has over 20 years of experience as an all-source intelligence analyst with Dutch law enforcement. more

🎵 Listen

  1. Who Would Hack the Largest U.S. Bank, But Not Steal a Penny? Darknet Diaries Ep. 76: Knaves Out. In 2013, 83 million user accounts at JPMorgan Chase were compromised by an attack so sophisticated that authorities assumed it was a nation-state actor, especially because no money had been stolen. more

  2. Day[0] Bug Bounty Podcast 211 - OverlayFS to Root and Parallels Desktop Escapes. Some awesome bugs this week from tricking Dependabot and abusing placeholder values, to an IIS auth bypass. Ending off with a kernel bug (OverlayFS) and a VM escape. more

  3. The Privacy, Security, & OSINT Show 297 - KYC, 2FA, macOS, & OSINT Updates. This week they offer many updates including new Know Your Customer concerns, better 2FA options, their latest macOS Devices digital guide, OSINT tool changes, and how to get your own free TV which of course monitors everything you do. more

  4. Critical Thinking - Bug Bounty Podcast E19 - Audit Code, Earn Bounties (Part 2) + Zip-Snip, Sitecore, and more. more

  5. Smashing Security 322 - When you buy a criminal’s phone, and paying for social media scams. Personal information is going for a song, and the banks want social media sites to pay when their users get scammed. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
