🐝 Hive Five 124 - Scraping Kit and the Benefits of Creating in Public

Hi friends,

Greetings from the hive!

I hope you had a nice weekend. Sadly, one of our dogs was attacked by another dog and spent a while at the emergency vet. Thankfully, she’s a miracle dog and is recovering well.

Let’s take this week by swarm!

🐝 The Bee’s Knees

1. An interview with Shubham Shah, one of the hackers people look up to in the bug bounty space, and an expert in source code review who regularly finds 0days. more

2. Scraping Kit comprises several tools for scraping services for keywords, useful for the initial enumeration of Domain Controllers or if you have popped a user’s desktop with access to their Outlook client. more | tool

3. A few month after competing in DEF CON CTF 2021, SuperFashi receives a mysterious envelope. more

4. Troy Hunt discusses several aspects of cybersecurity, including the importance of his website, Have I Been Pwned, in notifying users of data breaches in which their information has been compromised. more

5. Talkback is a smart infosec resource aggregator, designed to help security enthusiasts, practitioners and researchers be more productive. more

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🏞️ Bee’s Eye View

![[CleanShot 2023-06-03 at [email protected]]]

🔥 Buzzworthy

✅ Changelog

1. RetireJS/retire.js 4.3.0 is a scanner detecting the use of JavaScript libraries with known vulnerabilities. more

2. projectdiscovery/nuclei v2.9.5 is a fast and customizable vulnerability scanner based on simple YAML based DSL. more

3. j3ssie/osmedeus v4.4.2 is a workflow engine for Offensive Security. more

📅 Events

1. NahamSec will be giving a 2-day training at DEFCON: Hacking Organizations: Phishing Not Required (August 14th-15th 2023). more

2. NahamCon 2023 CTF, workshops, and talks (June 15-17). more

3. James Kettle announced his Black Hat talk: Smashing the State Machine: The True Potential of Web Race Conditions. more

4. On June 12th, many subreddits will be going dark to protest Reddit’s third-party policy announcement. more | price change

🎉 Celebrate

1. Jane moved to SF Bay Area, leaving Hong Kong to embark on a new journey in tech. Exciting! more

2. Mason has a new profile picture. Let’s go champ! more

3. Mustafa hit 1MM dollars in all time earning combined from all platforms and external programs. Amazing! more

4. May was an awesome month for bombon in bug bounty. Congrats! more

5. Bishal purchased a new laptop with bug bounty earnings. Beautiful! more

💰 Career

1. Creating in public can and has landed people jobs. It allows you to represent your ideas and skillset. more

⚡️ Community

1. Lupin had his last day at ManoMano, a 2 year ride as a Sr. Security Engineer and Red Teamer. more

2. Hackers share where they get their tips and tricks from. more

3. Cyber Kitten is enjoying nature, and discovered a new bird using the Merlin Bird App. more

📰 Read

1. Jason describes how he achieved the complete compromise of a password manager company. more

2. Stored XSS via Kroki diagram on GitLab by vakzz. more

3. Sector035, the person behind Week in OSINT, shares more about themselves and their OSINT journey. more

4. Hacking a “smart” toothbrush. After buying a new Philips Sonicare toothbrush Cyrill was surprised to see that it reacts to the insertion of a brush head by blinking an LED. more

🙏 Support

Enjoy reading the Hive Five? You can treat me to a coffee!

You can also share the newsletter with your friends.

📚 Resources

1. 2nd level subdomain bruteforcing method, which is built into ReconFTW. more | reconFTW

2. People share their favorite types of swag to receive at conferences. more

3. Occamsec/CVE-2023-2825 contains the PoC for GitLab CVE. This PoC leverages a path traversal vulnerability to retrieve the /etc/passwd file from a system running GitLab 16.0.0. more

4. valeriyshevchenko90/WhereToGo shows you where to go with an account within the corporate environment. more

5. ihebski/DefaultCreds-cheat-sheet is one place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password. more

🎥 Watch

1. XSS via ES6 Reflect API, the solution to Intigriti’s May ’23 Challenge. more

2. Authentication Bypass Using Root Array. LiveOverflow explores the technical details of a tweet to understand where the tip came from, why it was wrong, and eventually learns about the real underlaying vulnerability. more

3. A SecurityFest 2023 talk by Tomer Bar: OopsSec - The bad, the worst and the ugly of APT’s operations security. more

4. An introduction to JWT Attacks, helping you learn about JSON Web Token (JWT) vulnerabilities. more

5. Mentoring the Formerly Incarcerated talk at DevOps Days ATX 2023. more

🎵 Listen

1. Malicious Life - Ad Fraud, Part 1. Learn how Aleksandr Zhukov defrauded some of the biggest American corporations for millions of dollars. more

2. Smashing Security 324: .ZIP domains, AI lies, and did social media inflame a riot? ChatGPT hallucinations cause turbulence in court, a riot in Wales may have been ignited on social media, and do you think .MOV is a good top-level domain for “a website that moves you”? more

3. Critical Thinking - Bug Bounty Podcast E21: Chill Chat with Legendary DoD Hacker Corben Leo. They chat with Corben Leo about his journey in bug bounty hunting and ethical hacking. more

4. The Privacy, Security, & OSINT Show 299 - Self-Hosted Part I. This week they begin the conversation about self-hosting everything, plus offer the latest privacy news. more

5. The Application Security Podcast: The Future of Application Security Engineers. Jeevan Singh, the director of product security at Twilio, discusses the future of application security engineers. more

Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.