🐝 Hive Five #28 – Hunt for jobs like a hacker

Hi friends,

Greetings from the hive!

I hope you had a great week and a wonderful weekend.

Earlier today, I watched another excellent Sunday live recon session. This one came with a twist, it was a resume edition, where Ben and Jason shared tips and tricks. This excellent subject reminded me ofget your work recognized: write a brag document and how to hunt for jobs like a hacker.The latter is featured in my Must-watch infosec talks of 2020, naturally both Ben and Jason are on the list as well.

Let's take this week by swarm!

🐝 The Bee's Knees

1. July Lightning Event Featuring Ben Sadeghipour: Ben delves into the different ways hackers can leverage their experience with bug bounties to create revenue streams that works best for them.

2. Nagli's BountyTricks: Sharing Bug Bounty tips and tricks with the community including but not limited to automation, one liners and useful thoughts.

3. Awesome Penetration Testing: A collection of awesome penetration testing resources, tools and other shiny things.

4. Sliding Bounties and Why You Should Use Them: If you’ve been doing bug bounty for any time, either as a hunter or a program, you’ve doubtless heard complaints about CVSS scoring.

5. Inside the War Room That Saved Primitive Finance: It was 5:50pm in Lisbon on a Saturday evening when Mitchell Amador of Immunefi messaged Alexander Angel of Primitive Finance. There are some things you don’t want to hear. “U up?” is one of them.

🙏🏻 Enjoy This Newsletter?

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

💌 Want to sponsor an issue?

🔥 Buzzworthy

✅ Changelog

1. Frida 15.0 Released: So much has changed. Let’s kick things off with the big new feature that guided most of the other changes in this release: Earlier this year they were brainstorming ways they could simplify distributed instrumentation use-cases.

2. bbscope update: Just released an update for bbscope so it now uses the new HackerOne API token.

3. HackerOne researcher API: This release is now out of beta and is available to the hacker community. It includes a collection of API endpoints that help automate common workflow tasks.

4. Fleex 1.1: Introduction to modules, Bug fixes, improved scan, improved install script, and more.

5. Cerbrutus implemented FTP: Modular brute force tool written in Python, for very fast password spraying SSH, and in the near future other network services.

📅 Events

1. Jason Haddix thinking about dropping TBHM V4: "If I can get the motivation, I’m thinking about dropping the bug hunters methodology v4 narrow/appsec/non-recon edition at a smaller venue for feedback."

2. DEFCON 29 speakers.

🎉 Celebrate

1. Harsh Bothra got a new home: it's a big goal checked off from their list. Awesome!

2. honoki's BBRF passed 300 stars on GitHub: it really motivates him to continue making it better. Congrats!

3. cje is over the moon about Bugcrowd & Corellium partnership: he's been a fanboy of Corellium's tech for a long time. So exciting!

4. Naffy is 100 days nicotine free. You got this!

5. RogueSMG: is celebrating 365+ Days. 22 Videos. 3000+ Fam. 5x Learnings. 50x Friends. Amazing!

💰 Jobs

1. Manchester Metropolitan University Cyber Security Engineer/Analyst: work full time on an 2-year Knowledge Transfer Partnership (KTP) to develop an AI-Augmented Security capability for IoT-enabled critical national infrastructure.

2. Principal Product Manager at Bugcrowd.

3. Careers — Krebs Stamos Group: KSG strives to maintain a simple and straightforward set of positions and career paths. We envision that successful early-career applicants will fit into one of two career tracks:

4. Discord — Senior Security Engineer.

5. Senior Analyst - Red Team Corporate Support Center: The United IT team designs, develops and maintains massively scaling technology solutions that are brought to life with innovative architectures, data analytics and digital solutions.

📰 Articles

1. The July 2021 Security Update Review: Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new.

2. My Experience on Bug Bounty Hunter: "The only true wisdom is in knowing you know nothing." ~Socrates This was them when they first got into Bug Bounty.

3. BugBountyHunter Chats: 0xblackbird, YouGina, JTCSec and HolyBugx have been members from very early on and have shown great progress, but recently they paused testing on BARKER and got together to collaborate on a chosen bug bounty program.

4. Chapter 2: Is a Bug Bounty Program Right for You?: You might be intrigued by the idea of interacting with researchers, and wondering about the risks of exposure that comes with researchers hacking away at your product.

5. ProTips - Catching Bugs with Adrien Jeanneau: Adrian will share his favorite expert tips on how he stays successful in hunting bugs on most of the major bug bounty platforms.

📚 Resources

1. My Javascript Recon Process - BugBounty: This is a simple guide to perform javascript recon in the bugbounty.

2. TomNomNom on the find command: The 'find' command is one of my most used commands.

3. emadshanab/Acomplete-guide-to-dir-brute-force-admin-panel-and-API-endpoints: A complete guide to dir brute force,admin panel and API endpoints.

4. CTF Writeups for events participated in as part of {The NaN Squad}.

5. GF-Patterns-Redux: These are small modifications on Tomnomnom and 1ndian133t's GF patterns.

🎥 Videos

1. SQL Injection - Lab #16 Blind SQL injection with out of band data exfiltration.

2. $20,000 RCE in GitLab via 0day in exiftool metadata processing library CVE-2021-22204: This video is an explanation of bug bounty report submitted to GitLab by William Bowling.

3. Hacker Heroes #5 - rana__khalil: An educator, Youtuber and security specialist.

4. Hacker Tools - CyberChef: A look at CyberChef and a practical example of how to use it in your day-to-day bug bounty life.

5. ep03 - CTF development - creating a CTF from scratch: In this video, Adam builds and hosts a CTF from scratch, taken from a vote the vulns were an IDOR which pivoted to a blind XSS.

🎵 Audio

1. Swyx on Marketing Yourself.

2. Writing Advice by David Perell w/ Courtland Allen.

3. James Clear on What You Want.

4. 6 Lessons - leaving the white picket fence for travel life.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.