- Hive Five
- Posts
- 🐝 Hive Five 58 – Eyes on the future
🐝 Hive Five 58 – Eyes on the future
Bee
February 20, 2022
Photo by Amanda Dalbjörn / Unsplash
Hi friends,
Greetings from the hive!
I hope you had a great weekend. I ended up moving around some furniture, watched some productivity (Obsidian) videos, and enjoyed the UFC.
Something else I'd like to talk about is depression. This weekend alone, I noticed STÖK's tweet and a video by a famous YouTuber. I've dealt with depression myself, and in the words of STÖK: "If you feel depressed, alone, or lost, there is help to get. You are not alone.".
Also, resources such as Dr. K's Healthy Gamer, as Jason Haddix recently mentioned, can be helpful and insightful.
Let's take this week by swarm!
🐝 The Bee's Knees
Bounty Thursdays (ft Jason Haddix & the twitter spaces squad): A liveshow of Bounty Thursdays focusing on news, tools and events related to the bugbounty space. Dig into Redirects and SVG's and a Q/A with the community!
Reverse Engineering 101 - Intro to Ghidra on Linux by Reversing 5 crackmes.
COOK: An overpowered wordlist generator, splitter, merger, finder, permutator, encoder, decoder.. A customizable frustration killer, the wordlist framework.
Eliminating Dangling Elastic IP Takeovers with Ghostbuster: Over the last ten years, companies have truly adopted cloud providers such as AWS, Azure and GCP, rapidly spinning up infrastructure to keep up with the growing needs of their businesses.
Hunting for bugs in VMware - View Planner and vRealize Business for Cloud: Last year they found a lot of exciting vulnerabilities in VMware products. They were disclosed to the vendor, responsibly and have been patched. There’ll be a couple of articles, that disclose the details of the most critical flaws.
🙏🏻 Support the Hive
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
🔥 Buzzworthy
✅ Changelog
sw33tLie updated bbscope and added immunifi support: This can be useful to both web and smart contract hackers, as the tool is able to filter for a specific category.
DOMPurify 2.3.6: a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
📅 Current Events
Jason Haddix joins bug bounty Thursday's live: Going forward they'll be working together! They'll experiment with a bi-weekly show taking direct community callers & discussing topics together.
ZAPCon 2022 Schedule is Now Live: They've released the speaker lineup and schedule for the ZAPCon 2022. ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.
Nullcon Berlin Speaker announcement - James Kettle: Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading auditors.
Fenil Shah is looking for an opportunity to work as a Cyber Security Analyst/Consultent Intern.
🎉 Celebrate
naffy is 320 days alcohol and nicotine free: Let's go champ!
sw33tLie got a cool hoodie: Congrats again!
ca$s:e cage is looking forward to many new adventures: Exciting times!
💰 Career Corner
📰 Articles
ElSec's first report on HackerOne - A logic flaw in npm: They discovered a logic flaw in npmjs.com URL routing fallback handler. The report was triaged and later accepted by GitHub’s bug bounty program.
📚 Resources
Coinbase's "largest-ever bug bounty": How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase's reaction speed on a Super Bowl Friday averted a possible crisis. Bounty: $250,000
Adam is happy to finally release the game code that oooverflow used to run DEFCON Finals CTF: This was roughly the 3rd attack-defense CTF game infrastructure that they've written, so there's a lot of design principles and lessons learned that they'll share in this.
renniepak's GoogleVRP journey: 60 emails with GoogleVRP and he's back at square 1, trying to get a bounty paid.
Osirys on payload and tampering: they found their setup was lacking the adequate tooling to quickly create dicts/payloads on the fly, as well as a automatic tamper/exotic-encoding to test WAFs.
pure bash bible: The goal of this book is to document commonly-known and lesser-known methods of doing various tasks using only built-in bash features.
🎥 Videos
John Hammond -Hacking ELECTRON - JavaScript Desktop Applications w/ 7aSecurity.
Tib3rius's TryHackMe - Advent of Cyber 3 Days 11 - 17 & Holo Network: A lightly edited recording of a stream where they solved a week of challenges from TryHackMe's Advent of Cyber 3, and continued the Holo Network.
How Bad Can Clicking a Link Be? Getting Shells From Javascript, Offensive JS: BSidesSF2021: @xntrik and @InsecureNature co-present a talk that shows avenues javascript can be used to jump from malicious websites to servers without a browser exploit.
🎵 Audio
What NahamSec has been listening to lately: "I've been listening to a lot of speeches and remixed music with Alan Watts and holy crap. Where has this been all my life?"
The Privacy, Security, & OSINT Show #251 - Six Important Show Updates: This week they offer several show updates surrounding Retail Equation, pfSense, OSINT prosecution, Coinbase spam, silent AirTags, and podcast blocks.
Smashing Security #262 - Macro progress, eyeball-tracking ads, and encryption backdoors.
A Conversation with IppSec - Learning To Think Like A Hacker.
Things Worth Learning - Living Intentionally with Scott Hanselman.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
Subscribe to the Hive Five to read the rest.
Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In