• Hive Five
  • Posts
  • ๐Ÿ Hive Five 58 โ€“ Eyes on the future

๐Ÿ Hive Five 58 โ€“ Eyes on the future

Hi friends,

Greetings from the hive!

I hope you had a great weekend. I ended up moving around some furniture, watched some productivity (Obsidian) videos, and enjoyed the UFC.

Something else I'd like to talk about is depression. This weekend alone, I noticed STร–K's tweet and a video by a famous YouTuber. I've dealt with depression myself, and in the words of STร–K: "If you feel depressed, alone, or lost, there is help to get. You are not alone.".

Also, resources such as Dr. K's Healthy Gamer, as Jason Haddix recently mentioned, can be helpful and insightful.

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. Bounty Thursdays (ft Jason Haddix & the twitter spaces squad): A liveshow of Bounty Thursdays focusing on news, tools and events related to the bugbounty space. Dig into Redirects and SVG's and a Q/A with the community!

  2. Reverse Engineering 101 - Intro to Ghidra on Linux by Reversing 5 crackmes.

  3. COOK: An overpowered wordlist generator, splitter, merger, finder, permutator, encoder, decoder.. A customizable frustration killer, the wordlist framework.

  4. Eliminating Dangling Elastic IP Takeovers with Ghostbuster: Over the last ten years, companies have truly adopted cloud providers such as AWS, Azure and GCP, rapidly spinning up infrastructure to keep up with the growing needs of their businesses.

  5. Hunting for bugs in VMware - View Planner and vRealize Business for Cloud: Last year they found a lot of exciting vulnerabilities in VMware products. They were disclosed to the vendor, responsibly and have been patched. Thereโ€™ll be a couple of articles, that disclose the details of the most critical flaws.

๐Ÿ™๐Ÿป Support the Hive

  • Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

๐Ÿ”ฅ Buzzworthy

โœ… Changelog

  1. TryHackMe released 2 free Red Team Fundamental rooms.

  2. sw33tLie updated bbscope and added immunifi support: This can be useful to both web and smart contract hackers, as the tool is able to filter for a specific category.

  3. DOMPurify 2.3.6: a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

  4. Findomain v7.0.0-beta3.

๐Ÿ“… Current Events

  1. Jason Haddix joins bug bounty Thursday's live: Going forward they'll be working together! They'll experiment with a bi-weekly show taking direct community callers & discussing topics together.

  2. sw33tLie shares his thoughts on Caido.

  3. ZAPCon 2022 Schedule is Now Live: They've released the speaker lineup and schedule for the ZAPCon 2022. ZAPCon takes place on March 8-9, with one day of talks and one day of incredible workshops.

  4. Nullcon Berlin Speaker announcement - James Kettle: Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later? Certain vulnerabilities have a knack for evading auditors.

  5. Fenil Shah is looking for an opportunity to work as a Cyber Security Analyst/Consultent Intern.

๐ŸŽ‰ Celebrate

๐Ÿ’ฐ Career Corner

๐Ÿ“ฐ Articles

  1. ElSec's first report on HackerOne - A logic flaw in npm: They discovered a logic flaw in npmjs.com URL routing fallback handler. The report was triaged and later accepted by GitHubโ€™s bug bounty program.

  2. The multiple meanings of "nameserver" and "DNS resolver".

  3. Why OSINT doesnโ€™t need your feelings.

๐Ÿ“š Resources

  1. Coinbase's "largest-ever bug bounty": How a flaw in the new Advanced Trading feature would have allowed a malicious user to sell BTC or any other coin without owning them, and how Coinbase's reaction speed on a Super Bowl Friday averted a possible crisis. Bounty: $250,000

  2. Adam is happy to finally release the game code that oooverflow used to run DEFCON Finals CTF: This was roughly the 3rd attack-defense CTF game infrastructure that they've written, so there's a lot of design principles and lessons learned that they'll share in this.

  3. renniepak's GoogleVRP journey: 60 emails with GoogleVRP and he's back at square 1, trying to get a bounty paid.

  4. Osirys on payload and tampering: they found their setup was lacking the adequate tooling to quickly create dicts/payloads on the fly, as well as a automatic tamper/exotic-encoding to test WAFs.

  5. pure bash bible: The goal of this book is to document commonly-known and lesser-known methods of doing various tasks using only built-in bash features.

๐ŸŽฅ Videos

  1. John Hammond -Hacking ELECTRON - JavaScript Desktop Applications w/ 7aSecurity.

  2. IppSec takes on HackTheBox - Bolt.

  3. Uncovering NETWIRE Malware - Discovery & Deobfuscation.

  4. Tib3rius's TryHackMe - Advent of Cyber 3 Days 11 - 17 & Holo Network: A lightly edited recording of a stream where they solved a week of challenges from TryHackMe's Advent of Cyber 3, and continued the Holo Network.

  5. How Bad Can Clicking a Link Be? Getting Shells From Javascript, Offensive JS: BSidesSF2021: @xntrik and @InsecureNature co-present a talk that shows avenues javascript can be used to jump from malicious websites to servers without a browser exploit.

๐ŸŽต Audio

  1. What NahamSec has been listening to lately: "I've been listening to a lot of speeches and remixed music with Alan Watts and holy crap. Where has this been all my life?"

  2. The Privacy, Security, & OSINT Show #251 - Six Important Show Updates: This week they offer several show updates surrounding Retail Equation, pfSense, OSINT prosecution, Coinbase spam, silent AirTags, and podcast blocks.

  3. Smashing Security #262 - Macro progress, eyeball-tracking ads, and encryption backdoors.

  4. A Conversation with IppSec - Learning To Think Like A Hacker.

  5. Things Worth Learning - Living Intentionally with Scott Hanselman.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.

Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.

Already a paying subscriber? Sign In

A subscription gets you:
Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
Experience continuously added NEW BENEFITS.