
๐Ÿ Hive Five 62 - Valuable lessons


Hi friends,

Greetings from the hive!

I hope you had a good weekend. Mine was pretty eventful: I moved and built some furniture, which is always rewarding yet exhausting.

Also, as you may know, I enjoy listening to hip hop. Someone at work showed me this amazing mixtape by J. Cole that I somehow had overlooked: Truly Yours. Cole Summer is my favorite track.

What did you do this weekend?

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. CVE-2022-0337 (reward: $10,000 - Google) - Write-up and Video: System environment variables leak on Google Chrome, Microsoft Edge, and Opera.

  2. Bounty Thursdays - live #3 (news/tools and community): In this episode of Bounty Thursdays they focus on news and tools related to bug bounty and the offensive (red) side of cyber.

  3. Alissa Knight Talks About API Hacking, Car Hacking, Creating Content for Hackers and More: Alissa Knight is a cybersecurity influencer, content creator, and community manager as a partner at Knight Ink that provides vendors go-to market and content strategy for telling brand stories at scale in cybersecurity.

  4. Bug Bounty Redacted #1 - Exposed Redis and HAProxy: Welcome to Assetnote's new series called Bug Bounty Redacted. In this series they will be going through reports they have submitted to bug bounty programs over the last five years.

  5. From XSS to RCE (dompdf 0day): The popular PHP library dompdf (used for rendering PDFs from HTML) suffers from a vulnerability that allows Remote Code Execution in certain configurations.

๐Ÿ™๐Ÿป Support the Hive

🔥 Buzzworthy

✅ Changelog

  1. tls.bufferover.run cloud data is now refreshing hourly: A super interesting problem getting the scanner to run this fast on a single machine via erbbysam.

📅 Events

  1. Trace Labs Global OSINT Search Party CTF 2022.03: Trace Labs is a Not-For-Profit organization with the mission of crowdsourcing the collection of Open Source Intelligence (OSINT) to generate new leads on missing persons cases to assist law enforcement. Sat, March 26, 2022 6:00 PM – 10:00 PM EDT.

  2. SANS Open-Source Intelligence Summit 2022: Thu, Apr 7, 2022.

  3. NahamCon2022 - April 30, 2022: Keynote by Jason Haddix and hosted by STÖK.

🎉 Celebrate

💰 Career Corner

  1. struggling to get into the cybersecurity field (thread): What is something that you wish you had known while you were going through that experience that may have helped you/given you hope?

  2. hakluke is looking for cloud security folk: Specifically to write some blog posts.

  3. Career Conversations with seclilc - Offensive Cybersecurity: Check out what Lily is up to.

From the Community

  1. Ben is doing some research for a blog post/video: "Can anyone recall any news/headlines or stories about companies being breached due to leaked credentials on GitHub or GitLab?"

  2. Jason on next innovations of recon frameworks: "HTTP pipelining support, autodetection of black-listing (both CDN-based & app-level), automatic cut-up of large wordlists to be distributed, "stay below this request rate" scanning, & auto-suggested contextual wordlists are the next innovations in all the recon frameworks."

  3. Trace Labs calling for volunteer judges to help with their CTF: "This is a great way to up your osint game, have fun and contribute to osint for good."

  4. prin asks why just bug bounty hunting?: "why not car hacking, sdr hacking, hardware hacking, iot hacking, forensics?"

  5. shubs asks if anyone is going to GISEC 2022: DM him if you'd like to catch up.

📰 Articles

  1. 6 valuable lessons I learned working for a cybersecurity startup: NahamSec says: "It has been an amazing 6 years and working at HackerOne, not only changed my life, but it also helped shape me into who I am today while also teaching me invaluable lessons."

  2. Basic security for humans in 4 Fridays: Instead of talking about the industry or business security, they're going to share their guide on how to set up your own basic personal security.

  3. Top 10 CI/CD Security Risks: Adversaries of all levels of sophistication are shifting their attention to CI/CD, realizing CI/CD services provide an efficient path to reaching an organization’s crown jewels.

  4. How Avi discovered thousands of open databases on AWS: Their journey on finding and reporting databases with sensitive data about Fortune-500 companies, Hospitals, Crypto platforms, Startups during due diligence, and more.

  5. Finding gadgets like it's 2022: Discover vulnerabilities across a codebase with CodeQL, their industry-leading semantic code analysis engine.

📚 Resources

  1. ΜΔDΞRΔS shares privacy resources: Pay Attention to Privacy Track Pending US Privacy Laws, Federal & By State.

  2. CVE-2022-0847-DirtyPipe-Exploits: A collection of exploits and documentation for penetration testers and red teamers that can be used to aid the exploitation of the Linux Dirty Pipe vulnerability.

  3. Bug Bounty Reports Explained email archive is now public.

  4. Learning Blockchain Hacking/Auditing.

  5. Jiska published a Frida tutorial with a focus on iOS devices: It contains an introduction to Frida and iOS, low-level iOS interfaces (GCD, XPC, IOKit, Mach), and Objective-C instrumentation.

🎥 Videos

  1. It Was Easy to Hack a Billionaire: For most Americans, the following rings true: We’re aware there’s risk online, but we don’t know what to do about it.

  2. IppSec tackles HackTheBox - Stacked.

  3. CORS - Lab #1 CORS vulnerability with basic origin reflection: In this video, they cover Lab #1 in the CORS module of the Web Security Academy.

  4. The Pivot - Ritu Gill from OSINT Techniques - Everything about OSINT: Ritu Gill is an Intelligence Analyst with 14 years of experience working in open-source intelligence (OSINT).

  5. Hard Truths & Unexpected Realities - Cybersecurity Lamentations.

🎵 Audio

  1. The Privacy, Security, & OSINT Show #254 OSINT+Fugitives=Rewards.

  2. Human Factor Security Show #179 - Sarah Janes: Jenny speaks to Founder of Layer8 Sarah Janes about culture, champions and why being an eternal optimist is good for productivity.

  3. Smashing Security #266 - Dick pics, secret spies, and Kaspersky: Germany tells consumers to stop using Kaspersky anti-virus products, OSINT reveals a secret government department (with help from an Apple AirTag), and the UK says it's taking a hard line on dick pics.

  4. Risky Business #658 - Germany sounds alarm on Kaspersky software.

  5. How Resilient Is Our Banking System? [ML B-Side]: What is the most critical of all critical infrastructure? Is it Electricity? Water Supply?
