🐝 Hive Five 63 – The Power of Now

Hi friends,

Greetings from the hive!

I hope you had a good weekend. I received a bunch of different books this week, and ordered one myself on Ben's recommendation: The Power of Now - A Guide to Spiritual Enlightenment.

I can't wait to read them all. Have you read anything interesting lately?

Let's take this week by swarm!

🐝 The Bee's Knees

1. LiveOverflow has been Hacking for 10 Years! (Stripe CTF Speedrun): In 2012 he came across his first hacking CTF. Stripe organized a Capture the Flag competition with 6 levels to learn about different vulnerabilities. This is what it all started for him.

2. rootxharsh Talks About Recon, Finding A $50,000 Remote Command Execution in Apple, and more!: rootxharsh is an amazing hacker with a ton of experience. In this interview, Harsh shares his story about how he got into hacking and bug bounties, his recon approach, as well as his $50,000 bounty on Apple!

3. $100k Hacking any website in Safari with uXSS - a 0-day chain.

4. C++ Memory Corruption (std::string) - part 4: This is the next part of the C++ memory corruption series*. In this post, we'll look at corrupting the std:string object in Linux and see what exploitation primitives we can gain.

5. Thinking About the Future of InfoSec (v2022): Daniel is starting a new series with this 2022 edition where he thinks about what Information Security could or should look like in the distant future—say in 2050. The ideas will cover multiple aspects of InfoSec, from organizational structure to technology.

🙏🏻 Support the Hive

• Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

• TCM Security Academy - courses, bundles, gift certs, and access passes. Cybersecurity Training That Doesn't Break the Bank. Don't overspend on your education!

• Privacy.com - Protect Yourself Online. Create virtual cards, set a spend limit on each transaction, and track your spend. Take back control of your payments.

Become a sponsor

🔥 Buzzworthy

✅ Changelog

1. ffuf v1.4.0 release: This is a release with a ton of bugfixes and few major new features from community contributors. And a new mascot!

2. Sharpener v1.2 release: Now in BApp Store.

📅 Events

1. Bia will be speaking at H.O.P.E. conf: Hackers On Planet Earth - July 22-24, 2022 - Queens, New York City, USA.

🎉 Celebrate

1. Akita got his own apartment: Congrats!

2. lil c was on her first official OSINT engagement: Exciting!

3. Yassine's last Ramadan week: 🙏.

4. Patrick celebrating Snyff and Pentesterlab: Agreed!

5. Nagli (and team) secured gold and silver: Well done!

💰 Career Corner

1. How to Build a Career in Tech: Kurt Kemple Connects the Dots: Jason Lengstorf interviews Kurt Kemple.

2. A year without a job, what did Serena do instead.

3. 180+ OKR and goal examples.

⚡️ From the Community

1. Ben's drunk AMA.

2. TomNomNom started at Bishop Fox.

3. People's top 3 YouTube binge channels via rez0.

📰 Articles

1. Left To My Own Devices – Fast NTCracking in Rust.

2. How to Disagree: Paul Graham has a great piece on how to disagree with people in the best possible way.

3. Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121): This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group.

4. Implementing a toy version of TLS 1.3.

5. Basic recon to RCE II: They originally wanted to name this article “The RCE that everyone missed”, but since it was too “clickbait”, this is the title you see now.

📚 Resources

1. Smart contract audit checklists.

2. Which certs are best for particular InfoSec specializations (thread).

3. What Jason Haddix uses for bug bounty: "Testing Environment: DO Ubuntu VPS, 2 vCPUs. 4GB mem / 60GB Disk, ($20/mo)."

4. People's favorite hacker YouTube channels.

5. Cybersecurity handbook: This digital handbook was crafted by the GuideSmith team in order to provide a simple and easy guide for newcomers.

🎥 Videos

1. CORS - Lab #2 CORS vulnerability with trusted null origin | Long Video: This video covers Lab #2 in the CORS module of the Web Security Academy.

2. Heap Exploitation on Linux 101: The House of Force Technique.

3. IppSec tackling HackTheBox - Secret.

4. PHP Type Juggling - Why === is Important.

5. Chrome Heap OOB Access and TLStorm [Binary Exploitation Podcast]: A few issues this week, a OOB access in chrome and in the Linux Kernel's Netfilter, and a few issues in Smart UPS devices.

🎵 Audio

1. The Privacy, Security, & OSINT Show #255 -Dedicated VPN IP Addresses: This week discusses the benefits of a dedicated VPN IP address, and an overall update to thoughts on VPN providers.

2. Smashing Security #267 - Virtual kidnapping, two helipads, and a naughty Apple employee: A Russian bank tells its customers to stop installing security updates, an Apple employee ends up in hot water, and learn our tips to avoid being virtually kidnapped.

3. Risky Business #659 - Okta and Microsoft meet LAPSUS$.

4. Malicious Life - Cyber PTSD.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.

Subscribe to the Hive Five to read the rest.