
🐝 Hive Five 65 – Nahomies

Hi friends,

Greetings from the hive!

I hope you had a wonderful weekend. It was the return of Sunday Live Recon. Good vibes.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. The Nahomies are back: Excited to watch another season of Live Recon. This time it's co-hosted by @Jhaddix + @stokfredrik. First guest was none other than @ippsec!

  2. ComfyCon AU 2022: ComfyCon AU was originally constructed as a conference in March 2020 as a response to the cancellation of Cyber Security conferences due to the COVID-19 pandemic.

  3. soXSS - writeup: The challenge consisted of two components: a text input for HTML notes, and an HTML page rendered from the textarea inside an iframe. The embedded iframe was within the same origin, but data sent to it was sanitized by DOMPurify.

  4. Minecraft, But It's Reverse Engineered...: In this episode we learn how Minecraft servers are implemented by looking at PaperMC and tracing the dependencies. Turns out the custom Minecraft servers rely on decompiling the server source code! It's insane what this Minecraft community has created.

  5. Jason Haddix's infamous Xmind Hunt Template: He gets asked a lot for his XMIND mindmap template which he uses and fills out as he hunts.

🙏🏻 Support the Hive

🔥 Buzzworthy

✅ Changelog

  1. ffuf v.1.5.0: This release adds huge improvements for automation use cases in the form of an autocalibration rewrite.

  2. Osmedeus v4.1.0: A new update command and some big refactoring in the codebase to make it faster and cleaner.

  3. Arjun v2.1.5.

  4. ReconFTW v2.2.2: reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.

  5. Burp Suite Pro v2022.2.3: Burp Scanner's crawler is between 6x - 9x faster when used against static or stateless sites.

📅 Events

  1. The Diana Initiative's CFP is open: Come to Las Vegas August 10th & 11th to share your knowledge. Round 1 ends April 25th.

🎉 Celebrate

⚡️ From the Community

📰 Articles

  1. Stealing checks worth millions & pwning a bank: Another long (hacker) story when Jason was once contracted to do a penetration test on a bank.

  2. Bypassing CDN WAF’s with Alternate Domain Routing: Content Distribution Networks (CDNs), such as CloudFront and CloudFlare, are often used to improve the performance and security of public-facing websites.

  3. Monocle - How Chime creates a proactive security & engineering culture (Part 1).

  4. Gophish Setup, Gandi – Part 2: Please review the Gophish – Part 1 blog to ensure you are ready to configure Gophish with Gandi before proceeding with this blog post.

  5. NoSQL Injection in Plain Sight: This article is about their recent discovery on Synack Red Team which was a NoSQL injection.

📚 Resources

  1. Corben Leo on how he gained admin access to a Trans-Atlantic cable: "In 2010, WikiLeaks released a classified document. [...]"

  2. Personal Security Checklist: A curated checklist of 300+ tips for protecting digital security and privacy in 2022.

  3. Stefan Rows visualized Jason Haddix's Bug Hunter Methodology v4.

  4. hakluke sharing 5 great cybersecurity news outlets.

  5. Jason Haddix on how he completely compromised a password manager company: "I was given the project to pentest a password manager company. [...]"

🎥 Videos

🎵 Audio

  1. Spring4Shell, PEAR Bugs, and GitLab's Hardcoded Passwords [Bug Bounty Podcast]: This week they had some fun with some bugs that really shouldn't have passed code-review.

  2. Smashing Security #269 - Trezor Deep Throat, a CCTV stalker, and Amazon's list of banned words: Kolide is a SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.

  3. Art of Network Engineering #89 – SheNetworks: In this episode, they interview SheNetworks, aka Serena.

  4. Darknet Diaries #114 - HD: HD Moore invented a hacking tool called Metasploit.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
