
🐝 Hive Five 66 – How to Take Over the World

Hi friends,

Greetings from the hive!

Happy Easter. I hope you were able to spend time with your loved ones.

Let's take this week by swarm!

🐝 The Bee's Knees

  1. AWS RDS Vulnerability Leads to AWS Internal Service Credentials: Lightspin's research team obtained credentials for an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance through the log_fdw extension. The internal service was tied to an AWS-internal account related to the RDS service.

  2. Round Two - An Updated Universal Deserialisation Gadget for Ruby 2.x-3.x: A few months ago they noticed the gadget in their previous article had been patched and no longer worked in Ruby 3.0.3, so they spent a bit of time dusting off the old tools to see if they could find another one. One of the helper scripts they used is based on the original elttam article.

  3. Bug Bounty Redacted #2 - Third Party Subdomain Takeover & Exposed Admin Interfaces: This episode covers two reports - the discovery of a third party subdomain takeover and an exposed administration panel. The discovery process and information about the exact report is shared in this video.

  4. Learn with j3ssiejjj - Automating Recon at scale using Osmedeus: In this video, Ai Ho (j3ssiejjj), the author of Osmedeus, demonstrates how to use the tool to its full potential, including developing modules, alternative configurations, and many other capabilities.

  5. Diving Deeper into WatchGuard Pre-Auth RCE - CVE-2022-26318: Dylan Pindur's reverse engineering of the WatchGuard pre-authentication remote code execution bug tracked as CVE-2022-26318.

πŸ™πŸ» Support the Hive

🔥 Buzzworthy

✅ Changelog

  1. PentesterLab released three new code review challenges in PHP.

  2. SpiderFoot v4.0 release: Correlation engine & define your own rules in YAML, 37 predefined correlation rules reporting interesting findings, 8 new modules for popular security tools.

  3. Gau v2.1.0 release.

  4. Go 1.18 Release Notes: The latest Go release, version 1.18, is a significant release, including changes to the language, implementation of the toolchain, runtime, and libraries.

📅 Events

  1. REcon: Talk selection for Phase 1 of the CFP is done. The CFP ends on April 24.

  2. NahamCon CTF registration is now open: Up to $5,000 in cash prizes! ft. John Hammond.

🎉 Celebrate

💰 Career Corner

  1. Bishop Fox is hiring: Across departments like red team, consulting, and even Team People + Marketing.

  2. Tinder is looking for an experienced researcher.

  3. Differences between security engineer, penetration tester, and red teamer salaries.

  4. Full-time bug bounty hunter discussion: Folks give their perspectives, such as Mustafa and Julien Ahrens.

  5. Qomplx is hiring an OSINT specialist: As an Open Source Intelligence (OSINT) Specialist, you will be a Subject Matter Expert (SME) on collecting and leveraging OSINT data and information, use of specialized OSINT tools and services, and consult on the development of OSINT products.

⚑️ From the Community

  1. Tib3rius is streaming to raise money.

  2. Best high-end headset discussion via pry0cc.

  3. Thoughts on OSCP and other certifications.

  4. Z-winK asks who you would pen test for, if you could choose anyone: "For me, it's @SpaceX because I believe in the mission [...]"

  5. The 100DaysOfHacking Challenge was a game changer for Najam: They had known about bug hunting for 2-3 years now but had never been able to start hunting consistently.

📰 Articles & Threads

  1. How Corben Leo breached a major telecom company: "Who's your phone provider? Well, there's a good chance that I've hacked them! [...]"

  2. How Jason hacked a porn site: "How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities [...]"

  3. Packets Remystified: Broadcast Brujería: Packet analysis and other networking tasks often get a bad rap as difficult to approach and intimidating.

  4. Ruby Deserialization - Gadget on Rails: They recently encountered a Ruby deserialization vulnerability in a Rails application.

  5. How vx-underground is building a hacker's dream library: Editor's Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. "I had no success really," said its founder, who goes by the online moniker smelly_vx.
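Both the elttam gadget write-up in The Bee's Knees and the Gadget on Rails article above concern the same root cause: a Rails application handing attacker-controlled bytes to Marshal.load. The block below is an added illustration, not code from either article or from elttam's gadget chain. It constructs a stand-in class (AuditLogger), a forged "session" blob and a constructed EXECUTED log to make the effect visible; none of these exist in the projects discussed. It shows that Marshal instantiates whatever class the payload names and runs that class's marshal_load with attacker-chosen data, which is the hook real gadget chains build on, and contrasts it with a data-only JSON format plus key allow-listing.

```ruby
require 'json'

# Constructed for this example: records side effects so the test can observe them.
EXECUTED = []

# Harmless stand-in for a class that happens to be loaded in a Rails process.
# Marshal.load allocates it and calls #marshal_load with the data from the payload,
# so any logic in that method runs on attacker-chosen input.
class AuditLogger
  attr_reader :sink

  def initialize(sink = nil)
    @sink = sink
  end

  def marshal_dump
    [@sink]
  end

  # A real gadget chains this into file writes or command execution;
  # here it only appends to EXECUTED so the effect is observable.
  def marshal_load(data)
    @sink = data[0]
    EXECUTED << "marshal_load ran with #{@sink.inspect}"
  end
end

# Attacker side: serialize the object the server should be tricked into building.
def forge_payload(command)
  Marshal.dump(AuditLogger.new(command))
end

# Vulnerable sink: the application trusts the bytes (a cookie, a cache entry, a job argument).
def load_session_vulnerable(bytes)
  Marshal.load(bytes)
end

# Hardened sink: parse a data-only format and keep only the keys the app expects.
def load_session_hardened(str)
  data = JSON.parse(str)
  raise ArgumentError, 'unexpected session shape' unless data.is_a?(Hash)
  data.slice('user_id', 'csrf_token')
end

if __FILE__ == $PROGRAM_NAME
  load_session_vulnerable(forge_payload('id > /tmp/pwned'))
  puts EXECUTED.inspect
  puts load_session_hardened('{"user_id": 7, "csrf_token": "abc", "admin": true}').inspect
end
```

The point to take from it: the fix is never "find and patch the gadget" (elttam's article shows that a patched gadget just gets replaced), it is to stop feeding untrusted bytes to Marshal.load at all, or to sign them so only the application can produce them.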

📚 Resources

  1. Learning resources for hackers, bug hunters, and pentesters via Traw.

  2. TESS shares a hacker story: "It was a private, wildscope program. *.tess.xyz is what the scope looks like. [...]"

  3. Creative ways to use GitHub Actions.

  4. How to establish secure communications.

  5. Bug Bounty Reports Templates: List of templates pdelteil has used since they started doing BBH.

πŸŽ₯ Videos

  1. IppSec doing HackTheBox - Toby.

  2. Awkward VLOG at Nullcon Berlin 2022: LiveOverflow finally met a lot of people they haven't seen in a long time, and also met lots of new people.

  3. Bounty Thursdays - How do you find hidden stuff on websites: That's one of many questions STÖK, Jason Haddix and KUGG answer in this episode. A show where they answer your questions and focus on news, tools, and other topics related to bug bounty and the offensive (red) side of cyber.

  4. A Double-Edged SSRF, Pritunl VPN LPE, and a NodeBB Vuln [Bug Bounty Podcast]: Quick bounty episode this week with some request smuggling, abusing an SSRF for client-side impact, a weird OAuth flow, and a desktop VPN client LPE.

  5. Your next submission is just a Google away! w/ SanderWind: Most information nowadays is freely available on the internet.

🎡 Audio

  1. The Privacy, Security, & OSINT Show #257 - Early Warning: This week they discuss the risks of data sharing from Early Warning and present a new concern about privacy-themed companies accessing your email.

  2. Smashing Security #270 - Bearded Barbie, EDR scams, and hobbyist crime detectives.

  3. How I Built This - WordPress & Automattic - Matt Mullenweg: Matt Mullenweg turned his early passion for blogging into a flourishing business and an unshakeable idea: that users should be able to share and tweak the code that powers their websites, and that most of those tools should be free to use.

  4. How I Built This - Discord - Jason Citron: During his early career, Jason Citron stepped away from two stalled businesses and pivoted, twice, to something far more successful.

  5. How to Take Over the World - Walt Disney (Part 1): Walt Disney's childhood, adolescence, how he got his start in animation, and his first successes.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
