- Hive Five
- Posts
- π Hive Five 69 β I am. All of us.
π Hive Five 69 β I am. All of us.
Photo by Alexander Shatov / Unsplash
Hi friends,
Greetings from the hive!
Happy belated Motherβs Day and world password day! I hope you and yours had a good weekend.
I had a week off from work but worked my butt off at home instead. Although it was taxing, I enjoyed spending time with my family.
I also watched the latest (last?) Ozark season. What a great show.
What did you do last week?
Let's take this week by swarm!
π The Bee's Knees
Advanced sqlmap Case Study: Many new bug bounty hunters will blindly rely on the output of tools to magically find them bugs.
CloudFlare Pages, part 1 - The fellowship of the secret: The process of reporting, remediating and validating these problems was undertaken with the utmost professionalism and diligence by all parties.
The $16,000 Dev Mistake: This is a writeup on how he located some AWS keys with Recon and was able to leverage it to find out roles and permissions, as well as digging deeper to different services to really solidify the impact.
HYS London 2022: 'Skeleton's in the closest and other tales from beyond the grave' is a collection of stories on just some of the vulnerabilities Katie Paxton-Fear has found during her time as an Ethical Hacker. Slides.
ππ» Support the Hive
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
π₯ Buzzworthy
β Changelog
Osmedeus v4.1.1: A Workflow Engine for Offensive Security.
π Events
The hitchhiker's guide to harvesting open source intelligence for offensive security purposes - May 31st @ 6:30pm: Get a glimpse into harvesting credentials/keys/secrets, etc.
Joe Grand's Open Lab - YouTube Live AMA #2 - May 14th: The questions keep on coming and what better way to answer them than doing it live?
π Celebrate
π° Career Corner
Jake on turbocharging your (infosec) career: "If you want to turbocharge your infosec career, head over to the Harvard MBA reading list. [...]"
Job - Senior SIEM/SOAR master: US based, must be a US citizen or have your visa and live in the US. Remote position but HQ is in Cincinnati Ohio.
β‘οΈ From the Community
STΓK asks what educontent is missing in the cybersecurity space.
Interview with Casey Ellis - Bugcrowd, disclose.io, cybersecurity.
Jason is combining forces with Corben: They will be posting their stories to a newsletter.
π° Articles & Threads
Jason's 100 million person data disclosure: That time he hacked a whole country by accident!
Corben on how simple observations can lead to finding huge vulnerabilities.
Hacking a Bank by Finding a 0day in DotCMS: The CVE for this issue is CVE-2022-26352.
π Resources
Jason's resources cited in the Bug Hunter's Methodology Application analysis v1.
A Clipboard is All You Need to Break Into a Building - Darknet Diaries Ep. 22 - Mini-Stories Vol. 1: A penetration test gone horribly ... right?, mysterious system updates at the windfarm, and the delicate art of social engineering. This episode contains three unbelievable true stories from the dark side of the Internet.
π₯ Videos
Bug Bounty Tools (Advanced) - Extract domains from IPs using SSL Certs: Z-Wink goes over a tool he wrote to loop over IP address ranges and extract common name and subject alternate names from certificates, then check those names to see if they are responsive, extract headers, and write this info out to a file.
Interview #2 - Picking a Bug Bounty Program: How Z-wink chooses a bug bounty program.
Crafting a Minecraft 0day: In this video he shows off his new XRay mod, go mining, almost die in the Nether and discover a vulnerability in the Minecraft Protocol.
HITB2019AMS KEYNOTE 2 - Securing Journalists - Runa Sandvik: Runa Sandvik joined The New York Times in 2016 to build a security program dedicated to the newsroom.
π΅ Audio
Bug Bounty Podcast - XSS for NFTs, a VMWare Workspace ONE UEM SSRF, and GitLab CI Container Escape: Some straight forward bugs this week with some interesting discussion around cryptographic protocols (VMWare Workspace), XSS in the Web3 world, and whether container escapes into a low-privileged VM matter. Along with a couple just note-worthy test-cases to keep in mind while bug hunting.
Malicious Life - Operation Sundevil and the Birth of the EFF: In May 1990, officials from several law enforcement agencies gathered in Phoenix, Arizona, to announce a nationwide crackdown on illegal computer activity.
The Privacy, Security, & OSINT Show #260 - Google's New Policy Change: This week they discuss Google's new data removal policy, the first issue of UNREDACTED Magazine, and numerous privacy & OSINT updates.
Smashing Security #273 - Password blips, and who's calling the airport?.
Darknet Diaries #116 - Mad Dog: Jim Lawler, aka βMad Dogβ, was a CIA case officer for 25 years. In this episode we hear some of the stories he has and things he did while working in the CIA.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
Subscribe to Premium to read the rest.
Become a paying subscriber of Premium to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In.
A subscription gets you:
- β’ Join a private Discord COMMUNITY: Engage in chat, uplift one another, grow together, and explore shared interests.
- β’ Access to COMPLETE HIVE ARCHIVE: Unlock a treasure trove of tools, resources, videos, and audio, catering to all your needs.
- β’ EXCLUSIVE & BONUS content: Delve into hundreds of curated links that didn't make it into the newsletter.
- β’ MEMBER-ONLY events: Take part in digital meetups, focus sessions, and more.
- β’ Deep DISCOUNTS on paid content.
- β’ Experience continuously added NEW BENEFITS.