🐝 Hive Five 151 - It’s later than you think

Hi friends,

Greetings from the hive.

Don’t keep putting things off. Go for it! I believe in you. Whatever your dream is, I'll see you there.

Let's take this week by swarm.

🐝 The Bee's Knees

1. Next Gen Hacker? atomiczsec shares their experience as a hacker and how they use their skills in cybersecurity to solve problems and pursue their interests. YOUTUBE

2. An interview with MVH, DEFCON Black Badge, and Googler Sam Erb. In this episode of CTBB, they talk about the importance of understanding how systems work to find vulnerabilities, and how his engineering background influences his hunting style and methodologies. YOUTUBE

3. mega7 found an SSRF in HackerOne's Analytics Reports. The issue allowed attackers to make internal requests from our application servers by exploiting a lack of output sanitization in an error message. By crafting malicious requests, an attacker could have accessed internal AWS services and obtained temporary credentials. HACKERONE

4. Trains were locking up for arbitrary reasons after being serviced at third-party workshops. What they found after reverse engineering is wild. HACKERSPACE

5. Blind CSS Exfiltration: exfiltrate unknown web pages. It can extract input’s names and values, textarea name attributes, form actions and even anchor links. PORTSWIGGER

Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

️💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

✅ Changelog

1. GAP-Burp-Extension by xnl-h4ck3r v4.5: Burp Extension to find potential endpoints, parameters, and generate a custom target wordlist. GITHUB

2. Nikto 2.5.0 is released and it contains hundreds of updates over several years, including ipv6 support. TWITTER

📅 News

1. Intigriti released their Researcher API: feed your automation, get findings faster, and see real time updates. YOUTUBE

2. Ben joined trick3st as an advisor to help the next generation of hackers with automating offensive security. TWITTER

🎉 Celebrate

1. Happy 30th birthday to DOOM! TWITTER

2. Ian started Seats.aero 1.5 years ago as a fun side project. To his surprise, it grew much faster than expected. Let's go! TWITTER

3. Rohan achieved a spot in the HackerOne Top 100. Amazing! TWITTER

4. NahamSec hit the million-dollar milestone on HackerOne. LFG! TWITTER

5. Inti was awarded the "UNDER 30 - Cybersecurity Professional of the Year” title. Well deserved! LINKEDIN

💰 Career

1. Never thought about this before, but Connor shared how to max out PTO in 2024. TWITTER

2. Day In My Tech Life: FIRE with DOD Cybersecurity Engineer Huralain. Step into the world of a DOD Countermeasure Cybersecurity Engineer with her own government cybersecurity contracting company. YOUTUBE

3. Wes on how to raise the bar on your team: aim for a culture of high standards and high feedback. TWITTER

4. 4n6lady is hiring on her team: AWS Customer Incident Response Team in various locations globally. TWITTER

5. This one made me laugh out loud. Kate on the three stages of career development: I want to be in the meeting, I want to run the meeting, I want to avoid meetings. TWITTER

⚡️ Community

1. Charlie shares a talk that's impacted his life profoundly: Richard Thieme - Staring into the Abyss at DEF CON 19. TWITTER

2. A hilarious Twitter post and comments on fun activities to do with a 6-week-old baby. TWITTER

3. Katie shared her desk setup and it looks amazing! TWITTER

4. 2023 SANS Holiday Hack Challenge & KringleCon. Join the global cybersecurity community in its most festive cybersecurity challenge of the year. SANS

📰 Read

1. 2024 HackerOne Live Hacking Events structure and rules. HACKERONE

2. Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol. Valve, the company behind the widespread videogame platform Steam, released in 2019 a feature called Remote Play Together. It allows sharing local multi-player games with friends over the network through streaming. THALIUM

3. OWNCLOUD CVE-2023-49105 allows you to either get complete access to the files of any user (and potentially, get RCE), or if you already have an account, escalate your privileges to admin, paving the way for remote code execution. The other, CVE-2023-49103, is a PHPinfo. AMBIONICS

4. Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe’s Biggest Ports - February 14, 2020, brought an unprecedented Valentine’s Day surprise for Costa Rican police –– in a shipping container of decorative plants, they discovered 3.8 metric tons of cocaine. OCCRP

5. Carlo, an infrastructure engineer at HackerOne, wrote about if infrastructure written as code can go stale. CARLO

💡 Tips

1. A recon tip by xnl-h4ck3r, run xnLinkFinder over waymore results to find more potential links, params, and generate a custom worldlist. TWITTER

2. Damian on a recon method that basically no one performs: monitoring newly registered domains. TWITTER

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

1. @chrisbiscardi | party-corgi.

2. @emgeekboy | Geekboy | Hacker, Co-Founder @pdiscoveryio, Ex-Security Analyst / BugBounty @Hacker0x01.

3. @pikpikcu | pikpikcu | Stay kiddie stay wannabe.

4. @riskybusiness | Patrick Gray | Host of the Risky Business® podcast. Guests by invitation only.

5. @0xpatrik | Patrik Hudak | (Automation x AI)².

🚀 Productivity

1. Categorize your life and use a journaling prompt to see how you align over time. YOUTUBE

2. Everyone's favorite proxy companion, FoxyProxy, introduced shortcuts for enabling/disabling the proxy. TWITTER

3. Greg on the benefit of outlining your vision for the future in detail: "A line is a dot that went for a walk." TWITTER

4. A simple productivity tip that no-one talks about: checklists — Whenever I incorporate these, such as for my newsletter, the results are immediate. I should really implement these further. YOUTUBE

5. A 1-minute short how to use fd, fzf, fzf-tmux, and neovim — I love this format! I even learned a thing or two. YOUTUBE

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

1. How one developer continues to defy the impossible. Nathan takes a deep dive into the Doom games. YOUTUBE

2. 7 Days of indie game dev — I have no idea who this is or what the game is about but their approach and editing are great: . YOUTUBE

3. Building Basecamp project stacks with Hotwire. Nicklas shows us how they used Turbo and Stimulus to implement project stacks, a new feature to visually group projects in Basecamp. 37SIGNALS

4. Mozilla Hacks introduces llamafile, which lets you turn large language model (LLM) weights into executables. MOZILLA

5. In this series, Vhyrro explains how you can effectively script Neovim to become your perfect text editor. YOUTUBE

🧠 Wisdom

1. Paul on a superpower is to be interested in important things tha tmost other people find boring. TWITTER

2. A Portland father reflects on the sudden loss of his son: "It’s later than you think." OREGONLIVE

3. Danny on future work: generalists > specialists. Learn the basics and let AI do the heavy lifting. TWITTER

4. If you ever wondered how to stand out: just keep going. Paul shares how many people make it through each day of Replit's online 100 days of code tutorial. TWITTER

💛 Cross-pollination

1. How Lauren (and the interwebs) found the original artists of a country song that played in the background of an X-files episode. TWITTER

2. World’s Strongest Man Lives The Sumo Wrestler Lifestyle For 72 hours. YOUTUBE

3. What you should include in the About page of your blog. TWITTER

4. 52 things Tom learned in 2023, such as this gem: "When Italy banned Chat-GPT, productivity of coders in the country fell by 50% before recovering. (David Kreitmeir & Co)". MEDIUM

5. Advice therapists have that completely changed people's outlooks. REDDIT
   Q

🐝 Fact

The sacbrood virus prevents the bee larva from making its final moult when the prepupa turns into a pupa, and it dies before it can spin its cocoon.

Generally only a few larvae in a colony are infected. The dried larvae, in their larval skins, can look as though they have died from AFB but are more easily removed from their cells. The dead larvae have pointed ends that stick up, resembling the upturned toe of a Chinese slipper.

This bee fact is brought to you by The Beekeeper's Bible: Bees, Honey, Recipes & Other Home Uses.

Subscribe to Premium to read the rest.