- Hive Five
- Posts
- π Hive Five 51 β Happy New Year
π Hive Five 51 β Happy New Year
Bee
January 02, 2022
Photo by Choong Deng Xiang / Unsplash
Hi friends,
Happy New Year from the hive!
I hope you'll get one step closer to reaching your dreams. Both professionally and personally, 2021 was a great year for me.
Through my newsletter, website, and job at Bugcrowd, I was able to meet, reach and help a lot of people. And it meant the world to me. There's no better feeling than giving back.
In 2021, I also gained new insight through introspection. I also found stoicism, or did it find me? I built a reading habit and started mind mapping. On the health front, I started a daily running habit. Lastly, I was lucky enough to meet with infosec friends, both old and new.
This year, I set out to improve the processes above while adding new ones for my overall goal to be more intentional and mindful.
Let's take this week by swarm!
π The Bee's Knees
Ask TomNomNom anything: He'll do a stream some time in the next couple of weeks to do the answers. It was a 4 hour stream last time he did this.
A Different Kind of Root - How a Dentist Passed the OSCP: TLDR - you can do it, there's no doubt about it. You just have to prep smart. Do the groundwork, jump into PWK, then finish up with PG. The exam is a psychological chess match between you and the machines.
Turning bad SSRF to good SSRF - Websphere Portal: CVEs do not exist for these issues as the vendor is a CNA and refuses to provide us with CVEs. Advisory: Websphere Portal SSRFs & Post Auth RCE.
Hacking a VW Golf Power Steering ECU - Part 1: Attempts at modifying the firmware of an Electronic Power Steering (EPS) ECU from a 2010 Volkswagen Golf Mk6. This steering rack is probably present in all VW PQ platform cars, starting from 2008 up to the present day.
ππ» Support the Hive
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
π₯ Buzzworthy
π Current events
TOOOL needs your help: Someone defrauded them out of $20k, their bookkeeper ghosted them, and the bank isn't helpful.
LogMePwn v2.0 - Multi-protocol support: A fully automated, reliable, super-fast, mass scanning and validation toolkit for the Log4J RCE CVE-2021-44228 vulnerability.
π Celebrate
Dazzy is joining Mandiant Red Team: Congrats!
Christopher's health journey: Amazing!
MorningStar had a great bug bounty year: Awesome work!
Six2dez celebrated reconFTW's first birthday: Here's to many more!
ca$s:e crushed her goals: Let's go!
π° Career Corner
Canva has heaps of security roles open: They're looking for smart driven people that want to be a part of Canva's journey. Australia Remote - Happy to discuss remote international.
Ben's advice to employers in the security space: There are barely any qualified and experienced people in this field. Only hiring experts is not sustainable.
π° Articles
Secjuice 2021 Writer of the Year Winner - Andy From Italy: Secjuice is pleased to congratulate the 2021 winner of our annual Secjuice Writer of the Year awards, Andy From Italy.
Another Log4j on the fire - Unifi: In this article, we are going to exploit Log4j vulnerabilities in Unifi software, get a reverse shell, and leverage our access to add our own administrative user to the Unifi MongoDB instance.
Fixing the Unfixable - Story of a Google Cloud SSRF: The post is nominating for the 2021 GCP VRP Prize.
Losers Exist, Donβt Hire Them: This is an internet re-post of a piece by Bryan Goldberg that is no longer available online.
Spaceraccoon's 2Q21 - New Year's Reflections: βThis may be the most important proposition revealed by history: 'At the time, no one knew what was coming.β β Haruki Murakami.
π Resources
What is your hunting on a public program mindset Mohsin asks.
Introduction to Malware Analysis and Reverse Engineering: This class will introduce the CS graduate students to malware concepts, malware analysis, and black-box reverse engineering techniques.
Blocksec CTFs: A curated list of blockchain security Wargames, Challenges, and Capture the Flag (CTF) competitions and solution writeups.
Code Review Checklist: Does this code change accomplish what it is supposed to do? Can this solution be simplified?
π₯ Videos
Dropped or adopted in 2021β¦ app and hardware end-of-year review.
UHC - NodeBlog: Box will be uploaded to HackTheBox by January 5th.
SSRF - Lab #5 SSRF with filter bypass via open redirection vulnerability | Long Version: This application's stock check feature is vulnerable to SSRF.
Advanced Directory Traversal Techniques: This video covers advanced strategies to test for directory traversal issues.
π΅ Audio
Spreading the Networking Vibes with Serena (shenetworks): Serena is a Network Engineer who specializes in Data Center Compute and Virtualization.
Alice and Bob learn application security - Chapter 10 - Continuous learning conclusion.
Subscribe to the Hive Five to read the rest.
Become a paying subscriber of the Hive Five to get access to this post and other subscriber-only content.
Already a paying subscriber? Sign In