Hive Five 72 - Learning Blockchain, Delegating, running Docker without Docker Desktop
Hi friends,
Greetings from the hive!
On Memorial Day, we honor the memory of those who made the ultimate sacrifice.
To my surprise, I was included in a newsletter analysis by the always insightful Daniel Miessler. An honor as usual! I'll make sure to implement some of the takeaways.
Let's take this week by swarm!
The Bee's Knees
Learn Blockchain, Solidity, and Full Stack Web3 Development with JavaScript - 32-Hour Course: This course gives a full introduction to the core concepts of blockchain, smart contracts, Solidity, ERC20s, full-stack Web3 dapps, decentralized finance (DeFi), and more.
YassineAboukir Talks About His Recon Flow, Bug Bounty, Mental Health and More.
BSides Knoxville 2022 recordings are available on YouTube: Here's one of those presentations: Ben Sadeghipour - Would I even be here if it wasn't for the Internet?.
Understanding CVE-2022-22972 (VMware Workspace ONE Access Auth Bypass): As part of Assetnote's ongoing work on their Attack Surface Management platform, they continually research new and relevant vulnerabilities. In some cases, they've seen other talented researchers find vulnerabilities in software they had audited.
Bypass CSP Using WordPress By Abusing Same Origin Method Execution: Paulos wrote a new blog post on bypassing CSP when WordPress is hosted on the same domain or a subdomain.
Support the Hive
Enjoy reading the Hive Five? Consider sponsoring the next edition.
You can also follow me on Twitter.
Buzzworthy
Changelog
pry0cc added preliminary AWS support for axiom: (git branch: aws-port).
Subnets and Subnet Masks: by TomNomNom.
Hakrawler v2.1: Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.
Osmedeus v4.1.2: A Workflow Engine for Offensive Security.
Events
BSides Buffalo - June 4th: Hacking is for everyone!
Hardwear.io Security Trainings and Conference USA 2022: Hardwear.io USA 2022 returns as a physical conference in Santa Clara, CA.
Celebrate
Mohsin shares their inspirational bug bounty story: Looking forward to what you do next!
ca$s:e had a wonderful first week at her new job: Love to hear it!
Nick passed the AWS SCS-C01 Security Specialty cert: Woohoo!
Career Corner
Andreas on doing work that has "real" user impact: "When I first came to Apple, I would regularly dump whole days into [...]"
Accidental CISO on delegating: "One of the most important things I have learned so far about starting a business is how important it is to hire things out that I'm not good at. [...]"
Before you quit your job, consider TWO things: Over the course of his colorful career in tech, Sheng has worked at 7 companies across the globe, from giants like Google to small startups with just 10 people.
How to Pass Any SANS / GIAC Certification on Your First Try.
From the Community
Teamwork makes the dream work: Sam picked up @0xteknogeek, @sshell_, and @ret2jazzy from the airport and they immediately found a Tesla vulnerability playing around with the screen in the back seat.
shubs's observations on iterations in app sec: "I'm surrounded by people specifically in the source code review and bug bounty space that are innovating, learning and adapting constantly [...]"
Articles & Tweets
How Cas 'accidentally' hacked a four-story display: ft. pry0cc?
Eight years of the GitHub Security Bug Bounty program: GitHub celebrated yet another record breaking year for their Security Bug Bounty Program in 2021.
Resources
Evan shares an example of using Turbo Intruder's "listen and attack" mode.
Bug Bounty FIRE Goals: Using bug bounty alongside full-time employment is a solid means to attain FIRE (Financial Independence/Retire Early).
Videos
Recon Fundamentals Expanded (Nahamcon 2022 Talk): In this video codingo further expands on recon fundamentals with some tool examples, and a quick overview of tools to watch in 2022 (Trufflehog, Caido, and SecurityTrails SurfaceBrowser).
Dark Web - The Other Side: This talk will explore the world of dark nets and "the dark web".
Bug Bounty 101 #19 - Android Mobile App Testing with Burp Suite: In this bug bounty video, Z-Wink shows how to route traffic from the Nox Android emulator through Burp Suite so that mobile apps can be tested like websites.
Audio
Stealing Google Drive Tokens, a GitLab Bug, and macOS "Powerdir" Vulnerability: Kicking off the week with some discussion about DOJ's policy change before getting into some vulnerabilities: "powerdir" a macOS TCC bypass, an integer overflow on the web, and another attack against HelloSign and their Google Drive integration.
Human Factor Security #180 - Social Engineering Community at DEF CON 2022: On this special episode Jenny chats with Snow and JC about the new Social Engineering Community that will be at DEF CON 2022, held in Las Vegas this August.
The Privacy, Security, & OSINT Show #263 - Proton Changes & New Breach Lessons: This week they discuss the latest Proton changes and some new breach data privacy concerns (and investigation benefits).
Smashing Security #276 - Webcam extortion, Michael Fish, and food foul-ups: A browser extension bug let malicious websites spy on webcams, hackers threaten the global food supply chain, and Michael Fish (not that one...) hacked into his female classmates' online accounts, hunting for nude photos and videos.
Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.