Sponsored by

The 5 Hacking NewsLetter 24

Posted in Newsletter on October 21, 2018

The 5 Hacking NewsLetter 24

Hey hackers! Here are our favorite resources for pentesters and bug hunters discovered last week.

This issue covers the week from 12 to 19 of October.

Our favorite 5 hacking items

1. Tutorial & Tool of the week

Embedding Meterpreter in Android APK by Black Hills Information Security AndroidEmbedIT

This is a great tutorial on how to embed a Metasploit payload into a legitimate Android app. It is accompanied by AndroidEmbedIT, a tool to automate the process, but you’ll find the most value in the tutorial.

Even if you’re not planning on tricking all your friends or deploying the next Android malware botnet, you could still learn a lot from it: decompiling APKs, integrating Metasploit payloads, adding permissions, recompiling and signing APKs…

2. Writeup of the week

h1-202 leaderboard photo discloses local wifi password

I usually prefer technical writings that’ll help me improve my skills whether they are writeups, news or tutorials. This bug is not technical at all but it is the best!

$500 for a medium severity bug found on Hackerone. What is it? The local wifi password found just by watching photos of a Hackerone event!
Hahaha (Can’t stop laughing everytime I read it!)

3. Video of the week

How to Differentiate Yourself as a Bug Bounty Hunter by @avlidienbrunn (OWASP Stockholm)

This is a short but sweet talk on how to differentiate yourself, a question that every bug hunter asks himself several times a day.

Mathias gives very specific tips, a mathematic formula to calculate bounty effectiveness and a pretty funny goose picture. But I’m not gonna spoil it, just watch the talk!

4. Challenge of the week

Curious how Facebook got hacked? Try it out for yourself! by Adversary

This is a simulation of Facebook’s latest data breach. It is a great opportunity to understand and exploit a real-life bug with critical impact in a controlled environment. And if you’re stuck, steps and hints are provided too.

5. Resource of the week

Security Assessment Mindset by @dsopas

The Security Mindmap which has been around for some time has been updated. It’s a huge mindmap to use when doing pentest, bug bounty or red-team assessments.

Many types of tests are included: Web, network, physical, IoT and OSINT. But Wifi and mobile tests haven’t been added yet. So you can use the mindmap as it is or as a basis for a more complete personal testing checklist.

Other amazing things we stumbled upon this week

Videos, Conferences & Podcasts


Conferences & Webinars



Medium to advanced

Beginners corner



  • StaCoAn: a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile apps
  • HASSH: a profiling method for SSH clients and servers
  • JTB Investigator: A tool to speed up the process of doing the same simple IP/Domain Name lookups over and over again
  • Autocon
  • SSRFMap: Automatic SSRF fuzzer and exploitation tool
  • A2SV *
  • cve-2018-10933: libssh authentication bypass
  • Zen: Find emails of Github users

Misc. pentest & bug bounty resources

Non technical


Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 10/12/2018 to 10/19/2018

* Oldies but goodies

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…