Sponsored by

The 5 Hacking NewsLetter 27

Posted in Newsletter on November 12, 2018

The 5 Hacking NewsLetter 27

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 02 to 09 of November.

Our favorite 5 hacking items

1. Conference of the week

Wild West Hackin’ Fest 2018, especially:

Wild West Hackin’ Fest is a relatively new security conference by Black Hills Security, a company known for its penetration testing services.I’ve already shared with you many of their high-quality webcasts on penetration testing.

This time, it’s no different. These 3 talks present pentesting tips, tricks, and traps. They could help if you’re considering becoming a professional pentester.

2. Writeup of the week

Evernote For Windows Read Local File and Command Execute Vulnerabilities

This is a write-up for a stored XSS affecting the Evernote desktop app (version 6.14). The bug itself is simple:

  • Create a note & add a picture to it
  • Rename the picture to: " onclick="alert(1)">.jpg
  • The JS payload will execute every time you open the note
  • Share the note with other Evernote users (This isn’t a self-XSS)

Since the JavaScript runs in the context of a desktop app, it can retrieve local files (LFI) and execute commands (RCE).

An XSS leading to RCE is unusual since it is a client-side vulnerability. I think it’s really cool!

3. Resource of the week

Getting started in Bug Bounty

This is one of the best guides to get started in bug bounty I’ve seen out there! It lists many Twitter & Github accounts to follow, blogs, books, etc.

In addition to technical references, it also encompasses essential non technical advice like:

No one will be able to tell you everything about this field, It’s a long path but you have to travel it alone with help from others. “Do not expect someone will spoon feed you everything.”

This can’t be overstated…

4. Non technical item of the week

On Empathy in Security

This is a nice piece on security & empathy.

It particularly resonated with me because one of the first things I learned as an IT security auditor was the right posture to adopt with a client or auditee: Never make fun of their bugs or lack of security on their products. Never make them feel inferior just because they didn’t know how to properly secure an asset. Explaining bugs, risks and mitigation is what will help them improve their overall security, not a bad attitude.

So empathy in security actully makes a lot of sense.

Empathy towards attackers too, though it might seem weird. I’m reminded of an article I’ve read recently (but can’t find anymore) on cryptocurrency theft. Someone was contacted by a young blackhat. They talked for hours and the victim managed to get back all his money just by talking with and showing genuine empathy to the hacker. He was just a young guy in a bad situation.

5. Tip of the week

Passive DNS for the Bad

This is a simple yet effective trick. It’s for when you find IP addresses with open Web ports (80, 443, 8080…), that can’t be accessed directly. If the server uses a reverse proxy and blocks access by IP, you will have to find the right hostnames resolving to the IP you have.

Passive DNS databases (like DNSDB) are a good resource to get hostnames from IPs and maybe access endpoints that other hunters/pentesters might have missed.

Other amazing things we stumbled upon this week


Conference Slides


Medium to advanced

Beginners corner


Pentest & Responsible disclosure writeups

Bug bounty writeups

See more writeups on The list of bug bounty writeups.


If you don’t have time

  • GetJS: a tool to extract all the javascript files from a set of given urls
  • Arecibo & Tutorial: An Out-of-Band Exfiltration tool (DNS & HTTP)
  • portscan (the tool’s source is in this page’s source code) & explanation: JavaScript port scanner
  • Fofa: Another chinese Shodan
  • Onyphe & Tutorial: Similar to Shodan. Also does automatic fingerprinting of malware on servers and IoT devices.

More tools, if you have time

Misc. pentest & bug bounty resources

Our community provides us with research, which we automate into our scanner and we reward the ethical hacker responsible for submitting the vulnerability every time it is found by our scanner.


  • myHouse7: Vulnerable Virtual Machine with multiple docker images to practice pivoting across 4 different networks with 7 different machines
  • OWASP Juice Shop v8.0.0


The API has been designed to aggressively inform users about the latest available updates and give them a smooth in-app installation experience without closing the app or opening the Google Play Store.

A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom firms for finding/reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data

The researchers’ findings undermine the conventional wisdom that hardware-based encryption offers superior protection than software-based encryption. Business and consumers are advised not to rely on hardware encryption alone and to add software encryption, such as the free and open source VeraCrypt software package or similar alternatives, in order to safeguard their data.

Non technical

Tweeted this week

We created a collection of our favorite pentest & bug bounty related tweets shared this past week. You’re welcome to read them directly on Twitter: Tweets from 11/02/2018 to 11/09/2018

Have a nice week folks!

If you enjoyed reading this, please consider sharing it, leaving a comment, suggestions, questions…