Hey hackers! These are our favorite pentest & bug bounty related resources for the week from 6 to 13 of July.
Our favorite 5 hacking items
1. Videos of the week
SteelCon 2018 - , particularly:
I would have loved to go to SteelCon 2018 and see all these talks live! They are not all technical but when I’m looking for something to watch/pass the time, I usually prefer watching conference videos like these to TV shows. They teach me new technical skills/information and help put me in a hacker’s mindset and motivate me for better bug hunting.
Hi, these are the notes I took while watching the “Modern Pentest Tricks For Faster, Wider, Greater Engagements” talk given by Thomas Debize on both Area 41 & HITB 2018 conferences.
These are my solutions to the OWASP Bricks challenge. They can be considered easy and unrealistic Web challenges but they are a great place to start to practice manually finding and exploiting SQL injection and unrestricted file upload vulnerabilities.
I once had to train junior pentester colleagues, and gave them similar Web challenges. They skimmed through them, read the solutions without trying, seemed uninterested by the tedious task of solving these exercises one by one, and said that they already knew how to find such vulnerabilities. But when we were on real pentest engagements, they would miss many basic vulnerabilities and, even if given the vulnerable endpoint, were unable to exploit them manually.
So I really advise you to take the time to practice even the simplest challenges, take notes, improve your testing checklist/methodology, and profit from this controlled environment to explore new techniques: How to exploit SQL injections to read files on the remote system, how to go from a simple basic Webshell to a TTY shell or a Meterpreter shell, how to get the same kind of information sqlmap returns but manually…
Taking your time and notes is the best way to build solid knowledge and considerably improve your skills over time, challenge after challenge.
Hey hackers! Here are our favorite resources for penetration testers and bug bounty hunters for last week (June 29 to July 6).
Our favorite 5 hacking items
1. Podcast of the week
Web Hacking Pro Tips #16 with Bull by Peter Yaworski
I loved watching this podcast! The story of Bull (@v0sx9b) is impressive: he’s a self-taught full-time bug bounty hunter since only 2016 and already making a lot of money. So it’s good to listen to his hunting philosophy and tips.
For example, he focuses on big bugs and doesn’t report small ones, but rather keeps them to chain them and report higher impact bugs. This way, he reports 6/7 bugs a month on average but with high criticality & reward.
Hi, these are the notes I took while watching the “Small Files And Big Bounties, Exploiting Sensitive Files” talk given by Sebastian Neef and Tim Philipp Schäfers on LevelUp 0x02 / 2018.
This talk is about how to extract information from sensitive files like .DS_Store files and .git directories.