The 5 Hacking NewsLetter 12

Hey hackers! These are our favorite pentest & bug bounty related resources for the week of July 6 to 13.

Our favorite 5 hacking items

1. Videos of the week

SteelCon 2018 - , particularly:

I would have loved to go to SteelCon 2018 and see all these talks live! They are not all technical but when I’m looking for something to watch/pass the time, I usually prefer watching conference videos like these to TV shows. They teach me new technical skills/information and help put me in a hacker’s mindset and motivate me for better bug hunting.

OWASP Broken Web Apps - OWASP Bricks Challenge walkthrough

These are my solutions to the OWASP Bricks challenge. They can be considered easy and unrealistic Web challenges but they are a great place to start to practice manually finding and exploiting SQL injection and unrestricted file upload vulnerabilities.

I once had to train junior pentester colleagues, and gave them similar Web challenges. They skimmed through them, read the solutions without trying, seemed uninterested in the tedious task of solving these exercises one by one, and said that they already knew how to find such vulnerabilities. But when we were on real pentest engagements, they would miss many basic vulnerabilities and, even if given the vulnerable endpoint, were unable to exploit them manually.

So I really advise you to take the time to practice even the simplest challenges, take notes, improve your testing checklist/methodology, and profit from this controlled environment to explore new techniques: how to exploit SQL injections to read files on the remote system, how to go from a simple basic Webshell to a TTY shell or a Meterpreter shell, how to get the same kind of information sqlmap returns but manually…
Taking your time and notes is the best way to build solid knowledge and considerably improve your skills over time, challenge after challenge.

The 5 Hacking NewsLetter 11

Hey hackers! Here are our favorite resources for penetration testers and bug bounty hunters for last week (June 29 to July 6).

Our favorite 5 hacking items

1. Podcast of the week

Web Hacking Pro Tips #16 with Bull by Peter Yaworski

I loved watching this podcast! The story of Bull (@v0sx9b) is impressive: he’s a self-taught bug bounty hunter who has been full-time only since 2016 and is already making a lot of money. So it’s good to listen to his hunting philosophy and tips.

For example, he focuses on big bugs and doesn’t report small ones, but rather keeps them to chain them and report higher impact bugs. This way, he reports 6/7 bugs a month on average but with high criticality & reward.

Conference notes: Small Files And Big Bounties, Exploiting Sensitive Files (LevelUp 0x02 / 2018)

Hi, these are the notes I took while watching the “Small Files And Big Bounties, Exploiting Sensitive Files” talk given by Sebastian Neef and Tim Philipp Schäfers at LevelUp 0x02 / 2018.

About

This talk is about how to extract information from sensitive files like .DS_Store files and .git directories.
