HackingHub

3.3K posts

@hackinghub_io

Educating the next generation of ethical hackers.

United Kingdom · Joined April 2019
14 Following · 12.7K Followers
HackingHub@hackinghub_io·
Recap:
💥 Use $sleep 5 to confirm blind RCE
💥 Use curl with webhook[.]site to exfiltrate output
💥 webhook[.]site acts as a temporary listener
💥 Great for demos, PoCs, and beginner-friendly workflows
HackingHub@hackinghub_io·
4️⃣ Verify the output at webhook[.]site
Visit your unique webhook[.]site URL and you’ll see a new request with the POST body:
user=www-data
That confirms the command output was exfiltrated successfully.
HackingHub@hackinghub_io·
How to test and confirm RCE 🧑‍💻  …then exfiltrate data (no firewall).
HackingHub@hackinghub_io·
How to HUNT for MFA bypass. Here’s a practical guide + SOLID hacking tips 👇
HackingHub@hackinghub_io·
Execute the perfect Father's Day payload 👇
HackingHub tweet media
HackingHub@hackinghub_io·
NahamSec made $30,000 USD with a single bug, and we turned it into a new practice hub. ⚔️
HospitalHub is a deliberately vulnerable staff portal. You sign in as a front-desk receptionist with zero patient privileges.
Your goal? Chain two Broken Access Control vulnerabilities to compromise the system.
Try to solve it now 👇 hhub.io/HospitalHub
@NahamSec
HackingHub@hackinghub_io·
Want to HUNT for broken access control (BAC)? @NahamSec has some hacking advice for you 😎  Let’s hear it. 👇
HackingHub@hackinghub_io·
Why does swapping GET 🔁 POST/PUT/PATCH work?
Because it forces the server to walk code paths it never expected. Some things to try:
➡️ Try GET on every POST/PUT/PATCH endpoint.
➡️ Try POST/PUT on GET endpoints, especially the one returning 403.
➡️ Add X-HTTP-Method-Override: DELETE (or PUT) on GET requests.
➡️ Append ?_method=DELETE (or PUT, PATCH) to any URL.
➡️ If a CSRF token is present, remove it and flip POST→GET.
HackingHub@hackinghub_io·
Someone: "I don't know where to learn to hack REAL targets." Me:
HackingHub tweet media
HackingHub@hackinghub_io·
Easily fuzz log files using a wordlist of dates 🗓️
Here’s how:
1️⃣ Use ffuf to find an active log directory
2️⃣ Grab a wordlist of dates
3️⃣ Run ffuf -w dates.txt -u /log/FUZZ.log -ac -mc 200
Want to try this technique out? Hack our Content Discovery Hub now! Link in comment 🔗
HackingHub@hackinghub_io·
Does this look robust? You think you can BYPASS it? 😎  Send your payloads. 🚀
HackingHub tweet media
HackingHub@hackinghub_io·
Get the most out of your reverse engineering with GDB plugin, GEF (GDB Enhanced Features).
Run this command to install:
wget -O ~/.gdbinit-gef.py -q gef.blah.cat/py && echo source ~/.gdbinit-gef.py >> ~/.gdbinit
HackingHub tweet media