2phi

Current scoreboard after 6 hours 🔥 #INS25 #CTF

BREAKING: BYBIT $1 BILLION HACK BOUNTY SOLVED BY ZACHXBT At 19:09 UTC today, @zachxbt submitted definitive proof that this attack on Bybit was performed by the LAZARUS GROUP. His submission included a detailed analysis of test transactions and connected wallets used ahead of the exploit, as well as multiple forensics graphs and timing analyses. The submission has been shared with the Bybit team in support of their investigation. We wish them all the best.

1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips gist.github.com/hackermondev/6…

The wayback machine has been compromised. See you all in HIBP!

How to fix the Crowdstrike thing: 1. Boot Windows into safe mode 2. Go to C:\Windows\System32\drivers\CrowdStrike 3. Delete C-00000291*.sys 4. Repeat for every host in your enterprise network including remote workers 5. If you're using BitLocker jump off a bridge

1/ How Lazarus Group laundered $200M from 25+ crypto hacks to fiat from 2020 - 2023 zachxbt.mirror.xyz/B0-UJtxN41cJhp…

There's still a load of potential for further research and discoveries in HTTP request smuggling. This massive-impact finding from @deadvolvo exploiting Akamai/F5 is a great example: blog.malicious.group/from-akamai-to…

1/ It’s unfortunate I have to make this thread but I am being sued by MachiBigBrother for an article I published in June 2022. Today Machi filed the defamation lawsuit. The lawsuit is baseless and an attempt to chill free speech. I intend to fight back & defend free speech.

Discover how we compromise systems through misconfigured WSUS (Windows Updates) - Remote Command Execution as #SYSTEM immunit.ch/en/blog/2023/0… #pentest #windows #wsus #injection #rce

Did you enjoy the latest blogpost on PHP filter chains? Well, our ninja @_remsio_ strikes again with a new article detailing how you can abuse them to leak files from the targeted system, as well as a freshly developed tool to exploit it! synacktiv.com/publications/p…

Loyalist: $4m stolen from over 400 victims zachxbt.mirror.xyz/chj355oHn5PcRI…

Was a lot of fun to collab with you on this one.

Very nice little article. Bug hunting is more accessible than you might think; although it does obviously require some technical skills you don't have to be a seasoned veteran to find issues. blog.chain.link/smart-contract…

It’s time for Atlas to pick up a new set of skills and get hands on.

Aurelien the founder charged today by the DOJ in the $2.9m rug pull of Mutant Ape Planet also happens to be the co-founder of another $1.6m rug pull I did a thread on called Crazy Camel Club (attached below)

📑 Root cause analysis from past DeFi incidents. Hope this stuff can help devs to avoid the same mistakes as much as possible. Now covered 95 incidents. wooded-meter-1d8.notion.site/0e85e02c5ed34d… #DeFi #Web3

The Dedaub team has disclosed a Critical vulnerability to the Uniswap team! Funds are safe - Uniswap addressed the issue and redeployed the Universal Router smart contracts on all its chains 👏 The vulnerability allows re-entertrancy to drain the user's funds, mid-tx. 🧵

1/ Six hours ago an account messaged me and sent over a db with api keys of 3Commas users. I began working to verify its validity and quickly shared the info with exchanges.

Wrote down my experience with MEV research, and the people who drove it to maturity @Prestwich/mev-c417d9a5eb3d" target="_blank" rel="nofollow noopener">medium.com/@Prestwich/mev…

@nobock_fr @SNCF Cher monsieur, vous m'ôtez les mots de la bouche. Merci d'avoir été assez vulgaire pour deux :)

@SNCF ALLEZ VOUS FAIRE COPIEUSEMENT ENCULER BANDE DE GROS FILS DE PUTE. MON TRAIN A ÉTÉ ANNULE ET PLUS DE DISPONIBLE JE NE PEUT DONC PLUS PASSER NOËL AVEC MA FAMILLE. BANDE DE GROS FILS DE PUTE !

ℹ️ Mouvement social : la circulation des trains sera perturbée du jeudi 22 décembre 20h au lundi 26 décembre 8h sur certaines lignes opérées par SNCF Voyageurs. En moyenne, 2 TGV sur 3 circuleront vendredi 23. La situation devrait être similaire samedi 24 et dimanche 25.