Clément A.

570 posts
@clement_angu

Who am I? Perhaps as long as I go I’ll know more about myself ./exploit.py

Joined June 2018
431 Following 128 Followers
Clément A. retweeted
Alex Neff (@al3x_n3ff)
Collecting ADCS data with NetExec🔥 Thanks to the addition of CertiHound, developed and implemented by 0x0Trace, we can now collect ADCS data using the --bloodhound collector of NetExec. As before, the data is exported as JSON files that can be imported directly into BloodHound.
Clément A. retweeted
Tib3rius (@0xTib3rius)
I could rant about Rustscan for ages. Pentesters care about accuracy more than speed. Rustscan misses ports because it's too fast, it'll cause dropped packets. I've also never understood the "it's fast because rust!" argument. Nmap is C/C++, which are hardly slow languages. Also...it's a network scanner. Once the packet has been sent, it's network speed that matters more. They've also never explained (to my knowledge, and I've searched their github) the "Adaptive learning" portion. Also when they first released it, they had a "comparison" of Rustscan vs Nmap which was ridiculously biased. Running Nmap with all sorts of extra settings that caused it to take 17 minutes, then claiming Rustscan finished in 3s. Nmap can take 3s if you tweak the settings enough, but the point is why would you ever want that? Noisy. Inaccurate. Pointless.
Clément A. retweeted
Arun (@dazzyddos)
Releasing PrivHound — Bloodhound collector to model Windows local Privilege Escalation as a graph. Still early — bugs and PRs welcome. github.com/dazzyddos/Priv…
Clément A. retweeted
I am Jakoby (@I_Am_Jakoby)
One command. Full recon pipeline ➡️ enumerates subdomains from 7+ sources in parallel ➡️ resolves DNS, maps CNAME chains ➡️ detects takeover vulnerabilities ➡️ fingerprints the tech stack ➡️ auto-probes sensitive paths it discovers ➡️ tests auth bypasses on blocked endpoints ➡️ as of yesterday generates HackerOne-ready markdown reports (no AI involved, programmatically generated). Each phase feeds the next. Not a wrapper. Not a script calling subfinder. Nuclei isn't even involved. Custom distributed architecture, built for bounty hunting, and I am continuing to upgrade it every single day. If you have functionality you think I should add, drop suggestions below. I'm also looking for a few established bounty hunters to get early access and help me stress test it. DM me if you're interested. And again, here is a REAL example output: github.com/Unit-259/subEn…
I am Jakoby (@I_Am_Jakoby)

If my tool wasn't real this wouldn't be possible lol. Here is the proof output too: github.com/Unit-259/subEn… 🎵 That's right. I am your god now, bow to me 🎵

Clément A. retweeted
Dark Web Informer (@DarkWebInformer)
‼️ A threat actor is selling an initial access chain that uses DLL sideloading via a trusted Windows binary to execute payloads within Microsoft-signed processes, claiming to bypass EDR, MoTW, SmartScreen, and file-based detection. Each build is compiled uniquely with no shared IOCs, priced at $3,000 per build with custom modifications available separately.
Clément A. retweeted
DbgMan ^_^ (@0XDbgMan)
Yo, a new blog post about persistence techniques. Windows: Registry, Scheduled Tasks, WMI, DLL Hijacking. Linux: cron, SSH Keys, LKM. macOS: LaunchAgents, Dylib Hijacking. Cloud: IAM Abuse, Kubernetes. Inspired by Volt Typhoon, Lazarus Group, APT29. 0xdbgman.github.io/posts/persiste…
Clément A. retweeted
Wietze (@Wietze)
Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-me-…
Clément A. retweeted
SEKTOR7 Institute (@SEKTOR7net)
AMSI bypass techniques - a 2025 update. A collection of various AMSI evasions, for both PowerShell and .NET assemblies, with verification of which ones still work and which shouldn't. As an extra, one can find additional simple, yet clever tricks - make the AmsiScanBuffer() buffer length argument permanently 0, or POP arguments from the stack and return INVALID ARG. A great post by Fabian Mosch (@ShitSecure). Post: r-tec.net/r-tec-blog-byp… #redteam #maldev #malwaredevelopment
Clément A. retweeted
Enleak (@0xEnleak)
If understanding AD is still an issue, read this: zer1t0.gitlab.io/posts/attackin… #ActiveDirectory
Clément A. retweeted
James Kettle (@albinowax)
HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
Clément A. retweeted
Intigriti (@intigriti)
🔄 Firebase developers rely on security rules to protect their applications. In practice, they often prove to be difficult to configure... making them prone to security misconfigurations 👀 We've documented several techniques to identify security misconfigurations in Firebase targets during bug bounty hunting 🤠 Link in next post! 👇
Clément A. retweeted
Jacob Krell (@hackerfren)
I just finished reading my signed early edition of Practical Purple Teaming: The Art of Collaborative Defense by @ajpc500 (Alfie Champion), and it was an excellent read. The book serves as a complete survey of the tactics, tools, and procedures involved in purple teaming. It introduces each concept clearly, then demonstrates it through practical, realistic examples.

What stood out most is how balanced it is between the offensive and defensive perspectives. It covers detection strategies using tools like Splunk while also showing how to operate offensive C2 frameworks such as Mythic, exploring how both sides think and interact in a collaborative defense process. The book lays out the entire workflow for running a purple team exercise from scoping and execution to reporting. I appreciated that for each objective, multiple tools are introduced, including MITRE Caldera, Atomic Red Team, and VECTR and ticketing systems. This flexibility mirrors how real-world teams operate and reinforces that there is no single way to conduct a purple team engagement.

The author’s experience shows throughout the book, blending technical knowledge with practical insights. Beyond frameworks like the Pyramid of Pain, Champion shares lessons on the human and organizational aspects of purple teaming, such as running workshops and demonstrating value to different stakeholders.

The layout follows the familiar No Starch Press structure, divided into three main parts with twelve manageable chapters. Part one, How Purple Teaming Works, introduces the fundamentals, frameworks, and testing methodologies. Chapter one provides a clear overview for readers new to the concept, while later chapters explain the MITRE ATT&CK model, the Pyramid of Pain, and two primary testing approaches: the atomic methodology and the scenario-based methodology.

Part two, Attack Emulation and the Detection Lab, is where the book truly shines. It walks the reader through building a Splunk Attack Range environment in AWS, collecting host-level telemetry like Windows Event Logs, and progressing into more advanced topics such as network traffic analysis, event tracing, and memory scanning with YARA and Sigma. Chapters eight through ten form the heart of the book, showing a short attack chain in a purple team context. “Living Off the Land with Atomic Red Team” demonstrates how to emulate LOLBIN techniques and initial access scenarios. “Active Directory Reconnaissance with MITRE Caldera” explores realistic AD enumeration and detection coverage. “Domain Compromise with Mythic” showcases how to perform realistic C2 operations, including techniques like DCSync and other domain compromise methods.

Part three, Organizing an Exercise, focuses on the operational and reporting side. It covers how to manage engagements using tools like JIRA for tracking and VECTR for structured reporting. The final chapter, “Implementing a Purple Teaming Function,” dives into the business and cultural aspects of running a purple team, from facilitating workshops to building relationships across teams. It is full of thoughtful, experience-based advice that goes beyond technical execution. The book concludes with an appendix of helpful reference tables, including high-value Windows event IDs and system logs, making it a useful companion during actual exercises.

Overall, Alfie Champion did a fantastic job with this book. It helped me mentally assemble my own purple team service offering and see exactly where I can bring unique value to clients. It also showed me which tools I plan to use next, particularly MITRE Caldera and VECTR, which seem ideal for delivering efficient, measurable results.

Practical Purple Teaming was published by @nostarch Press in September 2025 and runs 352 pages. It is available directly from the publisher at nostarch.com/purple-teaming. You can purchase the Print Book and FREE Ebook for $59.99, or the Ebook (PDF, Mobi, and ePub) alone for $47.99. Go purple!
Clément A. retweeted
mRr3b00t (@UK_Daniel_Card)
So someone said they got hacked via wifi using the Qatar Airlines app.... so shall I learn how to do some Android stuff??
Clément A. retweeted
Mehdi (@silentgh00st)
#bugbountytips ❌ Stop Doing These 10 Bug Hunting Mistakes ... And revise your methodology if:

1. You spend 2 days or less per program
2. You run automated tools on each URL and wait for unique results
3. You don't scan servers' open ports
4. You don't register an account in the target website
5. You don't read JS files loaded, dynamically or statically
6. You don't care what kind of technologies are used
7. You throw payloads blindly everywhere without knowing what could go wrong with the app
8. You don't monitor changes related to your target
9. You don't manually scan for hidden endpoints in all app exposed files
10. You blindly bruteforce directories and endpoints whatever the naming pattern used by the target app

Remember, the app is developed by humans, they make mistakes and there is always a pattern to anything ...

Ad: If you want to monitor your target scopes .. I am working on a platform called MapperPlus which offers many monitoring features for bug bounty hunters and security professionals .. you could join the waitlist at: mapperplus.com