shmoul

@ArchAngelDDay Congrats! Best of luck, although I'm certain you'll do great

After almost 6 years in #bugbounty, I am VERY excited to announce that starting tomorrow, I will be doing Bug Bounty / Consulting FULL TIME! That's right, today is my last day at Elastic. I am super grateful for everything I accomplished while working at Elastic, but being entirely self-employed has been my dream for years. After a very successful LHE in Miami earlier this year, and reading the incredible Courage is Calling by Ryan Holiday, I knew 2024 was the year to make the jump. Bug Bounty has been an incredible blessing in my life, drastically altering my life trajectory and giving me the opportunity to create a life for my kids/family that may not have been possible otherwise. It bought my house, my car, and my wife’s van. It let me secure some of the biggest companies in the world, and make some of the best friends I have. This was all possible with just 10-15 hrs/week over the last 6 years. How much more bountiful will it be when I'm able to devote 3x the time? Only time will tell 😎. Of course, there is the fear of uncertainty, the fear of failure, and the fear of financial instability. But I figure those pale in comparison to the pain of never actually getting off my butt and trying. Thanks @rez0__, @triviatroy, @luhkoh, @hacker_, @ajxchapman, @nahamsec, and @rhynorater for the encouragement to give it a shot. Thanks @hacker0x01 & @bugcrowd for giving us hackers a platform to change our lives. Thanks @noahkagan for your interviews with Cal Newport and @artofmanliness. Both of which gave me hope that I’d do alright. Thanks @ryanholiday for Courage is Calling. It made me certain I was making the right decision. And thank YOU all for being part of this journey with me. Let’s Hack the Planet together. Gloria Deo #bugbounty #togetherwehitharder #ittakesacrowd

@renniepak Shouldn't have mentioned SMB in the earlier reply 😅 It's not really a good way to go unless you're stealing NTLM creds

@renniepak Use a webdav server instead. SMB is such a pain and so inconsistent outside a local network.

@renniepak You should be able to RCE by hosting a webdav / SMB server and using an url like file://host-ip/share/path/to/file.exe Windows does however prompt the user about running an external program, but if the user has e.g java installed you can use a .jar file with no warnings.

@NahamSec Full time on bug bounty here

I’m working on a video. If you consider yourself a bug bounty hunter or pay your bills from bug bounties can you reply to this tweet?

@Oddvarmoe Also this may not be exactly on topic but you can also specify the streams in the directory and file: c:\temp:$I30:$INDEX_ALLOCATION\file.exe::$DATA

@Oddvarmoe c|/test/file.exe (works in file URIs and somewhere else I think? not sure so maybe not a proper path) \??\c:\temp\file.exe \??\UNC\localhost\c$\temp\file.exe (UNC thing also works with \\?\ and \\.\)

Valid paths to a binary in c:\temp on Windows (without ftp/webdav server or similar). Do you know more paths? c:\temp\file.exe \\127.0.0.1\c$\temp\file.exe (or localhost) \\.\c:\temp\file.exe \\?\Volume{GUID of drive}\temp\file.exe

@NahamSec @Hacker0x01 @alicanact60 @ajxchapman Thanks for the shout out! Let's find some more crazy bugs in Vegas

Lessons Learned From @Hacker0x01's Live Hacking Event (h1-4420)! Shout outs to @alicanact60, @shm0ul and @ajxchapman for all their help throughout the event! 🎥👉🏼 youtu.be/R3lsiENY5v8

Recently had the pleasure of participating in my second @Hacker0x01 LHE, #h14420. We actually ended up winning the bonus for the best desktop bug on Zoom with @NahamSec and @ajxchapman! Huge thanks to them and everyone else involved with the event!