r00tdaddy

114 posts

@rootd4ddy

169.254.169.254 · Joined April 2023
395 Following · 30 Followers
r00tdaddy@rootd4ddy·
@I_Am_Jakoby Look at the image @I_Am_Jakoby, this wasn’t a leak.. pops doesn’t know how autofill works 😆. There’s at best, a handful of numbers left in that scroll bar…
dawgyg - WoH@thedawgyg·
@Azx7af I may do some of this, but it's tricky, because I can't share my screen while I do. So I could only be on camera and talking to everyone. Live hacking while sharing screen would violate the RoE since it would disclose anything I found to people against policy before it's fixed
dawgyg - WoH@thedawgyg·
So as some noticed, I am now doing a lot of fuzzing. (11 0days found in the last 8 days between 3 major tools/libraries). Currently working on getting a UAF RCE triaged now. Would people find it helpful/useful if I were to blog about how I found them? #hacking #hacker #bugbounty
Travis Caverhill@CaverhillTravis·
@The_Cyber_News I think it is hilarious that people say how this is irrelevant because it was released 2 years ago... Not everyone does patch management, if they did, SQL Injections and XSS attacks would no longer exist.
Cyber Security News@The_Cyber_News·
🚨 PoC Exploit Released For Outlook 0-Click Remote Code Execution Vulnerability
Source: cybersecuritynews.com/outlook-remote…
A Proof-of-Concept (PoC) exploit code has been released for a critical remote code execution (RCE) vulnerability in Microsoft Outlook, identified as CVE-2024-21413. Dubbed “MonikerLink,” this flaw allows attackers to bypass Outlook’s security mechanisms, specifically the “Protected View,” to execute malicious code or steal credentials. The release of this PoC highlights the continued risk posed by this vulnerability and serves as a training tool for security professionals to understand the attack vector.
#cybersecuritynews #vulnerability
vx-underground@vxunderground·
Giveaway time.
Our friends at @cyberwarfarelab have gifted us AIO (All In One) Access to ALL of their courses for TWO PEOPLE
You'll have access to the following courses (including labs). It is a lot. You're not expected to complete everything. This is valued at over $11,000. If you're gifted this you're expected to actually do something and not be a bum.
This is a life changing giveaway. If you win this giveaway, bucked up, and lock in, you could be big brain real fast. Don't squander this.
How to enter:
- Leave a comment
- ???
- I like cats
Red Teaming:
- Web Red Team Analyst [Web-RTA]
- Active Directory Red Team Specialist [AD-RTS]
- Enterprise Lateral Movement Specialist [CELMS]
- Red Team Analyst [CRTA]
- Red Team Specialist [CRTS V2]
- Red Team Infra Dev [CRT-ID]
- Stealth Cyber Operator [CSCO]
Blue Teaming:
- Blue Team Fundamentals [BTF]
- Cyber Defence Analyst [CCDA]
Purple Teaming:
- Purple Teaming Fundamentals-C-Edition
- Process Injection Analyst [CPIA]
- Purple Team Analyst [CPTA V2]
Cloud Security:
- Multi-Cloud Red Team Analyst [MCRTA]
- Hybrid Multi-Cloud Red Team Specialist [CHMRTS]
- Google Cloud Red Team Specialist [CGRTS]
- AWS Cloud Red Team Specialist [CARTS]
- Multi-Cloud Blue Team Analyst [MCBTA]
Ethical Hacking (Introduction courses):
- Cyber Security Analyst [C3SA]
- Certified Cyber Security Engineer [CCSE]
Evasion & Exploitation:
- Red Team – CredOps Infiltrator [CRT-COI]
- Enterprise Sec. Controls Attack Specialist [CESC-AS]
- Windows Internals Red Team Operator [CWI-RTO]
- Certified Exploit Development Professional [CEDP]
DevOps:
- Certified DevOps Red Team Analyst (DO-RTA)
Kubernetes Security:
- K8s Red Team Analyst (K8s-RTA)
Wilson Boluwatife@GreatbabyGb·
@Dghost_Ninja They just closed it as P5 informational as i couldn't exploit the finding further
Wilson Boluwatife@GreatbabyGb·
I found/reported my first ever bug on a VDP program, really happy cause it was a boost to my confidence. Found a dev page that was open to the public, didn't find anything at first until I proxied the HTTP request to that site and found an API endpoint exposing client id
r00tdaddy@rootd4ddy·
@techspence Only deny logon locally for workstations? What about the various other logon methods that cache credentials.
spencer@techspence·
More sysadmins need to know this… User logon restrictions are free. Create a GPO and call it “DC Logon Restrictions - Domain Admins Only” Configure User Rights Assignment for DA accounts to log on locally on domain controllers and deny log on locally on end-user workstations.
bytehx@bytehx343·
Qualified for final round of #SPIRITCYBER2025
YesWeHack@yeswehack·
🇸🇬 Big week for @yeswehack at #SICW2025! The #SPIRITCYBER25 Hackathon will see 6 elite teams competing live on 22–23 Oct to strengthen Singapore’s critical #IoT systems.
🏆 From 30+ teams which participated in the 4-week qualifiers, these top hunters have earned their spot in the finals:
🔹 zamny zamn zamn: @elma_ios, @sunsh1nefact0ry, @junr0n
🔹 Obsidian Ghost Protocol: @spaceraccoon, Zhong Liang Ou-Yang, Azer WHR
🔹 Peenoise: @shipcod3, @jeroldcamacho, @japzdivino
🔹 Testalways: @testalways
🔹 NullIoT: @bytehx343 @0xakm, @mgthura404
🔹 saltedeggchicken: @Sn0rkY, Cher Boon Sim, @nbuzydebat
DIESEL DISPENSARY@CryptoChronicX·
Who wants a free jar of our brand new 90u Small Batch Live Rosin Hash?! Leave a Comment ⭐️ We will randomly generate winner to receive some free jars of our brand new 90u Rosin Ends Soon ⏳️
r00tdaddy@rootd4ddy·
@rez0__ This has been making its rounds for at least 3 months now.
Joseph Thacker@rez0__·
🚨 BE CAREFUL OUT THERE This is a new scam tactic. It looks like they properly spoofed a third party X app. If you authorize the app, they can do basically anything on your account.
r00tdaddy@rootd4ddy·
@techspence You're missing a whole lot here @techspence
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
What about all the other T0 builtin groups? EA, Account Operators, administrators, dnsadmins, dcom, cert publishers etc.
spencer@techspence·
Domain Admin shouldn’t logon to workstations. Here’s one way to restrict DA logins to workstations: Create a GPO… Computer Config → Windows Settings → Security Settings → Local Policies → User Rights Assignment → ‘Deny log on locally’ & ‘Deny log on through RDP’ → add Domain Admins Apply to workstations Done. Did I miss anything?
r00tdaddy@rootd4ddy·
@wadgamaraldeen I’m saying you didn’t try hard enough. Is there another gadget to chain it with at this moment? Maybe, maybe not. That’s what notes and JavaScript monitoring are for. Come back to it later. Reporting an open redirect on any bbp today will likely yield similar results.
Mustafa Adam Gamaraldin Abdalla 🇸🇩♥️
@rootd4ddy Who said I didn't try to escalate it and increase impact? Tried XSS and many other bugs before reporting it. And there is no OAuth implementation to try token theft. Open redirect itself without escalation is rated as low/medium severity. It varies from one program to another.
r00tdaddy@rootd4ddy·
@wadgamaraldeen But it did have zero impact to the company. You’re presenting a hypothetical. The quicker you understand that the quicker you will find real bugs. You should have kept that open redirect in your notes. Combined with an xss on another page would be an ato.
Mustafa Adam Gamaraldin Abdalla 🇸🇩♥️
@rootd4ddy I want to clarify something: I was never upset about not receiving a bounty, or about the decision to treat the vulnerability as low impact — even though calling it "zero impact" is a bit of a stretch, especially when it was acknowledged, fixed, and impacted authenticated users.
Gavin K@atomiczsec·
just got access to @PerplexityComet, let's see what this can do for security research : ) I have some invites if people want to try it out 🔥
7h3h4ckv157@7h3h4ckv157·
@PinkDraconian Chill bro. You can escalate. They’ll triage. It happens. Open a blocker.
PinkDraconian@PinkDraconian·
Please help me understand how the @Bugcrowd triage works. I've provided - Video PoC - Python file that spins up an attacker server to showcase the exploit Does @Bugcrowd have some requirement for me to host the exploit server? 1/2
Northstar@NorthstarCharts·
BITCOIN - It may turn out differently this time, but I don't want to ignore this entirely...
SniperAlert@StockOptions888·
I AM OFFICIALLY RESTARTING THE $1,000 TO $1,000,000 $SPY CHALLENGE NEXT MONDAY! 💸 I’M GOING TO RESTART AND LET EVERYONE FOLLOW MY EXACT TRADES FOR COMPLETELY FREE IN A PRIVATE X GROUP CHAT! 🦅 LIKE, REPOST, & COMMENT “$1K” TO BE ADDED! ❤️‍🔥 YOU MUST BE FOLLOWING ME TO JOIN! ☢️