Stanford has just leaked this free class that explains how claude and chatgpt work from the inside
The majority wastes 90% of its potential
Stanford teaches it to you in 1h50 minutes
Save this to favorites so you don’t lose it.
WingData from @hackthebox_eu features a null-byte Lua injection in Wing FTP Server for RCE, cracked password hashes for a pivot, and a Python tarfile extraction-filter bypass for arbitrary write to root.
https://t.co/fuS43FYvYz
Three ssh.exe -R reverse tunnels in MDE. Same binary, three different shapes.
1️⃣ -R 9090:127.0.0.1:8080: 1 IP, 1 port, 1 success, 0 failures. A fixed forward to one service.
2️⃣ -R 8888: 1 IP, 1 port, 1 success, 1 failure. SOCKS, but pointed at known hosts.
3️⃣ -R *:10400: 250 IPs, 5 ports, 6 successes, 296 failures. SOCKS proxying a subnet sweep.
The scanner never touches the command line. The IP and failure counts give it away.
You can now provision a whole Active Directory environment within Threat Hunting Labs Playground.
Use Atomic Red Team from the main console or get direct access to the provision resources to run your own tests and inspect the telemetry in the SIEM of your choice!
What if I told you that a seemingly secure endpoint returning 403 Forbidden could still expose another user's data?
In my latest video, I demonstrate a lesser-known IDOR bypass technique that can sometimes slip past authorization mitigations implemented by developers.
You'll see:
• A practical exploitation demo
• Why the mitigation fails
• A source code walkthrough
• The underlying security concepts behind the issue
• How developers can properly fix it
One of the biggest mistakes in web application security is assuming that a blocked request automatically means the underlying authorization logic is secure. This video shows why that's not always the case.
Watch here:
https://t.co/QP6lBOz8F8
WAF bypass + critical blind SQLi stacking up — this is what real bug bounty grind looks like. 🔥 Great work. The WAF is never as scary as people think once you understand how it actually parses input. 🐀
NanoCorp from @hackthebox_eu is a Windows AD box. A careers site extracts uploaded zips, so a .library-ms file leaks a Net-NTLMv2 hash. Then ACL abuse to reset a Protected Users account, and a Checkmk agent privesc to SYSTEM.
https://t.co/Cf4IxTPbIW
🐀 subScraper — Your Recon Command Center is here! 🔍
Full pipeline automation: Amass → Subfinder → ffuf → httpx → nuclei → nikto all in ONE go!
✅ Live web dashboard with real-time job tracking
✅ Stateful & resumable scans — pick up where you left off
✅ System resource monitoring (CPU, RAM, disk, network)
✅ Screenshot gallery, actionable reports & export to JSON/CSV
✅ Docker support (amd64, arm64, armv7)
✅ User auth, HTTPS, and auto-install helpers
Check it out & drop a ⭐ — 306 stars and counting!
👉 https://t.co/gpt9ovEdzg
#BugBounty #Recon #EthicalHacking #CyberSecurity #OpenSource
Subscraper - the one stop shop for all your subdomain needs https://t.co/fHiR4LAa2t
With it's built in workflow and FREE open source tech ... anyone can make this into anything you need/want
Interpreter from @hackthebox_eu features unauthenticated XStream deserialization in Mirth Connect for RCE, cracking a password hash from the Mirth database, and Python f-string injection through eval for root.
https://t.co/fRpWxJtyhk
MonitorsFour from @hackthebox_eu features PHP type juggling to dump users, CVE-2025-24367 for RCE in Cacti, and CVE-2025-9074 to abuse the Docker Desktop API and mount the Windows host drive for root. Beyond Root: a shell on Windows."
https://t.co/DtjU6qwqjB
IDOR is the bug that pays beginners their first bounty. Most hunters walk straight past it.
Run this on any target today:
1. Make 2 accounts — A and B. You need a victim to prove real impact.
2. As account A, log every request that carries an ID: /api/user/1043, ?invoice=88, /orders/55.
3. Swap in account B's ID. Test all four verbs: read, update, delete, create.
4. Don't stop at numbers. Decode base64 IDs (often just integers in a costume), reuse UUIDs you leaked elsewhere, and check IDs buried in JSON bodies — not only the URL.
5. Hit the boring endpoints: export, PDF download, "email me a copy", avatar upload. Devs forget access control on features nobody demos.
6. Always escalate. Reading a user's data = finding. Changing their password or reaching an admin object = CRITICAL. Same root cause, 10x bounty.
Why it pays: scanners can't catch it. They don't know A shouldn't see B's data. Only a human with 2 sessions does.
Go find one. 🐀