Rayan Bouyaiche (@rayanlecat) 's Twitter Profile
Rayan Bouyaiche

@rayanlecat

Pentester @quarkslab

ID: 891705900137893888

Link: https://rayanle.cat

Date: 30-07-2017 17:03:48

1,1K Tweet

1,1K Followers

795 Following

Daniel Heinsen (@hotnops) 's Twitter Profile Photo

It's alive! Apeman is a graph-based tool to model AWS IAM permissions. This marks the start of a new journey to methodically identify and remediate IAM attack paths, and I look forward to learning together with y'all. github.com/hotnops/apeman

Laluka@OffenSkill - RDV@BarbHack ! (@thelaluka) 's Twitter Profile Photo

Hello citizens of InfoSec, I am very happy to announce my new adventure: OffenSkill! offenskill.com youtube.com/watch?v=g5KP9C… Following my departure from ManoMano (miss you guys 💌), I am going full-time (finally?) as an independent worker!

Critical Thinking - Bug Bounty Podcast (@ctbbpodcast) 's Twitter Profile Photo

Latest episode is live! This time around Lupin and I discuss our experience with Google's BugSwat LHE and the takeaways from that experience. It's a chill and short episode - a lot going on in Vegas this past week. Sit back and enjoy! ctbb.show/84

GreHack (@grehackconf) 's Twitter Profile Photo

Hey folks 🚨 AWESOME NEWS 🚨 Our second winner is very generous and offers to give away his prize, the "Learn Fundamentals" by OffSec 🤩 Two rules: 🔔 Follow us 🔔 RT We will do a random draw on 08/30 (Remember, prizes will be distributed during the #GreHack24 CTF)

chompie (@chompie1337) 's Twitter Profile Photo

The past year has been amazing. From marriage, to Pwn2Own to a Pwnie Award, I'm so grateful. I'm using the money I've won from hacking competitions, bounties, & RB for two ppl to travel & attend Hexacon, the premier offensive security con in Paris, France. forms.gle/zt9RaR7EEvTxWG…

Rayan Bouyaiche (@rayanlecat) 's Twitter Profile Photo

I just completed the "Dojo #35 - Chatroom" challenge on @YesWeHack! 🚀 Can you do it?: dojo-yeswehack.com/challenge/play… #ChallengeCompleted #YesWeRHackers #YesWeHackDojo

Critical Thinking - Bug Bounty Podcast (@ctbbpodcast) 's Twitter Profile Photo

Wow, a ton of crazy research dropped at DEFCON this year. This week, ya bois got you covered with practical takeaways on integrating all those gems into your workflow. Feat: the PortSwigger Research team's research hat trick, and a bit from Orange Tsai 🍊. ctbb.show/85

Ash (@_bin_ash) 's Twitter Profile Photo

In the past year I've seen SO many weird permissions granted to the "Domain Computers" group in environments. Always check outbound control from this group! See below for how to gain "Domain Computers" permissions, for later exploitation (with many links from Charlie Bromberg « Shutdown »):

Sonar Research (@sonar_research) 's Twitter Profile Photo

Critical Roundcube XSS technical details: Desanitization, unsafe Content-Types, CSS exfiltration, and a Service Worker come together to persistently leak emails from a victim's browser. Read about it here: sonarsource.com/blog/governmen… (CVE-2024-42008, CVE-2024-42009, CVE-2024-42010)

Hack'n Speak (@hacknspeak) 's Twitter Profile Photo

🇫🇷🎙️New episode of the Hack'n Speak podcast with David B. & vdehors, three-time Pwn2Own winners 🏆🏆🏆 On the agenda: feedback from their experience hacking Tesla and some juicy anecdotes 🚗 Happy listening, everyone 🎶 podcasters.spotify.com/pod/show/hackn…

quarkslab (@quarkslab) 's Twitter Profile Photo

Operator Fabric is an open source platform built by the LF Energy for use in electricity, water and other utility operations. Last May we did a security audit sponsored by OSTIF Official 🙏 Read a summary of our findings and find the full report here: blog.quarkslab.com/audit-of-opera…

Laluka@OffenSkill - RDV@BarbHack ! (@thelaluka) 's Twitter Profile Photo

Hop hop hop, it's in a month and there are 2 spots left! 🌹 I'm taking the opportunity again to share some info: - Students not in a work-study program get a 50% discount 💌💌 - Work-study students and people who recently retrained into security also get 25% 💌 If you're interested -> the rest (promo code) by DM!

quarkslab (@quarkslab) 's Twitter Profile Photo

Chamilo is an open source e-Learning platform written in PHP and used worldwide. During a red team engagement Quarkslab's engineer Mathieu Farrell learned how to exploit it for Remote Code Execution. Now you can too: blog.quarkslab.com/exploiting-cha…
