I read this last week: WC 24 September 2018

By | October 1, 2018

Here’s a few of the interesting and useful articles and tools that I’ve come across last week.

Articles and news:

Thick client: The attacking databases the fun/easy way

I was recently looking at a desktop application of a large security firm which manages the security of various large buildings around the UK……

50 Million Facebook accounts breached

Bugs in 2 features enabled mass harvest of single sign on tokens

UK Conservative party conference app leaks MP’s details

From the party that is pushing for back doors to encryption…

Security researchers spot first ever UEFI rootkit in the wild

Cybersecurity researchers at ESET have unveiled what they claim to be the first-ever UEFI rootkit being used in the wild, allowing hackers to implant persistent malware on the targeted computers that could survive a complete hard-drive wipe

Don’t put your .env files on the internet

This tweet by @svblxyz highlights a google dork that exposes numerous .env files that are leaking credentials

Tools and tech:

Bug bounty target data

This repo contains dumps of Hackerone and Bugcrowd scopes (i.e. the domains that are eligible for bug bounty reports)

Windows privilige escalation guide

Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for.

Hacking with Git: Git-enum metasploit module released

This is release two of three tools from Secarma’s talk “Hacking with git” which was delivered at Glasgow BSides in 2018.


Correlate data between domains, ips and email addresses, present it as a graph and store everything into Elasticsearch and JSON files.