I'm happy to share my story on bug bounty journey. Thanks bugcrowd for choosing me to make inspire everyone in the community 🙏.Be patient, focus and keep ethical success will come to you 💯💪🔥.

RT @vxunderground: Dear Red Team nerds,. If you're curious what a successful and serious malware campaign looks like (if you want to make a….

RT @infosec_au: IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic thr….

RT @th3anatomist: 🚨 We got RCE on Solana 🚨.Finally revealing FULL details about the RCE vulnerability we found 2 years ago. Found it. Lost….

RT @sw33tLie: Do you think autonomous hackbots will significantly reduce your #bugbounty income within the next 5 years?.

RT @caseyjohnellis: I’ve been getting asked a tonne of questions about XBOW and bounty hunting. Von and I did a security flash last week af….

From there Red team make a request to api on ESB (Enterprise Service Bus) to make call to core banking with command to transfer money to attacker's account. All done with just 1 request from SSRF. What makes it so perfect? 👈🥷.

An interesting case of stealing money from a bank with unlimited amount and stealthily. With initial access as 0day SSRF on Exchnage which Microsoft said won't fix and a cool chain when combined with hardcoded machine key exploit in an internal application 💣💥.

From SSRF to RCE and transfer money in core banking. It is really cool red team case. A perfect combination of external and internal vulnerabilities for each other to bypass the monitoring and detection of the blue team. Present by my colleague @_q5ca.

Nowadays, AI has developed to an amazing level and applying them to find security vulns or analyze 1day vulnerabilities is no longer as difficult as before. I really feel that AI will replace these jobs but the hacker mindset will be something that AI cannot replace 👈.

Sometimes finding these vulnerabilities will require a bit of a Red Team approach. And I really love Red Team job 🔥.

They decided to put it in the interbal. The functionality of this product should not be exposed to the internet. I believe there are still many 0day vulnerabilities related to deserialization still exist in many commercial products written in .NET, Java 💣.

I think it is more difficult to get access to the installer or source code of a commercial software than to find a vulnerability in a large product like this. We found a serveral vulnerabilities including pre-auth RCE 2 years ago and reported them to Apple 😃

RT @clintgibler: 🔥 𝐀𝐈 𝐑𝐞𝐝 𝐓𝐞𝐚𝐦𝐢𝐧𝐠 𝐏𝐥𝐚𝐲𝐠𝐫𝐨𝐮𝐧𝐝 𝐋𝐚𝐛𝐬 from @Microsoft .12 free labs to up-level your hacking skills from the “AI Red Teaming in….

RT @stephenfewer: A new @rapid7 Analysis of CVE-2024-58136 was just published to AttackerKB, courtesy of Calum Hutton 🔥 Affecting the Yii f….

RT @GodfatherOrwa: Video of my talking in #PHDays at @PTsecurity_EN . Hope you like it and enjoy it . #bugbounty #….

RT @thezdi: Outstanding! Nguyen Hoang Thach (@hi_im_d4rkn3ss) of STARLabs SG used a single integer overflow to exploit #VMware ESXi - a fir….

The world will burn again 🔥🔥🔥.

Amazing. Congrats my colleague 😍.

RT @_q5ca: Happy to share that my colleague @vudq16 and I will be speaking at PHDays in Moscow 🇷🇺 next week, May 24th. I’ll share a story f….

RT @thezdi: Boom! Viettel Cyber Security @vcslab was successful in demonstrating their attempt against NVIDIA Triton Inference Server - th….