#general

And so

BECAUSE IT IS SHIT

Posh

loool

Petition for Scotland english to be called scottish cause that aint english

It’s not

@wooden python

better then the american-alternative

You’re blind

Lots of DFLs here

Have you been to Peak District

There’s so much people down south

Little further East and price goes down some

getting stabbed in london or getting in a car accident in egypt, choose your fate

...until you hit Rye

Just a wee bit

Going to uk and joining a gang would be a side quest

Then you're in old person territory and high rent again

Bought a house over here on east

And fking hell

main quest: consume 100 greggs weiners

It’s like double the price

Love peak

Egypts traffic is something else man

Exactly!

You’re blind

It’s actually easier to not join a uk gang

They’re unemployment final bosses

Thats why its not a quest

U from Egypt?

car accident cooler more instant

Tescos started stocking greggs sausage rolls in frozen packs

Hang outside houses

Close

NOT WVEN REMOTELY

WDYM CLOSE

So you are from which gang

I tried to do Tescos bug bounty program

i should visit a UK Costco next time i go lol

I burned myself on a frozen greggs pastie…. Twice….

In the same spot….

Pastie?

wolo what about oscp

Theyre so good

How did that go

So lightning DOES strike twice

I wanna try and see whats that hype about jacket potatoes in UK

I wanna eat first

That makes no sense

but I'm sticking with it

If you come UK get yourselves a nandos

Anyone planning to become a bug hunter here?

THEN EAT THE FOOD BRO

Looks pretty good on vids

They ain’t cheaper no more

STOP YAPPING

they have nandos in other countries too

It’s not about the potatoes it’s the vibe

We had a Nandos for like... 2 months

You see

But nandos is good

Then it closed because it was crap

We’re cold

And

Oh fuck acc?

Then there is something warm

ngl, best chicken is jolibee

And starchy

I was! But I wasn’t good at web back then

Why tho

😭😭

And buttery

yes

Ahh fairs

Well nvm

Come here to get Greggs

No I mean.. if they did the food well it'd be good

...but they didn't

So the taste is mid according to you ?

And a chance to get stabbed 🤠

no tag

But the environment influences it a lot

If you’re lucky even robbed

Ffs 🤦‍♂️

avg london experience

Jacket potatoes are generally mid… but when youre cold theyre like a belly warmer that is fluffy

Yes

We should delete London

@cedar fable This is g0blin my good friend and cofounder of HackTheBox.

And brum

Or have you met

Such vast empire and still no spices

I know g0blin 🙂

Interesting, u from London?

which london

Nyope

london, or city of london

He’s helped me out to get a job

I am not from that cesspool

Anywhere in UK ?

anor londo

Everything

Yes

I am a southerner

Who moved up north

Dont troll

And now wants to go back down south

Good choice

Literally

Yeah dont troll literally

TERRIBLE CHOICE THERE IS NOTHING HERE

Only good thing down here is: you could sell your house for a higher price

I found out about those potatoes from that one brother yt channel

And this is Golam. @scenic maple, JavaScript nut and web dev extrodianare

Which is sort off good

IT TAKES ME FOUR HOURS

TO GET TO LONDON

That garlic butter was good ngl

You don’t understand

UNO DOS TRES FOURRRRR

Do you

day-trip distance

I am not trolling bro my router shuts itself off

just drive

You doing uni or something

No

I think running might get u better stats

I missed

The train back

Hii golam

Twice

wolo is a professional unemployed friend

imagine having trains

^^

just drive

Why would u ddos someone thats mega stupid

get a pickup truck

😭😭

Trains are lifesavers

Henlo

Uhh for specific reasons

Some people distro hop, wolo cert hop

Golam is actually better at web than me! But he doesn’t like to admit it.

Trains are kidney stealers

OKAY OH MY GOD ILL GONSTUDY

Damnnn

Wombat moment

What?

Def for them old hags

https://www.youtube.com/watch?v=giE5-sKMa4Q&list=PLB7ZcpBcwdC5V7encRbWQdst2keI78jyL 👀

That one hurt my soul a little piece of me died when you said that.

If u ask again u will loose access here

Why?

is a crime

as soon as I saw the reaction I thought "g0blin's emoji xd"

Cause its illegal

we dont do crimes

Die

what the hellie

I know but its my friends minecraft server so i can have some fun huh?

No

Inb4 ban

generally no actually, since its probably running on someone elses server

https://giphy.com/gifs/Ra1bmpxpsppNC

or atleast someone elses ISP

Back in my days trolls used be creative

On his pc

Sounds like owlsec already 🤠🤠

#agent47

they deleted my message, they're trying to censor me

What that mean?

still could cause issues to other ISP clients

Youre an idiot

Like

🥛

Yeah thst true

Do you think youre the only person coming in

Asking that

Pretending it’s someone you know

Let people say what they say

We dont like illegal stuff

So just shoo

Yeah but except we don’t have an egotiscal maniac who doesn’t actually do anything with his time as a server owner

Man it's not even Friday

Alright buddy

That’s so true

can someone teach me how to hack wolo

Gosh that was a phase of mine

Embarrassing moment 💔💔

Try sending him a totally legit .exe file

Fact that this was related to agent shows how creative he was

Ill hack you lil bro

@austere sinew check dms

Doesnt wolo fall for phishing links

not if you keep yapping

Wait I have a funnt story

You’re here now! So that’s already a start. Now, here’s the low down. #modules is where you go to get help with academy.

When I had an interview with someone recently

They spoke about phishing links

Ur age?

And then like 5 mins

After

Uh huh

That interview

wolo and interviews, biggest lie ever

I got an email offering me 200 dollars to talk if I had an interview with

A big tech company

Bro had an interview with agent47

And I hovered over the link was dodgy af no less

Thats very convincable

I can say who in DMs

Its def agent47

Nah, MI6

Day 23 of asking Golam if I should take a Node js class

Do rust

Nah thats ISIS shit

Lmao

you don't take a nodejs class a nodejs class takes you

Is c better than python?

It depends

Like what?

They both have a purpose and a place and different advantages

any yappin' today?

It depenss

hella yappin today

Like what?

It's ramping up

I wouls say php first

Don’t you mean hacking?

C for lower level, speed sensitive stuff.
Python for an easier DX, and more libraries to do stuff etc

I have written a new article

rust for mentally ill people

Yeah i know python very well but i literally know just how to make a calc in c

Node for that rush every time you install deps as to whether you get owned or not

Doing stuff in C takes way longer, so python is better when you don’t need the benefits of it

it's in #community-content I dont want to turbo spam it

Bro just skip everything and do dart

read the C programming language

book

Whihc book?

bruh

(jk I love node, but lool did you see the compromise that shipped that ai agent with some package recently)

Dart on top

Owned or not is a good npm package idea

I mean send me book cover or send pdf

I can’t wait for the AI bubble to burst

Thats the book name

Search on google

Ohh

My

God

https://www.endorlabs.com/learn/supply-chain-attack-targeting-cline-installs-openclaw

Super sigma

Thx bro/sis

Ow that bot

insane aura

Everywhere i gp

Go

I see his face

Yup, someone added as an install dep for cline after obtaining a token for the repo

is the blackhat python book any good?

best is htb academy

Maybe

valuable opinion bro

👍

htb academy + portswigger labs + developing some projects to learn code

the python module?

I would say is amazing for web stuff

I did cbbh and cwee path

its amazing

academy in general

Man I so need to actually start one of the paths, keep saying I will, then just.. not

academy?

Guys you know when i was a newbie in puthon ,i used crypto instead of pycryptodome and i always kept getting errors so i dont know how much time it took for me to relize that pycryptodome existed

same

Try wifi

This happens

CAPE 🔛 🔝

try Modern Web Exploitation Techniques and when you get to DNS rebinding I hope you can give them some feedback because that part it's a bit difficult, even knowing how it works and having done that attack before

I couldn't make it work

That technique is fun

heck yeah

I remember using /feedback

If u dont know php in lfi/file upload module ur cooked

xd

Learn php for cwes guys

dont tell me what to do bro

😾

i came here to hack, not learn PHP

😼

gets stuck in skills assessment

any php enjoyers in the chat

Dont look at me

PHP = PreHackingPreparation

dont be shy

this is a safe space

No i dont like

But i used to hate it

Not anymore tho

yes.

turbo

I shall soon be going to a career fair and an interview later today

I remember i used todo crazy math
Now I need calculator if addition isn't multiple of 10s 💀

name 10 integrals you solved

I skipped integration and differentiation
Cuz i skipped 1st year of graduation, got into 2nd year directly and they teach that shit in 1st yeat

They also do it in junior college, which i skipped too
So i had to learn less about math and stuff
More about technical stuff (electronics)

fym skipped

here you can skip 1 subject per year and carry it into next year

If u do diploma, you can skip a year in graduation

Automatic S (9+ grade) in 1st year

oh thats whatsup

Cuz i just have to do like 2 exams?
C and some stupid thing

so you dodged a wholeahh math class??'

Yep

amazing

My highest level math is from 10th class

Matrix ig

bro barely knows addition

Well guess how much i suffer from it

I was good in electronics labs cuz

Other spent time on math and physics chem etc
When i was fw electronicz

and i barely know jack shit in electronics, but i wish i knew more

i know how to tinker around arduino and such

but dont ask me how current works in some circuit

You forget about it if u don't touch it for half decade tho

@supple plume time to lock in

Let’s get out there and lay claim to those bugs

you know what

I'll do that now

any program that you would recommend? my strongest skill is probably code review

For code review specifically? You can run the tool bbscope and it will scrape all your public/private programs, then grep for github

Otherwise there are executable programs, like Epic Game's fornite you could probably reverse and read

Or look outside of BB platforms like google/apple/microsoft, I think each of those has OSS in scope

Thats mega big brain

I should probably work on that htmli

Yeah msft has open sourced stuff in scope here https://www.microsoft.com/en-us/msrc/opensourcebountyprogram, i know google does. Not actually sure about apple's scope

Is this the VDP one?

It still takes a click
I am trying to find out if i can leak the cookies in GET with img tag

Yeah

They accepted 2nd xss

Not in scope cause release was delayd but a bug is a bug they marked it no applicable so that it doesnt harm my profile

I dunno if thats even possible cause domain wont match

Just HTMLi with no JS?

I have to look for programs that have that domain list things thats super helpful than just bruting all domains

Yes

Can do all other things

Except js

Probs something todo with execution window

any htb staff here i can DM?

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

its not quite support

Dunno then

its complicated

Yeah then it wont be able to access document.cookie, maybe if there is a token in the URL it could be leaked via referer, but otherwise not having JS limits you

Tbh

Hmmm still worth looking into ig

relationship advice? Health advice?

https://tenor.com/view/sad-cat-cat-in-front-of-sea-gif-16930437336998530733

nuh uh

What is stopping the HTMLi from becoming XSS? Does it remove on* events?

mr brewer do you recommend intigrity?

If you need to speak to someone from HTB, then honestly support is your best place to start. If it's not support, can you just ask here? If you can't ask here, then again.. I'd recommend support tbh @willow storm

I've heard good things about them, but I personally have not does anything on that platform

do you recommend any platform specifically?

I personally like bugcrowd, although I have heard that H1 has better triage. Synack used to be good but has gone downhill in the last few years. Otherwise those are the only 3 I have worked on

At the end of the day most platforms function the same

A lot of people think "oh I havent had success on H1/BC, I should apply to SRT", but if you havent had success on one platform, switching wont immediately change that. That is to say the platform is less important, your time/dedication is more important

thanks for the advices and info

😄

Ask Claude code to find a bug in a repo
It says it found a flaw, It creates poc.js, False positive
It says it found another flaw.... in poc.js

Such advanced

webkit? 👀

yeah

Decided to give it a go to see how claude handles it

Nice, I read over the apple scope yesterday

Is the second one a false positive?

No it just wrote bad code

lol. That checks out.

wasnt a vuln but didnt properly call a function right

Totally forgot about a session I left running with MiniMax M2.5 on that cube task.. dang it delivered.. https://asciinema.org/a/oKZXRAfmjrFImdfE

https://tenor.com/view/my-beloved-my-beloved-my-beloved-recursion-heart-locket-open-infinite-love-gif-214555301530938137

I'll prob reread the webkit code

manually

but pain

oh yeah doing things manual is pain in 2026

thats what we have becometh

It's how I found most of my bugs, ai hasnt been much help

Is your goal bugs in iOS or safari?

I just need 1 any apple bug

so i can add it to my roster

bro is collecting bugs like pokemons

reviewing jsc so safari would be likely target

https://tenor.com/view/my-beloved-programming-cpp-cxx-cplusplus-gif-16471392368870325135

I was looking at the safari scope yesterday, the pay range jumps like crazy between webcontent arbitrary read/write ($5k) and webcontent sanbox escape read/write ($125k). I feel like there should be a tier in between lol

Chrome's baseline starts higher, but doesnt go as high for code exec

Would you find and report bugs in my software and give me detailed instructions to fix them (I will not pay you)

Yeah i got a chrome CVE

only paid $5k

and was a high CVE

was able to use an image to steal NTLM hashes from the browser

memory corruption? Or what vuln class

Oh nice

let me see if i can find the video

Did they just call it info disclosure?

How do you find them that easily?

When I struggle to exploit a program that I know is vulnerable to buffer overflow

he's just goated tbh

I just read through the code

this one was specifically in the file system api

You have the source code for that?

Chrome is open source

Oh

And fat

"claude pls find me a browser exploit, make no mistakes"

Like.. PHat

At least if you are building it haha

Kernel is easy mode compared

ive seen some codex setups that go "solve this htb medium machine" and mf "bloods" it

I don't get it
I guess I'm both really bad at jokes and IT lol

🙂

Trolls..

I think he means chrome has a high PH

OHHHHHHHHHHHHHH

I get it

😄

No

Trolls

oh lol

https://youtu.be/VgUVPZ7ZgEc

I kind of want to poke at smart contracts

I heard web3 pays well

I need to get a GF and break up to start my arc

huh
must have forgot about this part of the movie

I mean I always thought of chrome as being acidic, no basic, but I suppose it could have a high PH

Hahah

yes

I thought that at first when you said it lol

Sounds like web3 will be your next target

I gotta get my $1m goal for this year

but i also downloaded WoW

Bro

Stop

as a fellow korean, please teach me your ways

I play WoW as well

Frospite is Korean?

Waiting for Midnight

part korean

Pizza. If you dont have that kimbap, galbi and kimchi

Hahah imported a basic car model (sans wheels) and that terminal renderer spat it out fine https://asciinema.org/a/YYQU4E8z3ssmdCUO

Are you Korean?

no please frosto it will just take ur energy and focus and you will immerse into it dont do it we were meant for great things.

speaking as ex pro dotes player

yes

I have all of them

I use to do pretty good in league was a plat and diamond

rookie

you gotta be #number in region

shaming my korean side with top 2% on season 5

😼

LOL

North or South Korean?

top 150 wow degen

guess lol

North

nyo

I was top mage on my realm for a few years

for pve

Ohhhhh

Ohhhhh

South?

yes

I did Light of Dawn in 3.3.5 server first with my guild, and had like a bunch of gladiator teams

Lmao I guessed it in 2 tries

and played arena tournament 3.3.5 against hydra and kalimist

The new wow xpac Midnight comes out next month

supposed to be huge

unlikely to find a south korean hacker that speaks english, speaks in discord, and is a teen lol

nice try diddy

Wait you speak English?

March 2nd

I know I'm talking to myself, but wonder if I could take a more complex model and do some sort of decimation to reduce it to something that could be rendered in the terminal..

LOL

I do indeed

Oh

hi g0bbo

I just finished a beta build ❤️

Hey, sorry we didn't talk last week, it's been a bit shit

How're you?

all good im getting married tomorrow

lol

WOOOO

No

CONGRATS!!!!!!

thanks. 😄

No, I'm not talking to myself, or no I can't do it?

Because one is nice, and the other is a challenge

Yes

Ok

Well, I should've worded that better

Is this more 3d ascii cube stuff?

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb

Yeah, just left over from a job I had running last night I forgot about

Just a stupid little play thing, but fun

You're not vulnerable

yall play mc?

oh g0blin is still here, have you been yapping the whole day

I don't need to explain myself, I did that already

https://tenor.com/view/orangutan-hide-funny-grass-gif-12473035910100820179

nah it's ok, I've been irl yapping the whole day

Gotta get those yaps in

lost our supreme leader today, was his farewell party (the driest party ever, but anyways)

Is that ur gf in ur pfp?

his title actually roughly translates to supreme leader

I hesitate to ask but.. retired, or?

Congrats bro and best of luck

U might need it

he kind of levitated upwards, closer to where politics happens

Aha ok

Levitate

personally I try usually to avoid politicians, but my track record on that is not spotless anymore

Freakin house scene with occlusion culling 🤣 This is so dumb https://asciinema.org/a/pxwMuETRzf91jQm5

Ye and politics gives u power if u know how to play

where can i find these and import them into my term

It's just a little script I'm playing with, isn't anywhere atm

if I want power, I'll go to ceo route, not politics

Could chuck it in a repo if you really want

I'd make a nice tech bro ceo

Cep route is good if u want power in ur COMPANY and a bit of influence outside of it

first I need lasers. and rockets. and a huge AI farm.

Will the ceo pay for his employee's certs?

the rest will come together, trust me

💀

if that means I have absolutely the best talent, yes

it's one of the cheapest investments available

Can u hire me then?

will you pass the security clearance checks by the state secret police

Ye I should be able to

noice

Won't u?

What if someone fails

If no then it's just a skill issue

I have already passed, all 3 levels

Nice script, nice mental workout I bet. However how are you going to make your next billion

Next? Lemme work on the first first

Was mostly a workout for this 4bit quant of the MiniMax M2.5 model locally, to see how it performs

and it's done pretty nicely tbh

U should have at least 2 billion by the age of 50

Nice, I also tested some 4bit quants lately, but more for language tasks.

Nemotron fp16 is quite nice also

but m2.5 is a bit heavier, hence 4bit

Was funny running 30B parameter llm on pure CPU with okayish performance, without any real accelerator.

Advancements advance. Couple years from now things will look crazy

for sure

We've come a long way from Will Smith slurping his spaghetti

And the Indiana Jones movie where every scene with AI youngened Indy looked uncanny

Holy crap, that's actually pretty cool

Now I think it's time for some video games

Full vibe coded for fun, but learned quite a bit and reminded me of coding silly game engines ages ago 😄

(back then WITHOUT AI haha)

I'll add the prompt history later when I get back

@rose onyx thanks for letting us know. you know what 😉

Np

red role ping

I gathered

hello

😄

this is cool

dang now i'm craving Korean food

really? can you share a bit more about the setup?

Hello, sent you a dm regarding moderation 🙂

HUH

https://labs.hackthebox.com/achievement/challenge/151479/1147

FUCKING FINALLY

Looking forward to it

hmmmm, whatcha craving?

from what I heard, mods are chosen by current mods and staff if there is a need for mods and one is nominated as a potential mod

Ye

Can anyone pls help me make a group in telegram. It gives a message "Sorry, you are not allowed to do this."

?

I don't think anyone will help with that tbh

No

I need that for my studies 👨🏼‍🦯

Lol

I know everyone laughs but my homies only connect with telegram,😭

Just so u know, ur making it worse

You are telling me that you are not asking your so close 'homies' to make a channel but a complete stranger from a discord server to make it.

Updated with the prompt history, and clear statement about how the code was developed

No bro 👎🏻 I don't need your help 😔

I wish more tools made with AI would include their prompt history and such a statement tbh

Helps everyone learn

hmmmmmm

that would be nice

Suppose I could add the script which parsed the raw prompt history markdowns in to that end file too

Yo mods can you guys help me 😅

So true

No, only Telegram can help you.

If it says you're not allowed to create a group, then for some reason you are not allowed. Google for why that might be.

Otherwise reach out to Telegram support (good luck)

I'm reported but no response for many weeks

We can't help you, sorry.

Goooood mornin

Anyway thanks. Good response

It's good night now

Timezones ✨

Hmm

I'm pretty new to AI and stuffs and just knows the basics

But what type of learning did u use?

Supervised?

The local model was out of the box, 4 bit quant from the minimax-m2.5

hello cloud 🙂
any news on CDSA?

Some was done with opus 4.6

It says that in the readme

😉

I'll get the retake taken care of this weekend, shouldn't be too bad

😄

I use Kilo Code currently for the prompting personas

wait, results came out?

Ya

Oh ok

ah

Damn cloud

you'll crush it

How are u

Hallo I'm good

I'm watching tv and trying to wake up

What's up with tht pfp? Where's the majestic cat ?

I like fallout

I've added the script used to extract prompt information and generate the prompt history markdown file too now @bronze lion 🙂

More than persona and exp 33?

Oh damn , thanks a lot mate;

Is a man not allowed to like things without ranking them lol

cutieeeeeeeee

No

It needs updating if you use it as it has some static sections but yeah

can't update it from my phone 🤣 🤣

can a person not like two things at once lol

Well I don't know how to use it 😃 . Im gonna use it to understand more abt it

hi chat

I feel like I'd find a way to get family guy episodes on my pipboy

Y'all got games on your pipboy?

Well, essentially I extracted the prompt history from my three sessions in Kilo Code (VS Code), then you add them to the file list at the top. There's a section describing the project a bit further down that is static. You then just run the Python script and it'll extract and construct a prompt history markdown file like on that repo

What

Oh ok

I'm terrible at using the reply feature..

U deleted it suddenly lol

He replied to the wrong person

So he fixed it

I didn't reply to anyone

so I fixed it

Ohh

😄

I'm enjoying C++ more then go

hi 🙂
how's your day going

Still decently early, but alright so far

Oh ok got it

yo yo

Easier than I thought

Thnks

I laid in bed last night

Slightly not sober

And my last thought before I drifted off to sleep

Was

Taco Bell

Man, I'd kill for some raisin bran rn

Was..

💀

I like cereal

There is no need to kill someone for ht

Where's the fun in that?

True lol

Found a 2FA bypass in a plugin

It's storming

lets goooo

time to do the rain dance

https://klipy.com/gifs/minka-madebyminka-36

Why rain dance it's already raining

When will we get 4FA

if 2FA is so good, why is there no 3FA??

Cuz odd number

Because this implies 2fa is used properly

Reeeee

https://tenor.com/view/sad-cat-car-silly-cat-sad-scary-gif-12889095585962936860

@scenic maple what are you typing lol

4 is unlucky, haven't u seen jojo?

I am mot entirely sure based on my testing it removes stuff like script tags and args such as onload etc

It might be that js lib used to sanitize stuff but i checked with a latest bypass but doesbt seem to work it could be that its a whitelist

ramadan mubarak

I did , the beginning seasons

Did you run through all on* events? Yeah it may be using a library that removes event handlers

The anime entirely is peak

ramadan mubarak for all muslim hacker :3

Yeah i pretty much tried ecerything on xss payload all the things

Oh it's tday?

yes

Best i can do is a link or other html

Ramadhan mubarak to Everyone

Ramadan lasts for a while haha

Did you fuzz with all of portswigger xss event list?

I should try iframe ig

https://tenor.com/view/spider-dance-ilp-gif-10968519049859801761

ty my brother

Hmmm no i will try today ig

ramadan mubarak

btw, golam, how's the problem going

Just start with fuzzing the events once you get a valid HTML tag, so like <tag §event§=asdf> and fuzz through onerror, onmouseover, onrawpointerup, etc etc

I found out the math formula bruteforce wont help with O(n) since it becomes 1x10^18

Math : 👁️

uhhh

What's the problem

https://tenor.com/view/cat-blink-plink-black-cat-silly-cat-gif-5790979146903536700

don't think that hard lol

I wanna try it too

10 with 18 zeroes

Is how that is read

Btw

yes

1000000000000000000

I'm bad at math

Do Challenges progress towards ur Rank too or is it only machines?

active machines and challenges

so yes

I'm good at math

Active challenges and boxes brotha

Yes alright

How does it know if its posituve or not? Cause i found that img tag works
Also fuzzing would be a pain cause it takes around 7 seconds to load
I tried those payloads manually or by xsstrike

I know its a stupid math formula but the thing is you need to know it beforehand i guess i will look it up

I have to join my boss on a client call today

its not a formula lol

Just plop them in burp intruder, then see if the event is reflected in the response, if it is you can build out the payload further (that is why I dont include alert() or anything while fuzzing, just <event>=)

its simple maths ig

Formula is a formula

want me to tell you the solution, give a hint, or tell nothing

https://tenor.com/view/math-is-math-incredibles-the-incredibles2-i-dont-know-that-way-why-would-they-change-math-gif-15024041

Tell nothing

cool

gl

Thanks G

Wait but wont i need a js execution window for it to work

Cause intruder only sends http right

Without a console how do i see js being run

Right now you are only in the HTML context, so this is just building out your payload to see if you can get any JS. But the XSS payload will fully appear in the HTTP response

General XSS fuzzing is like:

1. find allowed HTML tag with portswiggers tag list
2. find allowed event handler with portswiggers event list
3. build out JS payload (alert() or similar)

This is Very interesting

Saving that to my notes to dig deeper later

xss is such a memed vulnerability class but then you look at people who are good at xss and they pull out some ninja shit

The payload gets cleaned by client side js

So if intruder can help here my mind willbe blown

I am digging into this next thing tomorrow morning

https://hacker.g0bl.in

Bro wrote the math formula

It was C1ouds idea

I think?

Or he gave me the idea

I dunno

Where do i get my user id please?

you did? or am I missing another joke

XSS is so underrated. If you are good at recon of the target and writing payloads, they are absolute fire

Click top right on labs, hit profile

https://g0blin.co.uk/xss-and-wordpress-the-aftermath/

Go to link

LOL

he really did

Bro bullying wordpress since day 1

hi brewer I got fumbled by the BBs

Nice blog, a fun interview question is "what is the impact of XSS with the httponly flag set" (or unauthenticated XSS)

Wordpress is developed in PHP so there’s no bigger insult than that

the answer is

Shots fired

PHP with Octane as the interpreter is fast as fuck boiiiii

technucally speaking you should still be able to make actions the user does from the console

very impact

Much impact

p5 and marked as duplicate

and out of scope

what if it's unauthenticated (you'd be surprised how many people get stumped by this)

Not replicable

well if its unauth you could still run js on the users browser and mine crypto

or phish them ig

but its not real impact

p5

what would you have answered?

unauth XSS is higher impact by bugcrowd VRT

what why

https://tenor.com/view/writing-too-fire-fire-writing-writing-fire-friendcord-gif-7801118907023267493

oh i see now

cause it impacts everyone(not just loggedin)?

Big show

Miss him

😄

Heya frost

😅

its just a good question to see how people think. Basic thinking is like "steal cookie", but thats why the question specifies httponly or unauth. Mid level answer is "xss can perform any action in the users browser", but again people focus on authenticated xss. So anything from fake login page, driveby download, etc show a little creativity

Hes fbi look