It would be fun to see what suspicious files or processes there are running. Or if i can find the keyloggers programs.

I'm working my way through the PNPT cert and on the web portion it covers the basics of XSS attacks (reflected, stored, DOM), then it shows you how to do a few examples.

I'm trying to build a methodology but it's a bit challenging. Most resources online either just tell you about XSS attacks and how to prevent them, how to solve very specific examples, or their methodologies are for more advanced situations beyond the scope of the course (i.e. filter and WAF bypassing).

I have a decent understanding on how each type works, but when faced with a challenge, my mind blanks out on how or where to start. Any tips on this?

Someone I know claims they got bored and hacked into a university they were waiting around in. The security found them and talked to them. Over the course of the conversation, they laid out all their system's flaws, and the security offered them a job. They declined, since they don't live nearby but was planning to move soon, but they were told a job would be waiting for them when they eventually moved nearer. They say this is fairly common in this line of work.

I think this is a bunch of BS. Here is my reasoning:

• They admitted to and were caught in the process of committing a crime, and were... offered a job? No company I know will hire you because they "like your moxie" cos you did something brave, like it's the 1950s.
• They declined the job and still got no reprimand for blatantly breaking the law? Surely the alternative to working for the uni is going to jail? Like you're clearly a threat to them.
• The uni caught them with facial recognition cameras according to this person? Idea is they knew this person wasn't a student. No-one else there has had their out-of-campus friends flagged by these cameras, which I've never heard of any uni having, especially not a struggling uni in debt, like this one.
• No job I've ever had, applied for, or heard of, will hold a job placement for you. If you decline, they'll find someone else who lives nearer, they'll outsource, or they'll just not hire someone. No company likes you that much, unless you know the owners, or it's a small town business.
• White-Hats surely aren't hired by... committing crimes? Then they're not a White-Hat, right? This can't be that common in the industry and sounds more like a film cliché: "We know you're in prison for hacking Shady Corpo TM and giving the money back to their clients, and we're willing to wipe the slate clean if you do this one job."
• This uni has been laying off staff left, right, and centre, due to the aforementioned debt. I personally don't think a cybersecurity specialist or white-hat hacker is extremely necessary when they can't even afford enough lecturers.
• What does "breaking into their system" actually mean? In my extremely limited experience (in that I have none) people who say this mean they guessed a password, found a PC that was already logged in, or tricked someone into giving them a password. Doesn't sound too "white-hat" to me...

Please tell me if I'm being paranoid, or if my instincts are right on this. To me it sounds like an impressive tall tale made to impress, and conveniently doesn't have any consequences.

Hey guys,

Hope everyone's been well. Been away from this community for quite a while and really looking to get back on the horse- guess that happens to all of us with life and work, right?

Anyway, as the title reads, I'm looking to find some affordable VPS servers and proxies. something that takes crypto would be nice but is not necessary for this use case.

For the proxies im sure the lists ive had previously are long dead.

Just looking for an idea of what most of you are using now or how you all are finding things now. Thanks!

So I accidentally typed the wrong website, just a different letter, and landed on a sketchy website which I closed immediately.

As far as I understand that unless it downloaded something and explicitly ran it then it shouldn't be able to run any code on my machine.

However, is it possible that it will somehow infect my browser (I'm using Brave, also my OS is Fedora if it matters) so that when I open a different website it can still listen to what I'm doing and get credentials I might enter there?

Why proxies don't work on windows? I am getting err_connection_reset error in my chrome and firefox browsers. I took proxy from free proxy list, ip:port socks4/socks5 without password. Checked the proxies for validity with a proxy checker. Selected only valid proxies. Checked with several checkers. And on all these proxies connection reset error in the browser, what is it connected with?

Hi,

I've trained in IT and cybersecurity and currently work in IT at a school. I'm always fascinated by how things work and how they're implemented. In my spare time, I often explore how systems can be used in unintended ways—ethically, of course.

Lately, I've been looking into RATs and how they can capture screenshots or recordings of a victim's device without detection. I'm curious about how this happens without triggering antivirus or alerting the user. My goal isn't to create or spread a RAT but to understand the mechanics behind it—both how it works and how it might be detected.

Asking for a friend that doesn't have reddit

Is there a console-based hex viewer like xxd that works well on streams?

The problem with xxd and most (all?) the other hex viewers is that when they're used in hex + ascii mode, they need a full line of data (usually 16 bytes) before they can produce any output. So if you're dumping a stream and the stream pauses, you will never see the last data that was received unless it paused at exactly a 16-byte boundary.

What I'm looking for is an hex viewer (probably ncurses-based) that would update both the hex section and the ascii section of its output as soon a new byte is read, even if that doesn't result in a full line of output.

Does HackForums is cooperating with feds?

HackForums is probably the oldest "hacking" forum still active on the clear web.

Curiously, all others forums gets raided over the years. Also, some members were targeted through FBI operations over the last decade and some said on the web later that HF owner (Jesse) had cooperated with law enforcement by releasing infos/proofs on suspected users.

From what I can see, IMHO, Hackforums are definitely cooperating with the feds. Since 2007 they could have been taken down many times for various reasons but surprisingly still open.

This guy, Jesse is an asshole tbh, he was happy yesterday when Cracked and Nulled got taken down.

According to FBI press release available here; https://www.justice.gov/opa/pr/cracked-and-nulled-marketplaces-disrupted-international-cyber-operation

Nulled administrator is facing up to 30 years behind the bars.

How will the new UPI ID rule impact digital transactions starting February 1, 2025?

I'm dealing with a really toxic ex-boss (think manipulative, unethical, the works). His company's security is a joke – seriously, one could probably write a script to own their network in an afternoon. The temptation to use my 'skills' is strong, but I know it's a bad idea.

Anyone else ever been in a similar situation?

How do you resist the urge to unleash your inner unethical hacker when dealing with situations like this?

I am disgruntled lol but now I sort of see that many disgruntled employees, might in fact, be driven to lashing out.

I am looking for socks5 proxy that does not require authentication

My browser does not support socks5 proxy with authentication so make sure reccomend me one that will work without authentication

Might get access to it later through a summer program. Anyone have any experience with the platform? Would like to know what it is/any other info on it, doesn't seem to pop up on google a lot.

https://arstechnica.com/security/2025/01/backdoor-infecting-vpns-used-magic-packets-for-stealth-and-security/

FBI announced today the seizure of these following sites; nulled.io cracked.io sellix.io and starkrdp.io

There was an ongoing operation called Operation Talent.

Stay safe fellas.

Hey,

I imported a encrypted pdf from an ebook reader, output of `pdfinfo` says it's not a pdf file, probably it's encrypted by private key? is there a way to unlock it?

Hey there people, I am currently into this pentestring field.. I have learned some basics requiring to understand it. solved labs Portswigger, try hack me and gained some foundation knowledge specially in IDOR, XXE, SQLI, C, SSRF etc.. And yeah by learning this I Also able to find this vulnerabilities. but in random sites not actually in any bbp or vdp.. well here my question starts

unlike in labs or while you learning in somewhere in Portswigger labs those labs are too basic.. I hardly find to use them in real world scenarios.. am currently self learning all of this. any free sources you recommend for advancing those skills? Currently I am focusing on advance IDOR. Focusing on this particular vulnerability..

I don’t fucking understand if portswigger is teaching us all the same stuff wouldn’t that Mean these vulnerabilities are dead

I am relatively new to cyber secuerity, i just passed sec plus in July but ive been messing arond and learning for about a full year now. Forgive any ignorance I just love this and am eager to learn

In my home lab I wanted to try and create a reverse tcp payload using venom for an older android tablet i had (A8). I created several payload using both shikata ga nai (interesting tid bit in japanese this means "it cant be helped" or "to endure what you cant control"), base64, nothing and tried a few other encoders, the name of which escapes me at the moment.

I created a msf reverse handler and served it from a python simple http server on my local network. All ports and listener set up was correct. The tablet had google AV turned off for this exercise. I downloaded each payload to the device and when i attempted to install, only the non encoded payload would install, im assuming because of bad characters. The non encoded payload was installed and my multihandler confirmed this fact however the shell never spawned no matter how many times i tried to launch the app.

My question is, given the amount of devices that use ARM architecture why is there no specific arm encoder?

Am i lacking knowledge and is one of, for example, the XOR encoders used for this purpose?

What are your theories? Do you think the device has some sort of embedded securirty that stopped the shell spawning or was it most likely bad characters?

Is the solution what i think it is which is just to pull a list or ARM arc bad characters and manually exclude them from the encoder?

Looking to hear from some of the wizards I've seen in this sub.

Thank you

Like why create a payloads in pfp exe dll and other formats? And how do I decide what format to use?

Just curious.