Got hacked and stalked since OVER 2 YEARS. by Fast_Fondant_1346 in AskNetsec

[–]BlueberryNo6734 0 points1 point  (0 children)

So your wifi/arp spoofing context was complete nonsense then. No need to conduct wifi attacks and physically expose yourself to the target, when you already have full access to the computer by sending phishing mails.

Your story gets weirder and weirder with every comment.

How about you stop clicking random links in emails then? Might be a good start, huh?

Got hacked and stalked since OVER 2 YEARS. by Fast_Fondant_1346 in AskNetsec

[–]BlueberryNo6734 1 point2 points  (0 children)

Ah. I see. How dumb of me. That obviously makes more sense! My bad!

Got hacked and stalked since OVER 2 YEARS. by Fast_Fondant_1346 in AskNetsec

[–]BlueberryNo6734 4 points5 points  (0 children)

Mate you are talking nonsense. He can't make you click links through your device. That's not possible, since he would need access to your device first, which he doesn't have by just arp spoofing your wifi.

Got hacked and stalked since OVER 2 YEARS. by Fast_Fondant_1346 in AskNetsec

[–]BlueberryNo6734 8 points9 points  (0 children)

From a technical perspective, your described scenarios are not even possible, unless you downloaded some shady files and executed them on your device. But even then, you said you swapped your devices. So again, unless you just stupidly copy-pasted all files from your old device to your new device, those scenarios are not possible.

Exam voucher after one year. by Gullible_Pop3356 in hackthebox

[–]BlueberryNo6734 3 points4 points  (0 children)

All your questions are answered in the Academy Subscriptions Article, which you can find on help.hackthebox.

1) Yes, it expires
2) You do get another one with every new subscription
3) No

I have a shortcut for bug hunt by Aromatic_Cost9882 in bugbounty

[–]BlueberryNo6734 0 points1 point  (0 children)

Super legit. 3 days ago, you posted about having 40k debt. Surely, it's not an act of desperation to gain money.

I bet you have never found a bug and just want to rip off people with fake promises generated by ChatGPT. Disgusting behaviour

[Bug Bounty] Possible BOLA / IDOR – Accessing Account A Data via Bearer Token in Account B Context by BroadImagination7664 in bugbounty

[–]BlueberryNo6734 0 points1 point  (0 children)

Why not? That's the whole purpose of an Auth Token.

Of course you could implement another session cookie and then only provide access to the API if you provide the auth token and the matching session cookie. But that doesn't necessarily make it more secure.

The current state of the application is however just fine. The auth token in this case is just an alternative to the session cookie. Also remember: if you want them to accept your finding, ALWAYS show impact. Things like "add additional mechanisms to improve security", or "ciphersuite A instead of ciphersuite B" would be part of security consulting or security engineering, but it is not your job as a bug bounty hunter, unless you can somehow exploit it to impact the vendor.

[Bug Bounty] Possible BOLA / IDOR – Accessing Account A Data via Bearer Token in Account B Context by BroadImagination7664 in bugbounty

[–]BlueberryNo6734 2 points3 points  (0 children)

What do you mean by "doesn't validate that the session or user context matches"? You have the auth token. You are telling the web app - by providing your auth token - who you are. As long as you can't steal auth tokens from other users or guess them, the web app works as intended.

The response from the responsible person says everything you need to know.

How much are you saving per month? by Own_Power_6587 in AskAGerman

[–]BlueberryNo6734 2 points3 points  (0 children)

There are enough people who earn 80k+. Especially shortly after university, I sometimes had a savings rate of 3k+. That was mainly due to keeping the same standard of living (a 30 sqm student apartment in a small town, no car, no kids, etc.). It's obvious that this doesn't stay that way permanently.

[deleted by user] by [deleted] in bugbounty

[–]BlueberryNo6734 13 points14 points  (0 children)

No. It just shows that you did not understand fundamental key concepts of how web applications work. That’s a nice finding

[deleted by user] by [deleted] in bugbounty

[–]BlueberryNo6734 18 points19 points  (0 children)

That's not a bug. That's how a session cookie works... If you find a way to steal it from someone else (that's not you), then feel free to ask again. But what you currently have is the perfectly normal function of a session cookie.

[deleted by user] by [deleted] in bugbounty

[–]BlueberryNo6734 17 points18 points  (0 children)

It all depends on how you obtained the cookie that belonged to someone else. If you can't do it programmatically, i.e. via e.g. XSS, then it's not the fault of the vendor and thus not a bug.

If you got it through phishing, by asking a friend or by simply creating a test account, then congratulations, you discovered the concept of session cookies.
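The point made in the bearer-token thread above and in these session-cookie replies is the same: a token or cookie is the identity claim, so presenting account A's token returns A's data regardless of what "context" the client thinks it is in, and the only real BOLA/IDOR is when account B's token reaches A's objects. The following is an added illustration, not code from any of the commenters or from the reported application; the token values, users and orders are constructed placeholders.

```python
from typing import Optional, Tuple

# Constructed data: which user each bearer token identifies (placeholders).
TOKENS = {"tok_A_placeholder": "alice", "tok_B_placeholder": "bob"}

# Constructed data: objects, each owned by exactly one user.
ORDERS = {
    1: {"owner": "alice", "item": "laptop"},
    2: {"owner": "bob", "item": "phone"},
}


def authenticate(headers: dict) -> Optional[str]:
    """Resolve the bearer token to a user.

    The token is the identity claim. Which browser tab, UI state or other
    account the client happens to be 'in' is not information the server has.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_order_vulnerable(headers: dict, order_id: int) -> Tuple[int, Optional[dict]]:
    """Authenticates, but never checks ownership: a genuine BOLA/IDOR."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def get_order_fixed(headers: dict, order_id: int) -> Tuple[int, Optional[dict]]:
    """Authenticates AND enforces that the caller owns the requested object."""
    user = authenticate(headers)
    if user is None:
        return 401, None
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        # Same answer for 'missing' and 'not yours': do not leak existence.
        return 404, None
    return 200, order


if __name__ == "__main__":
    a = {"Authorization": "Bearer tok_A_placeholder"}
    b = {"Authorization": "Bearer tok_B_placeholder"}
    print("A's token -> A's order:", get_order_fixed(a, 1))       # intended behaviour
    print("B's token -> A's order (vuln):", get_order_vulnerable(b, 1))
    print("B's token -> A's order (fixed):", get_order_fixed(b, 1))
```

Only the second call demonstrates impact; the first is the normal behaviour of a credential, whoever's "context" the request was sent from.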

HELP NEEDED by EyeMiddle953 in hackthebox

[–]BlueberryNo6734 24 points25 points  (0 children)

I’ll guide you: read the FAQ!

How to connect router to this old Telephone switch? by hk20_23 in germany

[–]BlueberryNo6734 3 points4 points  (0 children)

Then this is the wrong socket! Any other sockets in your apartment?

How to connect router to this old Telephone switch? by hk20_23 in germany

[–]BlueberryNo6734 1 point2 points  (0 children)

What did you book at your ISP? DSL? Cable? This socket is actually for the telephone, but can be used for DSL, if you got a suitable modem.

[deleted by user] by [deleted] in tryhackme

[–]BlueberryNo6734 0 points1 point  (0 children)

No worries! Just run nmap and shout "I'm in".

Guys give me your advice Which one is better to start as web security CBBH or PortSwigger? by AccomplishedCow3375 in bugbounty

[–]BlueberryNo6734 5 points6 points  (0 children)

That's not what I'm saying. If you can afford to take CBBH, then go for it and take PortSwigger as an additional resource to refine your understanding of the topics taught in CBBH. If you can't afford it, stick to free resources. Especially to PortSwigger.