Hey Hunter's,
DarkShadow is here back again!
RCE in tcp connection (rocketMQ protocol)
You guys are always hunt vulnerabilities in HTTP/HTTPS connections right?
Try different:
1. Find your target in scope all ip address
2. Enumerate all service
3. Grep all ip address which are using any tcp connection service's.
4. Note all ip, ports and service versions.
5. Start to read the service official documentation that how it's works.
6. Use tool ncat, socat or python script for sending request to testing.
Now come back to the POC:
1. Make a .bin file where save the payload.
2. Use ncat to send the request.
3. In burp collaborator the user-agent is curl means clear blind RCE.
#bugbountytips #rce
DarkShadow is here back again!
RCE in tcp connection (rocketMQ protocol)
You guys are always hunt vulnerabilities in HTTP/HTTPS connections right?
Try different:
1. Find your target in scope all ip address
2. Enumerate all service
3. Grep all ip address which are using any tcp connection service's.
4. Note all ip, ports and service versions.
5. Start to read the service official documentation that how it's works.
6. Use tool ncat, socat or python script for sending request to testing.
Now come back to the POC:
1. Make a .bin file where save the payload.
2. Use ncat to send the request.
3. In burp collaborator the user-agent is curl means clear blind RCE.
Guy's make 300 reaction in this post then I'll made my next post that how you find bugs in tcp connection more deeply.
#bugbountytips #rce
❤20👍3
⚡️ExecSentry — Arbitrary Binary Execution Vulnerability Scanner.
🔆https://github.com/errorfiathck/execsentry
🔆https://github.com/errorfiathck/execsentry
GitHub
GitHub - errorfiathck/execsentry: ExecSentry — Arbitrary Binary Execution Vulnerability Scanner
ExecSentry — Arbitrary Binary Execution Vulnerability Scanner - errorfiathck/execsentry
❤6
A fresh Web Pentesting batch with a Bug Bounty approach is starting January Mid 2026.
📱 If you're interested DM on whatsapp- wa.link/brutsecurity
📱 If you're interested DM on whatsapp- wa.link/brutsecurity
WhatsApp.com
Brut Security
Business Account
❤2😁1
H 01001000
a 01100001
p 01110000
p 01110000
y 01111001
N 01001110
e 01100101
w 01110111
Y 01011001
e 01100101
a 01100001
r 01110010
a 01100001
p 01110000
p 01110000
y 01111001
N 01001110
e 01100101
w 01110111
Y 01011001
e 01100101
a 01100001
r 01110010
10❤22🔥3👍1
Hey Hunter's,
DarkShadow is here back again!
I’m really curious to hear how you all generate revenue in this field. Whether you're earning through bug bounties, consulting, or other methods, I’d love to hear about your experiences.
Feel free to drop a comment and share your journey! Let’s learn from each other.
Drop your comments in this group: @brutsec
#discussion
DarkShadow is here back again!
I’m really curious to hear how you all generate revenue in this field. Whether you're earning through bug bounties, consulting, or other methods, I’d love to hear about your experiences.
Feel free to drop a comment and share your journey! Let’s learn from each other.
Drop your comments in this group: @brutsec
#discussion
❤8👍2
🚨 HackWithIndia 2026 🚨
🇮🇳 India’s Biggest LIVE Web Hacking Event
📅 17 January 2026 | 🌐 Online
💯 FREE ENTRY | Legal | Authorized
Here’s the thing: this is not theory, not CTF guesswork.
You get real web targets, real vulnerabilities, and live scoring.
🔥 Why you should care
• Live web app hacking
• Real-world vulnerabilities
• Compete with 10,000+ hackers
• Network with top security folks
• Certificate for all participants
🏆 Prizes worth ₹17L+
🥇 OSCP Voucher ($1749)
🥈 CEH Voucher
🥉 ASCP, CRTP, CASA, ACP vouchers
🎽 Exclusive hoodies for Top 10
🎁 VIP access, credits & more till Top 100+
📌 Who can join?
Students | Bug bounty hunters | Pentesters | Devs | Security researchers
No fees. No tricks. Just skills.
👉 Register FREE now:
🌐 https://hackwithindia.com/
If you’re serious about web hacking in 2026, you shouldn’t miss this.
🇮🇳 India’s Biggest LIVE Web Hacking Event
📅 17 January 2026 | 🌐 Online
💯 FREE ENTRY | Legal | Authorized
Here’s the thing: this is not theory, not CTF guesswork.
You get real web targets, real vulnerabilities, and live scoring.
🔥 Why you should care
• Live web app hacking
• Real-world vulnerabilities
• Compete with 10,000+ hackers
• Network with top security folks
• Certificate for all participants
🏆 Prizes worth ₹17L+
🥇 OSCP Voucher ($1749)
🥈 CEH Voucher
🥉 ASCP, CRTP, CASA, ACP vouchers
🎽 Exclusive hoodies for Top 10
🎁 VIP access, credits & more till Top 100+
📌 Who can join?
Students | Bug bounty hunters | Pentesters | Devs | Security researchers
No fees. No tricks. Just skills.
👉 Register FREE now:
🌐 https://hackwithindia.com/
If you’re serious about web hacking in 2026, you shouldn’t miss this.
❤9
Forwarded from Bug Bounty POC's
Please open Telegram to view this post
VIEW IN TELEGRAM
❤14
CVE-2026-21858 + CVE-2025-68613: n8n Ni8mare - Full Chain Exploit
Unauthenticated to Root RCE:
- LFI via Content-Type confusion
- Read /proc/self/environ to find HOME
- Steal encryption key + database
- Forge admin JWT token
- Expression injection sandbox bypass
- RCE as root
CVSS 10.0
https://github.com/Chocapikk/CVE-2026-21858
Unauthenticated to Root RCE:
- LFI via Content-Type confusion
- Read /proc/self/environ to find HOME
- Steal encryption key + database
- Forge admin JWT token
- Expression injection sandbox bypass
- RCE as root
CVSS 10.0
https://github.com/Chocapikk/CVE-2026-21858
🔥9👍2
Hello everyone, DarkShadow is back.
I want to clarify one important thing:
Quality or Quantity?
In my opinion, quality always matters more than quantity.
I focus on sharing content that actually matters, even if it takes time.
Your understanding and support are always appreciated.❤️
I want to clarify one important thing:
Quality or Quantity?
In my opinion, quality always matters more than quantity.
I focus on sharing content that actually matters, even if it takes time.
Your understanding and support are always appreciated.❤️
❤11🗿6
Guy's check out my new post on our BugBounty POC channel 👇🏼
Bug: passive vertical privilege escalation
Severity: 9.8 (critical)
https://t.iss.one/brutsecurity_poc/220
Bug: passive vertical privilege escalation
Severity: 9.8 (critical)
https://t.iss.one/brutsecurity_poc/220
❤10
Please open Telegram to view this post
VIEW IN TELEGRAM
👍5❤1🔥1
Hey Hunter's,
Do you guys want to learn about how "Google Authenticator" actually works? And how we can bypass it...
If you guys are interested I'll share a detail write-up about the work flow and the bypass method of Google Authenticator 2FA.
Share Your opinion here @brutsec
~DarkShadow
Do you guys want to learn about how "Google Authenticator" actually works? And how we can bypass it...
If you guys are interested I'll share a detail write-up about the work flow and the bypass method of Google Authenticator 2FA.
Share Your opinion here @brutsec
~DarkShadow
👍35🔥12🗿7
🚨 Brut Security | Feb 2026 – Enrollments Open 🚨
Ready to step into cybersecurity the right way?
🔥 Courses Available
• Ethical Hacking
• Web Penetration Testing
• Bug Bounty Hunting
• SOC / SIEM (Blue Team)
💻 Live training + practical labs
🧠 Real-world attack & defense mindset
🎯 Limited seats only
📅 Batch Starts: February 2026
If you’re serious about skills, not certificates — this is for you.
📩 DM Brut Security to enroll
Ready to step into cybersecurity the right way?
🔥 Courses Available
• Ethical Hacking
• Web Penetration Testing
• Bug Bounty Hunting
• SOC / SIEM (Blue Team)
💻 Live training + practical labs
🧠 Real-world attack & defense mindset
🎯 Limited seats only
📅 Batch Starts: February 2026
If you’re serious about skills, not certificates — this is for you.
📩 DM Brut Security to enroll
WhatsApp.com
Brut Security
Business Account
Brut Security pinned «🚨 Brut Security | Feb 2026 – Enrollments Open 🚨 Ready to step into cybersecurity the right way? 🔥 Courses Available • Ethical Hacking • Web Penetration Testing • Bug Bounty Hunting • SOC / SIEM (Blue Team) 💻 Live training + practical labs 🧠 Real-world attack…»
Argus: A Python-based toolkit for Information Gathering & Reconnaissance #OSINT
GitHub: github.com/jasonxtn/Argus
GitHub: github.com/jasonxtn/Argus
❤5👍1
This media is not supported in your browser
VIEW IN TELEGRAM
🚨 CVE-2026-22794: Critical Appsmith Flaw Allows Account Takeover.
🔥PoC -https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv
🔥PoC -https://github.com/appsmithorg/appsmith/security/advisories/GHSA-7hf5-mc28-xmcv
❤3
Hey Hunter's,
DarkShadow is here back again!
hunting backup is a underestimate vulnerability which missed by many bug bounty hunters.
Find API endpoints via reading js or api documentation (if available). Then play with various request methods (e g. GET, POST)
also you might use my this provided simple and effective Wordlist:
Guys I'll soon upload a detailed write-up about "Google Authenticator" workflow fundamentals and chain reaction for bypass it. Until show your love ❤️
#bugbountytips #missconfig
DarkShadow is here back again!
hunting backup is a underestimate vulnerability which missed by many bug bounty hunters.
Find API endpoints via reading js or api documentation (if available). Then play with various request methods (e g. GET, POST)
also you might use my this provided simple and effective Wordlist:
/api/v1/backup/create
/api/v1/backup/export
/api/v1/backup/download/{id}
/api/v1/backup/restore
/api/v1/backup/schedule
/api/v1/backup/config
/api/setup/backup
/api/admin/system/backup/run
/api/manage/backup/snapshot
/api/settings/maintenance/backup
/api/system/export-data
/api/db/backup/start
/api/db/dump
/api/v1/database/snapshot
/api/v1/sql/backup
/api/v1/storage/archive
/api/v1/sync/backup
/api/v1/volumes/{id}/snapshot
/api/v1/backups/checkpoints
Guys I'll soon upload a detailed write-up about "Google Authenticator" workflow fundamentals and chain reaction for bypass it. Until show your love ❤️
#bugbountytips #missconfig
🔥6👍2