Episodes

  • Episode 122: We Won Google's AI Hacking Event in Tokyo - Main Takeaways
    2025/05/15

    Episode 122: In this episode of Critical Thinking - Bug Bounty Podcast your boys are MVH winners! First we’re joined by Zak to discuss the Google LHE, and he surprises us with a bug of his own! Then, we sit down with Lupin and Monke for a winners roundtable and retrospective of the event.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater and Rez0 on Twitter:

    https://x.com/Rhynorater

    https://x.com/rez0__

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Check out the CTBB Job Board: https://jobs.ctbb.show/

    Today’s Guests:

    Zak Bennett : https://www.linkedin.com/in/zak-bennett/

    Ciarán Cotter: https://x.com/monkehack

    Roni Carta: https://x.com/0xLupin

    ====== Resources ======

    We hacked Google’s A.I Gemini and leaked its source code

    https://www.landh.tech/blog/20250327-we-hacked-gemini-source-code

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:03:02) An RCE via memory corruption

    (00:07:45) Zak's role at Google and Google's AI LHE

    (00:15:25) Different Components of AI Vulnerabilities

    (00:24:58) MVH Winner Debrief

    (01:08:47) Technical Takeaways And Team Strategies

    (01:28:49) LHE Experience and Google VRP & Abuse VRP

    1 hr 46 min
  • Episode 121: Slonser’s Image Injection 0-day -> ATO & New Caido Collab Plugin
    2025/05/08

    Episode 121: In this episode of Critical Thinking - Bug Bounty Podcast we cover so much news and research that we ran out of room in the description...

    Follow us on X

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow Rhynorater and Rez0 on X:

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord!

    We also have hacker swag!

    ====== This Week in Bug Bounty ======

    Hacker spotlight: Rhynorater

    Ultra Mobile BB Program - Mobile Apps

    Ultra Mobile BB Program - (Public)

    John Deere Program

    JD's BB Program Boosts Cybersecurity

    Dojo #41 - Ruby treasure

    ====== Resources ======

    slonser 0-day in chrome

    CT Additional useful primitives

    How I made $64k from deleted files

    CTBB episode with Sharon Brizinov

    Rez0's Subdomain Link Launcher

    Qwen3 Local Model

    May Cause Pwnage

    import WAF bypass

    Caido Drop

    Andre's tweet about encoded word

    Nahamcon

    Gemini prompt leak

    SVG Onload Handlers

    57 min
  • Episode 120: SpaceRaccoon - From Day Zero to Zero Day
    2025/05/01

    Episode 120: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner welcomes Eugene to talk (aka fanboy) about his new book, 'From Day Zero to Zero Day.' We walk through what to expect in each chapter, including Binary Analysis, Source and Sink Discovery, and Fuzzing everything. Then we give listeners a special deal on the book.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater and Rez0 on Twitter:

    https://x.com/Rhynorater

    https://x.com/rez0__

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today’s Sponsor - ThreatLocker User Store

    https://www.criticalthinkingpodcast.io/tl-userstore

    Today’s guest: https://x.com/spaceraccoonsec

    ====== Resources ======

    Buy SpaceRaccoon's Book: From Day Zero to Zero Day

    https://nostarch.com/zero-day

    USE CODE 'ZERODAYDEAL' for 30% OFF

    Pwning Millions of Smart Weighing Machines with API and Hardware Hacking

    https://spaceraccoon.dev/pwning-millions-smart-weighing-machines-api-hardware-hacking/

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:04:58) From Day Zero to Zero Day

    (00:12:06) Mapping Code to Attack Surface

    (00:17:59) Day Zero and Taint Analysis

    (00:22:43) Automated Variant Analysis & Binary Taxonomy

    (00:31:35) Source and Sink Discovery

    (00:40:22) Hybrid Binary Analysis & Quick and Dirty Fuzzing

    (00:56:00) Coverage-Guided Fuzzing, Fuzzing Everything, & Beyond Day Zero

    (01:02:16) Bug bounty, Vuln research, & Governmental work

    (01:10:23) Source Code Review & Pwning Millions of Smart Weighing Machines

    1 hr 37 min
  • Episode 119: Abusing Iframes from a client-side hacker
    2025/04/17

    Episode 119: In this episode of Critical Thinking - Bug Bounty Podcast Justin does a mini deep dive into the world of iframes, starting with why they’re significant, their attributes, and how to attack them.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater and Rez0 on Twitter:

    https://x.com/Rhynorater

    https://x.com/rez0__

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    ====== Resources ======

    Episode with JR0ch17

    ctbb.show/61

    Exacerbating Cross-Site Scripting: The Iframe Sandwich

    https://coopergyoung.com/exacerbating-cross-site-scripting-the-iframe-sandwich/

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:01:20) Why are Iframes useful

    (00:05:11) Attributes of Iframes

    (00:21:39) Iframe Attacks

    (00:29:53) Iframe Fun Facts

    34 min
  • Episode 118: Hacking Happy Hour: 0days on Tap and SQLi Shots
    2025/04/10

    Episode 118: In this episode of Critical Thinking - Bug Bounty Podcast we cover a host of news, including clientside tidbits, “Credentialless” iframes, prototype pollution, and what constitutes a polyglot in llms.txt.

    Follow us on X

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow Rhynorater and Rez0 on X

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    You can also find some hacker swag!

    ====== Resources ======

    p4fg passed 1 Million!

    /reports/:id.json - $25K Crit

    Hacking Crypto pt1

    The art of payload obfuscation

    Analyzing the Next.js Middleware Bypass

    Nahamsec's Merch store

    llms.txt polyglot prompt injection

    React Router and the Remix’ed path

    Pre-Authentication SQL Injection in Halo ITSM

    Pwning Millions of Smart Weighing Machines

    MCP Server Oauth

    Cline

    “Credentialless” iframes

    Tiny XSS Payloads

    Types of Pollution

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:05:56) Next.js Middleware bypass & Polyglots in llms.txt

    (00:16:35) CPDoS on React Router

    (00:24:26) Loose Types Sink Ships & Pwning Smart Scales

    (00:32:30) MCP Server Oauth & Cline

    (00:39:40) Clientside Tidbits & Prototype Pollutions

    58 min
  • Hacking AI Series: Vulnus ex Machina - Part 1
    2025/04/03

    Episode 117: In this episode of Critical Thinking - Bug Bounty Podcast Joseph introduces Vulnus ex Machina: A 3-part mini-series on hacking AI applications. In this part, he lays the groundwork and focuses on AI reconnaissance.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater and Rez0 on Twitter:

    https://x.com/Rhynorater

    https://x.com/rez0__

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    ====== Resources ======

    Building Reliable Web Agents

    https://x.com/pk_iv/status/1904178892723941777

    17 security checks from VIBE to PRODUCTION

    https://x.com/Kaamiiaar/status/1902342578185630000

    How to Hack AI Agents and Applications

    https://josephthacker.com/hacking/2025/02/25/how-to-hack-ai-apps.html

    AI Crash Course Repo

    https://github.com/henrythe9th/ai-crash-course

    Deep Dive into LLMs like ChatGPT

    https://www.youtube.com/watch?v=7xTGNNLPyMI

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:01:54) AI News

    (00:08:09) How to Hack AI Agents and Applications

    (00:14:26) The Recon Process

    (00:25:06) Initial Probing & Steering

    32 min
  • Episode 116: Auth Bypasses and Google VRP Writeups
    2025/03/27

    Episode 116: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives a quick rundown of Portswigger’s SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit.

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to YTCracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater and Rez0 on Twitter:

    https://x.com/Rhynorater

    https://x.com/rez0__

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control

    ====== Resources ======

    SAML roulette: the hacker always wins

    https://portswigger.net/research/saml-roulette-the-hacker-always-wins

    Loophole of getting Google Form associated with Google Spreadsheet with no editor/owner access

    https://bughunters.google.com/reports/vrp/yBeFmSrJi

    Loophole to see the editors of a Google Document with no granted access(owner/editor) with just the fileid (can be obtained from publicly shared links with 0 access)

    https://bughunters.google.com/reports/vrp/7EhAw2hur

    Cloud Tools for Eclipse - Chaining misconfigured OAuth callback redirection with open redirect vulnerability to leak Google OAuth Tokens with full GCP Permissions

    https://bughunters.google.com/reports/vrp/F8GFYGv4g

    Next.js, cache, and chains: the stale elixir

    https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir

    Next.js and the corrupt middleware: the authorizing artifact

    https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:02:59) SAML roulette

    (00:13:08) Google bugs

    (00:20:16) Next.js and the corrupt middleware

    27 min
  • Episode 115: Mentee to Career Hacker - Mokusou (So Sakaguchi)
    2025/03/20

    Episode 115: In this episode of Critical Thinking - Bug Bounty Podcast Justin and So Sakaguchi sit down to walk through some recent bugs, before having a live mentorship session. They also talk about Reflector, and finish up by doing a bonus podcast segment in Japanese!

    Follow us on twitter at: https://x.com/ctbbpodcast

    Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

    Shoutout to https://x.com/realytcracker for the awesome intro music!

    ====== Links ======

    Follow your hosts Rhynorater and Rez0 on Twitter:

    https://x.com/Rhynorater

    https://x.com/rez0__

    ====== Ways to Support CTBBPodcast ======

    Hop on the CTBB Discord at https://ctbb.show/discord!

    We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

    You can also find some hacker swag at https://ctbb.show/merch!

    Today’s Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control

    Today’s Guest: https://x.com/Mokusou4

    ====== Resources ======

    So's last appearance in episode 40

    ctbb.show/40

    ====== Timestamps ======

    (00:00:00) Introduction

    (00:04:11) So's Facebook Bug

    (00:14:37) So and Justin's Google Bug

    (00:33:39) Live Mentorship Session

    (00:56:29) Reflector

    (01:13:22) Bonus - Podcast in Japanese

    1 hr 41 min