Rayton Li, Linux security expert who demos sudo misconfigurations and quick root tricks. David Smith, Windows specialist showing Alternate Data Streams for hiding executables. Jacob Meyer, researcher revealing LNK shortcut hijacks and LinkItUp. Kenneth Walker, red team operator abusing Steam profiles as C2. Alex Benton, practitioner demonstrating the Sticky Keys rename exploit and defenses.
36:49
forum Ask episode
web_stories AI Snips
view_agenda Chapters
auto_awesome Transcript
info_circle Episode notes
volunteer_activism ADVICE
Use Recovery Mode To Replace Sticky Keys For Admin Shell
Replace system accessibility executables with safe backups to regain access when locked out.
Alex Benton demonstrated renaming utilman.exe (Sticky Keys) and replacing it with cmd.exe in WinRE to spawn an admin shell without a password.
insights INSIGHT
Hiding C2 Traffic In Legitimate Steam Profiles
Public platforms can act as resilient, innocuous C2 channels that blend into normal traffic.
Kenneth Walker showed a PowerShell agent polling a Steam profile for commands and returning output to a Netcat listener for persistent control.
insights INSIGHT
Shortcut Files Can Hide A Different Hidden Target
LNK files separate visible target text from embedded execution metadata, enabling stealthy backdoors.
Jacob Meyer used LinkItUp to edit LNK binary fields so the shortcut shows Firefox while actually launching a PowerShell reverse shell.
Get the Snipd Podcast app to discover more snips from this episode
Big thank you to ThreatLocker for sponsoring my trip to ZTW26 and also for sponsoring this video. To start your free trial with ThreatLocker please use the following link: https://www.threatlocker.com/davidbombal
Forget hot glue and paper clips. Here are 7 REAL 5-minute cybersecurity hacks everyone should know in 2026. Recorded live at Zero Trust World (ZTW26), David Bombal and a team of hackers demonstrate actual cyber attacks and how quickly your systems can be compromised.
From forcing AI prompt injections to steal credentials, to hiding C2 servers
in plain sight on a Steam profile, these are the real-world exploits threat actors are using right now. We're diving into the technical weeds to show you Windows LNK shortcut hijacking, Linux privilege escalation via sudo misconfigurations, and how to protect yourself from these exact attacks.
// Guests’ SOCIAL //
Alex Benton: Rename StickyKeys / alex-benton-b805065
Kenneth Walker: Everthing is a C2 / kenneth-walker-527595109
Jacob Meyer: Shortcut Hijack / jacob-meyer-165b8359
David Smith: Alternate Data Streams / david-smith-sudo-wrestler
Karla Abarca: The validity of an application before execution / karlaabarcacyber
Ramsey Shaban: Prompt Injection / ramsey-shaban-390335205
Tillman Hall Powershell Fake Logon / tillmanhall
Rayton Li: Rooting Around Linux: Privilege Escalations / rayton-li
Kieran Human: Network Hash Stealing / kieran-human-5495ab170
// ThreatLocker’s SOCIAL //
LinkedIn: https://www.linkedin.com/company/thre...
X: https://x.com/threatlocker
Instagram: / threatlocker
Website: https://www.threatlocker.com/
// David's SOCIAL //
Discord: discord.com/invite/usKSyzb
Twitter: www.twitter.com/davidbombal
Instagram: www.instagram.com/davidbombal
LinkedIn: www.linkedin.com/in/davidbombal
Facebook: www.facebook.com/davidbombal.co
TikTok: tiktok.com/@davidbombal
YouTube: / @davidbombal
Spotify: open.spotify.com/show/3f6k6gE...
SoundCloud: / davidbombal
Apple Podcast: podcasts.apple.com/us/podcast...
// MY STUFF //
https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// MENU //
0:00 - Coming Up
0:59 - Intro
01:20 - ThreatLocker Sponsor
01:36 - Demo 1: Sticky Keys
04:20 - Demo 2: Steam-Based C2 Attack
09:25 - Demo 3: Shortcut Hijacking
13:32 - Demo 4: Hidden Malware in Alternate Data Streams
20:18 - Demo 5: Safe App Validation (3-Step Check)
24:39 - AI Prompt Injection Attack
28:45 - Demo 6: Linux Privilege Escalation (Sudo Abuse)
34:10 - Demo 7: Credential Theft & Hash Cracking
36:38 - Conclusion
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#5minutehacks #hacking #redteaming
David Bombal