MonkeHacks #06

This week, I graduated from university, which thankfully went smoothly. I helped to staff Zero Days CTF in Croke Park, Dublin, run by Zero Days, the main CTF organisation in Ireland and the people who send the Irish team for the European Cybersecurity Challenge. I went bowling with my friends in Cork on Sunday and found a HTML injection in the player name.

Tomorrow I’m flying to Seoul to do some travel. I’m looking forward to visiting Korea - I have a tour booked that will take me to the Korean Demilitarized Zone (DMZ), all the way to the viewing point that looks into North Korea!

100-Hour Challenge Updates

Here are this week’s statistics:

Finally, after 16 days, the report was reviewed by HackerOne’s triagers and validated and rewarded. Reaching this point was a very frustrating experience. The vulnerability was, in my opinion, hugely underpaid - I believe that it was a high-end High issue if not a Critical finding at minimum, so I am currently disputing this respectfully with the team. Amount aside, it marks a significant milestone in my 100-hour challenge. I’m taking another brief break from hacking on this target as it is emotionally draining to deal with this situation.

All of my hacking for this challenge has been done with Caido, with no plugins except EvenBetter for UI customisation. I do not use recon tools anymore and my process is entirely manual. I do not run automation, although I have been working on code for an automation system for quite a while now.

Weekly Ideas / Notes 

• I created three CTF challenges and helped to staff Zero Days CTF in Dublin.

  • The first challenge was a case of reverse-engineering hardcoded client-side encryption and Javascript obfuscation. This is something I see occasionally in the wild and I’ve witnessed some hackers get very hefty bounties from it. It’s a very useful skill to have. I left a prompt injection in the challenge comments to disrupt people who tried to use ChatGPT to solve it.

  • The second challenge abused OpenAI’s sanitisation of Invisible Prompt Injection to hide the flag inside unicode tag characters. This resulted in a challenge where the flag was in plain sight, but trying to use AI to solve it would be useless because OpenAI themselves would strip the Unicode tags from the input for security reasons.

• I rarely use tools, but when I do, these are the ones I use.

  • Historical URL discovery using gau or waymore.

  • Google dorking for pages that are visited often.

  • Burpsuite only for HTTP attacks like the single-packet attack or request smuggling, or for testing websockets.

  • Caido as my main proxy.

  • Subfinder for subdomain discovery.

  • Cookiemonster for quickly testing JWTs.

• You can use the Wifi Settings on MacOS to proxy HTTP traffic from desktop applications.

• The best advice I’ve acted on this year is: hack the areas that the companies value the most, and hack the areas where lower severity bugs are unlikely to occur. This, to me, means testing features such as authentication or server-side interaction more. The end result of this has been less bugs but better bounties and cooler findings.

Resources 

• Making desync attacks easy with TRACE - Portswigger Labs

• Caido releases Findings - you can now raise alerts when certain conditions are met in requests, which is effectively a custom passive scanner.