- MonkeHacks
- Posts
- MonkeHacks #07
MonkeHacks #07
Monke
April 01, 2024
MonkeHacks #07
I am currently in Seoul, South Korea. On Friday I visited the Korean Demilitarised Zone, which was a surreal experience. I visited the Dora Observatory, where there are high-power binoculars that you can use to see the North Korean people in distant villages. South Korea is an awesome country and I highly recommend visiting it. On Wednesday I’ll be flying to Tokyo for the next phase of my travels. Mokusou is the Tokyo Ambassador on HackerOne, so reach out to him if you’re based in Japan.
In hacking news, I’ve had a relatively unproductive week, just like the mighty Zseano, so it’s a short issue this week. I used too much brainpower trying to navigate Korea for the first time. Japan should be easier since I can speak Japanese and I know how Japan works, having spent a large portion of my childhood summers there.
100-Hour Challenge Updates
Here are this week’s statistics:
⌛️ Hours This Week | 0 |
⏳️ Hours Left | 63 |
🗞️ Total Reports (All-Time) | 2 |
✅ Total Triages (All-Time) | 2 |
✨ New Triages (This Week) | 0 |
💸 Bounties | $13550 |
After further back-and-forth discussion with the program, they awarded another $5k. However, the CVSS assessment is still not correct (and this isn’t just me being picky - it’s an incorrect assessment of the Privileges Required metric, an age-old problem), so I’m still discussing this with the program. I’ll resume hacking on this program once this report is resolved satisfactorily. This 100-hour challenge has already far exceeded my expectations.
Weekly Ideas / Notes
Not many ideas this week (brain slow), so instead I’ll share a few stories.
I once found a bug… by doing nothing! You might be wondering how the hell that happens. Well, HackerOne had just launched a new program, a VDP. This was when I was just starting my bug bounty career, so I gave the program a poke (don’t do this! Don’t hack on VDPs!). I logged into the demo environment and started clicking buttons. All was well until I noticed that my username was different to the one I had set. What the hell? I had no idea what happened, but I was in another user’s account. So, doing what anyone would do, I submitted a report. The team accepted my report (it was a really bad report. How did they accept it? I don’t know) and provided me with an explanation. They had misconfigured their Varnish cache, and the caching system had cached the entire page of another user’s session and served it to me. Wow. Sometimes, the bugs come to you.
This is about the most expensive night of sleep of my life. I think anyone who’s been in the bug bounty scene before December 2021 will remember the Log4j bug bounty frenzy. When Log4j dropped, all hell broke loose. I was incredibly lucky, and incredibly stupid. I saw the original Log4j post about 4-5 hours after it was released. Unfortunately, I was an idiot and I went to sleep that night instead of spamming the payload everywhere and reporting vulnerabilities. I was only a year into my bug bounty journey and I simply did not see the opportunity for what it was. I think I missed out on five figures in bounties from going to sleep that night. Somehow, I managed to report one vulnerability and was awarded $2k for it, but that was very very lucky. Since that day, I’ve taken every zero-day that drops a hell of a lot more seriously. You live and you learn.
The post-live-hacking-event high is real. I’ve had a lot of success hacking directly after live hacking events. The reason for this is that, when you attend a live hacking event, you’re exposed to the methodologies and mindsets of dozens of other hackers. You see show-and-tell presentations of incredible vulnerabilities from amazing hackers. As a result, you leave the event with a ton of motivation and new ideas. Due to this, I’ve never lost money from attending a live hacking event. Even in cases where I’ve had to pay for my stay in expensive hotels to attend, I’ve always made that money back from hacking during the event or after it. Now, don’t get the wrong impression. Show-and-tell bugs don’t contain “secret tricks” or anything. They're just incredibly creative and inspirational findings. This inspirational feeling carries over into your hacking. Now, my self-assessment for a cool bug is “Would this finding be worthy of a show-and-tell presentation at a live hacking event?”.
Resources
Hello Lucee! Let us hack Apple again? - RCE in Apple’s production servers built on Adobe Coldfusion.
Caido Plugin Starter Kit - if you want to leave your mark in the Caido ecosystem, this is your starting point.