MonkeHacks #09
I’m currently in Sapporo, Japan. Life is nice and slow, and I can finally take a break… which means, of course, that instead of taking a break, I’ve been working on more projects. On the bug bounty side, I had 1 duplicate and 1 High triaged from my two bugs last week. Considering the low time investment, I’m really happy with that result. I spent my past week in Sendai, Japan, where my grandmother lives.
100-Hour Challenge Updates
Here are this week’s statistics:
⌛️ Hours This Week | 1 |
⏳️ Hours Left | 59 |
🗞️ Total Reports (All-Time) | 2 |
✅ Total Triages (All-Time) | 2 |
✨ New Triages (This Week) | 0 |
💸 Bounties | $13550 |
I spent a lot of time writing code and working this week, so I didn’t get much hacking done.
Weekly Ideas / Notes
This week, I wrote several extensions for Caido. Personally, I love customising my workspaces. It makes my work a hell of a lot more fun. Expect more plugins soon! I’ll be packaging my plugins into one big plugin, but I have yet to decide on a name for it. I’ll release the big plugin sometime in the next week or two, once the mighty Bebiks releases his next version of EvenBetter with a plugin manager.
I wrote Caido Pets and a settings UI for my suite of plugins.
I wrote a convert workflow called Caido Nerd Sniper to send HTTP requests directly to your friends via Discord webhooks! I’ll add some configuration options for this within my UI tab, and release this alongside Caido Pets.
I have some more plugins in the works, but I’ll discuss those at a later date.
If you haven’t used Raycast before, I’d recommend it. Securibee wrote a custom extension for it to navigate to bug bounty programs quickly. I have hotkeys configured for opening Caido and opening ChatGPT.
I was invited to Airchat and secured the usernames “monke” and “cybersecurity”.
Inspired by a conversation I had with Roll4Combat: what does it mean to “learn” something in bug bounty?
In my opinion, you need to follow the principle of Richard Feynman to “learn” in bug bounty. Do you understand the true concept of what you’re learning? Could you teach it to someone else? Without this level of understanding about a topic, you won’t be able to use it as a gadget in bug bounty.
People often ask, “how do the manual guys at the top find the really cool stuff?” and the answer is, they have such a fantastic intuitive and conceptual understanding of so many topics, that they can construct gadgets out of anything. If you can’t explain it to someone, you definitely won’t be able to use it in a chain while you’re hacking.
Studies show that boredom is beneficial for creativity. By developing this conceptual grasp of advanced topics, you can effectively “hack things while you’re away from your computer” to a much more flexible extent. Go for a walk, but don’t wear headphones. Let your brain wander. Let the ideas come to you.
Take that a step further. Identify how you learn best, be it through audio or visuals. Learn with intention. It helps to identify the best places that aggregate knowledge - Hive Five, Critical Thinking and custom Twitter Lists can really help to filter out the noise. Both of the linked resources provide information in multiple mediums to suit your learning requirements.
Resources
BatBadBut - another absolutely insane piece of security research from Ryotak. This time, it affects many programming languages.
Hacking Google AI for $50,000 - Lupin hacked Google with rez0 and Rhynorater.
New Caido Workflows from Ryotak.