- MonkeHacks
- Posts
- MonkeHacks #10
MonkeHacks #10
The Primate Pack, Full Time Bug Bounty, and 100 Hour Challenge Updates
Monke
April 23, 2024
MonkeHacks #10
I spent the past week in a place called Shikotsu Lake. I stayed in a hot spring hotel in the mountains of Hokkaido in northern Japan. The lake is absolutely idyllic. I spent my week eating fresh grilled trout, and having coffee in this small log cabin cafe called Log Bear, run by an old guy wearing a funny hat. So I was doing my security work from that place for most of the week. The view from the lake was spectacular.
I’m also happy to announce that I’m moving to full-time bug bounty! At least, to try it out. This will hopefully translate to more newsletter content as well. Lake Shikotsu was the perfect place for me to think about things and make this decision.
Sorry for the thin issue this week - I had a lot on my plate. Next week, I’ll try to make up for it.
A photo I took of Shikotsu Lake a few days ago.
100-Hour Challenge Updates
Here are this week’s statistics:
⌛️ Hours This Week | 10 |
⏳️ Hours Left | 49 |
🗞️ Total Reports (All-Time) | 2 |
✅ Total Triages (All-Time) | 2 |
✨ New Triages (This Week) | 0 |
💸 Bounties | $13550 |
At the moment, I am working on my third finding with Rhynorater. I found the lead in about two hours, and spent the other 8 hours trying to escalate it. It’s really frustrating because I know that there’s a path forward here that I’m missing. This marks the halfway point of this challenge.
Weekly Ideas / Notes
The debate on VDPs and BBPs continues. Nagli posted an excellent tweet outlining the various problems with VDPs at the moment. The best solution is probably to implement a rolling change and remove reputation points for VDP programs as the program contracts expire in the next few years.
I released The Primate Pack - this is where I’ll be releasing any future plugins for Caido. Since it’s installed using bebiks’ EvenBetterExtensions system, it should be updated automatically. Caido Pets is included in The Primate Pack.
I accidentally deleted the Caido Nerd Sniper script. It’s pretty easy to reconstruct, so I’m going to take this as an opportunity to integrate it with The Primate Pack. Sorry!
Ariel is running the Bug Bounty Village at Defcon this year. This is going to be really, really cool. I’ll probably be at Defcon this year, so reach out to me if you want to meet up!
The HackerOne Ambassador World Cup teams are being assembled right now. Reach out to your local ambassador and see if they have spots left on their teams - if you’re in the Netherlands, reach out to Jupiter.
Resources
Game-related Bugs - my friend Hacktus outlines some bugs in game APIs.
Bypassing AWS WAF - nice post from the team over at Sysdig.