MonkeHacks #25

RTLO Characters, The Sheep, and Challenge Completion


I have about 3 days worth of research to chat about, but fortunately I am a workaholic.

I had a busy few days. I found a cool CSTI and escalated it with another interesting client-side chain. I also spent an hour or two hanging out with my old friend Bludger, who was in the Edinburgh area by chance. I found an amazing bookshop in Edinburgh - a dozen rooms of quaint shelves of books with those old bookshop ladders in the picture below, with complimentary tea and coffee for people browsing books.

I bought a potted plant for my home, and I discovered that the nearby cinema was screening My Neighbour Totoro so I put aside some time to go and see that - I loved that film as a kid, and seeing it on the big screen with reclining seats was very, very cool.

The amazing bookshop.

100-Hour Challenge Updates

Here are this week’s statistics:

  • ⌛️ Hours This Week: 6

  • ⏳️ Hours Left: 0

  • 🗞️ Total Reports (All-Time): 3

  • ✅ Total Triages (All-Time): 3

  • ✨ New Triages (This Week): 0

  • 💸 Bounties: $25533

Well, the challenge concludes with 3 findings and over $25,000 in bounties. I need to spend some time writing about the 3 findings, and getting permission from the correct people. You’ve probably guessed this by now, but the target was Grammarly! It was a very difficult target but the tally is: 1 High, 1 Medium, and 1 Low. The High and the Low were quite technically interesting.

I’ll definitely consider taking on another challenge of some kind to keep this section of the newsletter consistent.

Weekly Ideas / Notes 

  • After a chat with an1msh, I revived an old prank I did on LinkedIn to catch bot recruiters. How it works is as follows:

    • I wrote my full name backwards (surname where my first name should be, and vice versa).

    • Then, I strategically added RTLO characters to make my name look normal to humans. RTLO (U+202E, RIGHT-TO-LEFT OVERRIDE) is a Unicode bidirectional control character that forces the text after it to render right-to-left; it exists to support right-to-left scripts such as Arabic, and it is invisible in the rendered output.

    • The end result is that my name looks completely normal to humans, but bots will message me with my last name first! Not only that, but anyone who views a notification with my name in it will see the notification all jumbled and written backwards. Hehehe. At this point I go ahead and like a bunch of posts, and watch the chaos unfold.

  • XBow has seemingly reached a point of rivalling human pentesters. Start worrying, hehehe. I predict that this will have a similar effect to what happened to coding. Junior positions are slowly moving towards becoming obsolete. If this is widely applicable, then junior pentesting is on its last legs.

  • I found a really fun CSTI in AngularJS, with some interesting chaining required to escalate it to ATO. More on this once it’s fixed! Tip: if you ever encounter a problem with absolute redirects in a CSTI due to some kind of AngularJS sandbox limitation, you can bypass it by constructing the destination URL manually like 'https:/' + '/example.com'.

  • While I’m not attending H1-702… I saw that my acquaintance f6x was inducted into the H1-Elite! There’s a fun story behind the sheep - we’re about to dive into some bug bounty lore.

    • Some of you may remember that I took part in H1-702 in 2022. It was my first HackerOne Live Hacking Event. I’d gotten to know f6x on the event’s Slack channel at some point, and we were chatting.

    • He explained to me that he was unable to attend the event in-person - so, on my way to Las Vegas, I paid a visit to the duty-free shopping area of Cork Airport to buy a sheep plush, to represent f6x at H1-702. Once I arrived in Las Vegas, I slapped a HackerOne sticker on it.

    • A bunch of hackers ended up taking photos with this sheep! Eric, a.k.a todayisnew, rez0, and more - I have the photos, of course, but I won’t post them here without their permission. However, here’s a picture of just the sheep from this event:

      The sheep at H1-702 in 2022!

    • At some point, f6x made this sheep his profile picture on HackerOne - and he even rose to 1st place at one point in the event, and that sheep’s face was vacantly staring down at us from the top of the leaderboard.

    • Towards the end of the event, he won one of the awards, and the sheep graciously went up on stage to receive the award on his behalf.

    • I met f6x at another LHE after that, and was able to give him the sheep - the sheep is now hopefully in its rightful home in Brazil.

    • And now - to conclude this story - this sheep has made it into the H1-Elite poster! And that, my friends, is the backstory of the f6x sheep. There’s more lore to this story that I can’t share due to confidentiality agreements, unrelated to H1-702.

      The iconic sheep on f6x’s awesome H1-Elite poster.
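The RTLO prank above works because bidirectional control characters are invisible once rendered, so a human sees a normal name while software and notifications see the raw reversed string. As an added example (not code from the newsletter), here is the kind of check a platform that displays user-supplied names could run to flag, strip, or log such characters. It covers all of the Unicode bidi controls rather than only RTLO, plus a broader check for any invisible format character; the sample names are constructed for this example.

```python
"""Detect Unicode bidirectional control characters hidden in user-supplied text.

Added example for this newsletter; the sample names below are constructed.
"""
import unicodedata

# Unicode bidirectional control characters (general category "Cf") that can
# reorder or override how the surrounding text is rendered.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",  # the "RTLO" character from the prank
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}


def find_bidi_controls(text):
    """Return (index, code point, name) for every bidi control character in text."""
    return [
        (i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch])
        for i, ch in enumerate(text)
        if ch in BIDI_CONTROLS
    ]


def has_format_chars(text):
    """Broader check: True if text contains any invisible format character (Cf),
    which also catches zero-width characters that are not bidi controls."""
    return any(unicodedata.category(ch) == "Cf" for ch in text)


def strip_bidi_controls(text):
    """Remove bidi controls so the stored value matches what a human would read."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def escape_for_log(text):
    """Make hidden controls visible, e.g. for an audit log or a moderation ticket,
    so an analyst sees the control instead of a reordered string."""
    return "".join(
        f"<{BIDI_CONTROLS[ch].replace(' ', '_')}>" if ch in BIDI_CONTROLS else ch
        for ch in text
    )


def check_display_name(name):
    """Summarise what a name-validation hook would act on."""
    findings = find_bidi_controls(name)
    return {
        "ok": not findings and not has_format_chars(name),
        "findings": findings,
        "sanitized": strip_bidi_controls(name),
        "logged_as": escape_for_log(name),
    }


if __name__ == "__main__":
    # Constructed sample: a normal-looking name with an RTLO inserted after the first name.
    for sample in ("Jane Doe", "John\u202e Smith"):
        print(check_display_name(sample))
```

A platform would typically reject or strip these characters at profile-update time and write the escaped form to its logs; the rendered name alone gives an analyst no hint that anything is there.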

Resources

  • Agarri’s training has a freebies section with some awesome resources for advanced Burp Suite usage.

  • With all of the upcoming talks and such, hopefully this section will be HUGE in the next issue.