MonkeHacks #30
Halfway, ASP.NET, Window Names
The 30th post! Woohoo! It was a busy week again. I spoke with an accountant to get my company stuff up and running, and I’ve been powering on at full speed for H1-0131. I took 3-4 days off over the weekend as my friends from university were visiting me here in Edinburgh. It was a break I really needed - I was burning out a bit from the LHE hacking. We are approximately halfway through the dupe period. This week I’m back to 100% energy levels, and I’ve already found some bugs to show for it! I’m really looking forward to the in-person event.
The temperature has been dropping here in Edinburgh. I’m expecting some cold-ish mornings soon. Maybe during the LHE, even.
Waverley Station, Edinburgh, in the mist.
Gadget of the Week
This week’s gadget is a neat one I read in Huli’s blog. It covers a way to bruteforce window names:
“As mentioned earlier, if a named window is opened and a window with the same name already exists, it will not open a new window but will redirect to the existing one. We can use this difference to detect whether a window with a certain name exists, and we can also use the iframe sandbox mentioned earlier to prevent opening new windows.”
I’m not sure how practical this is in the wild, but it’s a very neat idea. Refer to the main blog to read about it! Huli’s blog is an excellent resource.
Weekly Ideas / Notes
Your number one strength is creativity. So, when you’re hacking, push yourself into situations that require you to be creative, and you’ll find more. I feel like I’ve said this before but there’s no harm in repeating it.
Don’t count your chickens before they’re hatched - that is, don’t count your bounties until they’re paid. Also, don’t publish bugs that aren’t fixed, even if you redact them first. Celebrate after the money is in your account!
Not sure if it works - haven’t tested it myself - but Zseano tweeted that %uff1csvg/onload=alert()%uff1e works as an XSS filter bypass on ASP.NET apps. As someone who occasionally gets stuck on .NET apps, this is super useful!
My first week in the local WeWork concluded and my conclusion is that signing up was a very good idea. I had a very productive week and that was largely due to the good wifi, good atmosphere and good coffee.
Next week will be the end of the dupe period. Fingers crossed! I’ve had my best LHE performance yet so far but there’s another week to go.
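A defender-side check for the %uff1csvg/onload=alert()%uff1e string from the notes above, as an added example that is not from the original post or from Zseano. It assumes (the post does not state the mechanism) that the string relies on non-standard %uXXXX escapes of fullwidth characters being decoded and folded to ASCII after the filter has run; the function names and sample inputs are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Non-standard %uXXXX escape (not part of RFC 3986 percent-encoding).
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
# Characters an HTML/XSS filter cares about.
_MARKUP = set("<>\"'")


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX escapes, then fold compatibility characters
    (fullwidth forms included) with NFKC. Repeats to catch double encoding."""
    value = raw
    for _ in range(max_rounds):
        decoded = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        decoded = unicodedata.normalize("NFKC", decoded)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(raw: str) -> dict:
    """Report markup characters that exist only after canonicalization,
    i.e. ones a filter looking at the raw value would never see."""
    canon = canonicalize(raw)
    hidden = (_MARKUP & set(canon)) - (_MARKUP & set(raw))
    return {
        "canonical": canon,
        "uses_pct_u": bool(_PCT_U.search(raw)),
        "hidden_markup": sorted(hidden),
    }


if __name__ == "__main__":
    # Constructed sample parameter values; the first is the string from the post.
    samples = [
        "%uff1csvg/onload=alert()%uff1e",
        "caf%C3%A9",   # ordinary UTF-8 percent-encoding, nothing hidden
        "%25uff1c",    # %u escape wrapped in a second layer of encoding
    ]
    for s in samples:
        print(s, "->", inspect(s))
```

Running the input filter or WAF rule on the canonical value, and logging any request where hidden_markup is non-empty, covers both the filtering and the detection side.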
Resources
URL Validation Bypass Cheatsheet - updated guide from PortSwigger.
We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI: Absolutely insane research from watchTowr Labs.
idekCTF 2024 Writeup - Advanced iframe Magic: I can only describe this as client side wizardry.