MonkeHacks #39

This week has been insanely, hellishly busy. I left Cork and arrived back in Scotland, and began moving my things to my new place. I am absolutely loving my new place - it has much better heating than my old place and it’s way more compact, which suits me just fine. I can’t drive (yet) so I was moving my belongings via Uber. But most of my time has been spent doing the administrative stuff like moving my bills. There is so much to do, and I haven’t even accumulated that much stuff.

Despite this busy few days, I still found some really interesting vulnerabilities. There’s a lot I cannot talk about, but I look forward to the day when I can.

I spent several hours practicing the difficult German “R” sound and I finally got it. It’s not a sound native to English or Japanese so I really struggled with it (if you’re French, then it’s the same as the French “r” - it’s a sound produced by the throat). I’m fine with most Arabic sounds because it has some weird ones in common with Irish pronounciations. Arabic has a few tricky ones though, so that’s next on my list.

Weekly Ideas / Notes 

• I tried to integrate Jswzl into my workflow this week and I enjoyed it so much that I went ahead and bought the full license for the year. This also gives me a way to provide feedback to improve the product (as with Caido, of course).

  • It works very well for me because of the type of hacking I do. It significantly speeds up my processes and workflows. However, if you’ve watched g0lden’s demo video and you don’t know what I mean by that, then this probably isn’t the tool for you. It is very expensive (over $1,000 per year!), so it only pays off for certain niches of hackers. I also anticipate that this product will grow over time to have even cooler features, so I’m betting on that as well.

• In the last 2 years, I’ve definitely noticed an uptick in full-time bug bounty hunters setting up side gigs. And honestly, I get it. Now that I’m here, it makes a lot of sense. I don’t really know what I want to do - I can develop reasonably well and pretty quickly in several programming languages, both backend and frontend, so the sky is the limit. I just don’t have an idea or vision yet that I really want to commit to beyond becoming a better hacker at the moment. Maybe it’s content! Maybe it’s a SaaS platform to make XYZ easier. Maybe it’s a premium hacking tool. I simply don’t know yet, but it’s something I’m going to think about in the next few months.

• I’m talking through that unfortunate incident that Mikey96 and I experienced with Bugcrowd support. Hopefully this will resolve in a satisfactory way.

• I’ve been budgeting heavily with YNAB. I cannot recommend YNAB enough if you’re trying to track your income and expenses and budget properly. And no, I have no sponsors on this newsletter, so everything I say is my unbiased opinion.

• Hive Five featured me in their Buzz and Boost! Although my hair is quite a bit longer now. I’m a longtime fan of Bee’s newsletter, and I think I mentioned this before but this publication was immensely helpful when I was getting into hacking - I’ve been a fan for over 4 years now. If you’re not a subscriber yet, go and subscribe - the quality every week is fantastic.

Resources

• Abusing Ubuntu 24.04 features for root privilege escalation: A very interesting technical writeup on a privilege escalation to root. A timeless bug and a great article.

• Predictable Patterns & PII Leakages: Using AI to mass leak data: A very clever demonstration of breaking a complex identifier using Claude.

• Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops: Unauthenticated RCE on Citrix Virtual Desktop via .NET deserialization. Great finding.

• 200K$ in 2 weeks : A clickbait title but (hopefully) valuable advice: Doomerhunter, a friend of mine, wrote this awesome blog post about the LHE experience.