MonkeHacks #42
Shift, Hotkeys, Thanks
I hope you had a great week. This week was immense - I found a new client-side technique again. I’ve returned to working from the WeWork in Edinburgh, and the difference in productivity has been huge for me - I’m putting in consistent hours again and it’s really paying off. I need to do some more research on a few topics, but I’m looking forward to writing about them soon. I’m at a bit of an unlucky roadblock when it comes to actually finding bugs, but I’m definitely putting in the time properly now, so the next bug is a finite number of my work hours away.
Remember that growth comes from putting yourself in challenging situations, so go out there and tackle that difficult problem you’ve been facing headfirst!
Saturday at the WeWork. Most of the time I’m alone, or there’s one or two people there.
Weekly Ideas / Notes
I think that we, as hackers, take too much of what companies say at face value. Let me put it this way; just because they say that they’re secure, and the company has a lot of money - does that mean that they’re secure? Of course not! Just because you see a 5-figure bounty on X, does that mean that the bug itself was complex? No! We need to think more critically. And no, this is not a CTBB reference, I quite literally mean that to hack effectively, you need to think more critically. In security, you need to learn from what you observe, not from what you’re told.
rez0 and Rhynorater launched Shift - an AI addition to Caido that allows you to do things in Caido using natural language. You can tell it to change something about a request in your history and resend it in Replay, and it will do that. You can tell it to create Match and Replace rules, create HTTPQL filters for your history, and even generate contextual wordlists. It’s definitely a big step towards whatever the next generation of hacking tooling will look like.
Just for fun, I got a Stream Deck Neo as my Christmas present to myself. I spent some time setting it up with my most commonly used hacking applications, my devtools shortcuts, and more. It’s not a huge productivity gain but it’s fun to have, and fun to use. You can configure multiple hotkeys in sequence with delays and stuff. I’ve set mine up such that I can step through JavaScript functions and switch tabs (i.e. to DomLogger++) with ease.
Just to demonstrate - here’s a demo of me using Shift and speech-to-text, to tell Caido what to hack for me automatically!
I set up three hotkeys here: one to open Shift itself, one to trigger dictation on my Mac, and another to automatically hit Enter after a few seconds. The end result is like something out of sci-fi. One step closer to a hacker Jarvis.
I’d like to congratulate my friends over at Critical Thinking for reaching 100 episodes! They’ve produced some of the best content that the security space has seen in recent times, and very consistently. Thank you to Joel for your hard work as well, and wishing you the best in your endeavours. Be sure to thank the people you look up to, because security education is usually a thankless effort. It costs nothing to take a few seconds to send a message or post acknowledging their hard work. So, in the spirit of this, thank you to the team over at CTBB and keep up the good work!
We’re into December already, so I might start planning some surprises for the end of the year. We shall see, but stay tuned. Christmas is a great time to be in infosec.
Resources
Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day: WatchTowr researchers show that Java applications are plagued with the same issues, time and time again.
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection: Ryotak is inevitable.
Ep 100 - 8 Fav Bugs of 2024, Farewell Joel, Hello Shift - Cursor of Hacking: Insanely valuable episode. I listen to everything on 1.3x speed for efficiency.