MonkeHacks #46

Happy New Year! Welcome to MonkeHacks 46. We’re getting closer to MonkeHacks 52 (one year!) and I’ll definitely do some kind of giveaway when we reach that milestone.

I had a really productive week. I wanted to improve my automation game - I have a lot of code written but it wasn’t ever really good enough to be competitive, so this time I’m taking it upon myself to see this project through to fruition. I made a lot of design changes to my automation this time, but I’ll discuss that further down in this issue.

I also did a lot of manual hacking - I’ve been working on a really, really cool chain, but it’s still a work in progress. In essence, I’ve just been reverse-engineering a lot of obfuscated Javascript.

Finally, I’ve been working on a pentest, but I can’t talk about that. It’s just kept me busy.

Weekly Ideas / Notes 

• This is the first issue of 2025, so let’s start off with a bang - I’m happy to share that I’m one of the members of the Critical Thinking Research Lab! Essentially, any research I do in the future will be published under the CTBB research lab brand - naturally I’ll still link everything in the newsletter, but CTBB Research Lab where it’ll be written up and discussed.

• I’ve been working on my automation, but I’d like to share some of my rationale around this, and in particular, discuss some of the design decisions I had to make in the process of developing this.

  • It goes without saying that the modern automation landscape is incredibly competitive. This, in turn, means that it’s necessary to study cloud engineering properly to have any chance of reasonable success. It’s never too late to join the automation game, but you need to be prepared.

  • A bit about my infrastructure: I use MongoDB as my primary database. This is because fundamentally, I believe that bug bounty data needs to be flexible, and SQL-based databases are more rigid than NoSQL, so MongoDB seems to be a better choice overall. This is a personal choice, though, and you’ll do just fine if you pick Postgres or something too.

  • With distributed workloads, a message queue is needed, and I use RabbitMQ for this. That said, I’ve not put much thought into this decision - if someone has a better suggestion, I’d love to hear it!

  • I use Go for my programming language. Go is excellent for concurrency, it’s very fast, and it has an extensive ecosystem of existing bug bounty tools. My initial renditions of automation were in Python, but Python can be a bit slow sometimes.

    • Three Dots Labs have some good blog posts on writing good Go.

  • The specific upgrades I’m implementing at the moment are mostly around how I interact with my database - using things like indexing, bulk-writing, and efficiently pulling and pushing information from MongoDB. I also rewrote some code to better fit a design pattern. I mostly use Cursor with Claude 3.5 Sonnet.

• Shift is now officially launched! Great work, rez0 and Rhynorater. I think someone misunderstood previously and thought that I was one of the developers of this. Just to be clear - it was built and launched by rez0 and Rhynorater.

• My friend Hacktus is now a full-time bug bounty hunter! Congratulations hacktus! Fun fact, I’m the one who came up with his username while I was visiting him in Istanbul.

• Here are some of my goals for 2025:

  • To generate $100k in pre-tax revenue in my company between bug bounty and other side projects.

  • To give a talk or workshop at a conference.

  • To reach 5,000 reputation points on HackerOne (I’m at ~3,700 right now).

  • To attend an in-person LHE on any platform.

  • To launch a startup/side gig of some kind alongside my bug bounty work, so I can split my time between coding and hacking.

  • To adopt cats! This is in my January-February plans.

Resources

• Learning Salesforce: The great hacker ngalog is learning Salesforce and is posting about his learning progress each day on Twitter/X. His disclosed reports on HackerOne back in 2020-2021 were really motivational for me when I was first getting into hacking, and I don’t think he remembers it but I’ve briefly met him before at a LHE (I think it was the Tokyo event in 2023?). Either way - good luck ngalog!