MonkeHacks #54
CTBB, Hack & Link, TARS
Apologies for the late issue - it was an interesting, hectic week! I did some hacking this week, but I focused on resting and working on side projects instead to recuperate a bit. I climbed the Salisbury Crags here during the one day of sunny weather we had. This week my mom is visiting me from Ireland for a few days, so I will be relatively inactive; family comes first.
The next few weeks will be very busy between friends and family visiting me, some trips such as returning home to Ireland for a week, and keeping up bug bounty work, but it’s all good stuff, thankfully. As usual, I’ll write about what I’m up to.

In a brief spell of sunshine, I went for a long walk along the Salisbury Crags with my friend.
Weekly Ideas / Notes
I’m on Critical Thinking this week! Big thanks to my friend rez0 as usual, we had an excellent chat. I hope the client-side explanations translate well across the audio medium. We also discussed AI hacking. Both rez0 and Jason Haddix have AI-related trainings at the moment - they’re both AI security visionaries so it’s worth taking a look.
As we mentioned on the podcast episode - I’m taking part in the Google BugSWAT Live Hacking Event in Tokyo in April. I’m really looking forward to it! I’m taking the opportunity to visit my friends in Osaka/Kyoto, and grandmother in Sendai as well. I’ll be sure to write about the trip here.
This week I was quite burned out, so I didn’t do much work, and instead caught up on the administrative side of things. Balancing everything is no easy task. I also watched some video series on Kubernetes to optimise my infrastructure. I like to maintain a healthy balance of education and practice.
I’ve been working on a small company, Hack & Link, with my friend Link. Effectively, we want to connect hackers looking for work with companies looking for security talent. Email me at [email protected] to send in your CV if you’re interested, or if you’re a company looking to hire security folks.
To take a break from bug bounty, I spent a day on a new fun project - building something like TARS from Interstellar. I was inspired by GPTars to build my own assistant robot. I created a system prompt for ChatGPT to make it behave like TARS. I connected that output to a custom voice I generated in ElevenLabs to sound like TARS (it took some engineering to achieve the right voice) and I passed the result through PyDub to lower the quality of the audio and make it sound like it came from a terrible microphone - the end result is as good as the GPTars demo. It genuinely sounds like an old, wise guy in a spacesuit. My next task is to write voice activation in Python, and get some components to build the actual physical form of this creature. I’ve used Arduinos for years so building a bot with hardware is nothing new to me. I’m also considering implementing this into a VR application for my Meta Quest 3 as well. Either way, it’s progressing well.
Resources
Pressing Buttons with Popups: A nice read on abusing popups and events by manipulating focus and other gadgets.
How to Hack AI Agents and Applications: Excellent guide from rez0 that definitively defines how to hack AI products. He’s also stated that he’s giving a (premium, so not free) masterclass on March 11th, so if you have some corporate training budget left over, it might be worth looking at!
The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248): A very good post that nicely explains the thought process behind finding this vulnerability. I sighed as soon as I got to the part where they began decompiling JARs.
Bypass Better-Auth trustedOrigins Protection leads to ATO: Castilho wrote a nice blog post on an ATO in Better-Auth.
ClaudePlaysPokemon: Yes. Claude, trying to play Pokémon with tool calls. So cool.