MonkeHacks #58

This week has been one of the busiest weeks of the year so far for me. I had a friend visiting me from Monday to Friday. We climbed the Salisbury Crags at 5:30am on Tuesday to watch the sunrise - it was a magnificent view. I went to the cat cafe here again, which was awesome of course, and discovered some good vintage shops. I also went for drinks with my good friend from Ireland who was here on his first business trip.

I had a pretty successful week of hacking - I have to do some pentesting this week, so that’s eaten up my time. I also reported two decent vulnerabilities, and completed a bunch of retests for my previous bugs. It’s been relentless and with the LHE happening quite soon, I have no time to rest at all.

I’m completely exhausted, but it’s one of those weeks where I just need to push through and get the work done. This is the counterbalance to the chill weeks I had in February. And I know that this will be worth it once I see it through - I just need to keep going, one step at a time.

Weekly Ideas / Notes 

• On Friday, I gave a talk on bug bounty to RITSEC - the cybersecurity club in Rochester Institute of Technology in New York. I gave the talk virtually, and the recording will be available next week so I’ll link it when I have it.

• Between pentesting, bug bounty, and just general life stuff, it’s been a real handful of a week. These weeks don’t happen very often so I’ll be just fine - it’s just not fun to be in the middle of it. I’m just waiting for this to pass so I can relax in Japan with my favourite Japanese foods and hang out with my hacker buddies.

• I read High Agency In 30 Minutes, which is a pretty accurate summary of my perspective on things. I highly recommend it. It’s up there with The Tail End.

• That’s all for this week - I have a lot of work to do. I might record a vlog or something in Japan with Lupin and the others. We shall see.

Resources

• Next.js and the corrupt middleware: the authorizing artifact: A pretty widely impactful bug in Next.js, that’s caused a stir in the community.

• IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX: Another dramatic finding, this one from Wiz, who were recently acquired by Google.

• High Agency Hacking: A nice brief article from rez0 about being proactive in bug bounty.

• We hacked Google’s A.I Gemini and leaked its source code (at least some part): A really cool article from Lupin and Rhynorater about the Google Runtime Environment (gVisor).