MonkeHacks #16

Ireland, Introspection and the AWC

After a busy week, I’m now back in Cork, Ireland. After being away for two months, I saw my family again. Another reason for my return is that I’ve decided to leave The Hague (nothing personal, my Dutch friends, but the Netherlands wasn’t the right place for me long-term). As such, last week, I was busy tying up all of the loose ends around moving out.

Where to next? I’ll meet my friends here in Cork over the next two weeks and get some good hacking done. After that, I’ll try to move to Edinburgh, Scotland. I have a hostel booked there for a week so that I can attend viewings and such.

Make sure you get enough exercise every day, especially if you’re working a desk job or if you’re at your computer all the time. Future you will be thankful.

And lastly… I am turning 23 this week! I will celebrate with my family and friends and try to ask for a birthday bonus if I report anything.

A photo I took this week in my hometown. A nice spot by the river.

100-Hour Challenge Updates

Here are this week’s statistics:

  • ⌛️ Hours This Week: 6

  • ⏳️ Hours Left: 35

  • 🗞️ Total Reports (All-Time): 3

  • ✅ Total Triages (All-Time): 3

  • ✨ New Triages (This Week): 0

  • 💸 Bounties: $25533

I did some manual recon to find more leads on my challenge target, but it turned up nothing at all. I need to spend some time thinking to try and identify more attack surface here.

I also hacked on the AWC scope for a few hours this week, although I didn’t find anything. I reported two bugs on other programs. I’m feeling the ups and downs of full-time bug bounty a bit more now, but I’m committed to making June one of my best months yet.

Weekly Ideas / Notes 

  • Gareth Heyes is presenting his research on email parsers at Black Hat. This one is gonna be good. As bug bounty hunters, we’re spoiled for good research this year.

  • Take some time each month to write down what you could do better. Ask yourself what’s stopping you from becoming a better hacker. Then, write some objectives for the next month that address your identified limitations. Be honest with yourself - what could you do better?

    • Along a similar line of thought, what is the smallest set of tools you need to execute your methodology? Where are you spending the most time, and how can you reduce the time you spend on this? Simplicity is key. Clutter in your workspace will clutter your mind.

  • A few months ago, I paid for the Critical Thinkers tier in the Critical Thinking Discord server, and it’s easily one of my best investments in the bug bounty space this year. And no, nobody has paid me to say this. It’s quick access to some of the community’s top experts, some masterclasses on topics that public resources don’t explain too well, and just a good bunch of people. Highly recommended. If Jason Haddix’s community gives you access to a wealth of wide recon knowledge, then conversely, Critical Thinking gives you access to the deep recon knowledge.

  • The Ambassador World Cup has started on HackerOne. Good luck to everyone competing! I’m on Team Netherlands.

  • I have asked my HSM about the process of writing blog posts for some of my cool bugs on private programs. Hopefully I can anonymise the details and just provide technical information, but it’s best to get any relevant posts reviewed by the programs in question first.

  • As I was hacking this week, I saw this really weird payload that I’d never seen before in one of the features I was hacking on: {{=TreatAsContent(HTTPGet(… with some more payload data. So I thought to myself, what the hell is this? Turns out it’s AMPscript! AMPscript is designed specifically for Salesforce Marketing Cloud. But, to see this payload in the wild… does this mean that AMPscript injection is possible? Huhhhhhh? I couldn’t find any resources about it online except this, which was an entirely different situation. If anyone has answers, please contact me! I think this is super interesting.

Resources