MonkeHacks #31

Differentials, Dupe Period Reflections, Plugin Update


Here’s to another week of MonkeHacks. Apologies for the late issue this week, it was a busy week! I’ll try to make the next issue somewhat special as it’ll be covering the LHE, so expect that around Wednesday. The dupe period of H1-0131 has just concluded, so I’m taking a well-earned break until the in-person event next week. I’m meeting some cool hackers for dinner on Friday, but aside from that, it’s relaxation time until Sunday evening. Funnily enough, I live within walking distance of the LHE welcome reception venue.

After the LHE, I’m flying back to Ireland for a few days to train for the upcoming European Cybersecurity Challenge in Turin, Italy in early October. This is my fourth year competing on Team Ireland. Let me know if you’re also competing!

View from my regular WeWork in the evening.

Gadget of the Week

This week’s gadget is cookie tossing. This gadget stems from the fact that a subdomain can set a cookie that the browser then sends to other subdomains of the same domain, simply by setting the cookie’s Domain attribute to .domain.com. This is quite powerful in cases where you have a cookie-based XSS, or where you need to fixate a session in some way. There’s a variant of this called cookie bombing that abuses the same behaviour to elicit a denial-of-service.
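As an added illustration (not code from the newsletter), the Python below models the RFC 6265 domain-matching rule this gadget relies on, plus the `__Host-` cookie prefix that defends against it; the hostnames and cookie values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    set_by: str                    # host that issued the Set-Cookie header
    domain: Optional[str] = None   # Domain attribute; None means host-only
    secure: bool = False
    path: str = "/"


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it."""
    domain, host = domain.lstrip(".").lower(), host.lower()
    return host == domain or host.endswith("." + domain)


def accept_cookie(c: Cookie) -> bool:
    """Storage rules that matter here: a Domain attribute must cover the setting
    host, and a __Host- cookie must be Secure, Path=/ and carry no Domain."""
    if c.domain is not None and not domain_matches(c.set_by, c.domain):
        return False
    if c.name.startswith("__Host-"):
        return c.secure and c.path == "/" and c.domain is None
    return True


def cookies_sent_to(jar: List[Cookie], host: str) -> List[Tuple[str, str]]:
    """(name, value) pairs the user agent would attach to a request for host."""
    sent = []
    for c in jar:
        if c.domain is None:                          # host-only cookie
            if c.set_by.lower() == host.lower():
                sent.append((c.name, c.value))
        elif domain_matches(host, c.domain):          # domain cookie: all subdomains
            sent.append((c.name, c.value))
    return sent


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: app.example.com owns the session; blog.example.com
    sets same-named cookies with Domain=.example.com (cookie tossing)."""
    attempted = [
        Cookie("session", "legit", "app.example.com", secure=True),
        Cookie("session", "tossed", "blog.example.com", domain=".example.com"),
        Cookie("__Host-session", "legit", "app.example.com", secure=True),
        Cookie("__Host-session", "tossed", "blog.example.com", domain=".example.com", secure=True),
    ]
    jar = [c for c in attempted if accept_cookie(c)]
    return cookies_sent_to(jar, "app.example.com")
```

The two `session` cookies that reach app.example.com are indistinguishable to the server, which is the ambiguity the gadget depends on; the `__Host-` variant stays unambiguous because the browser refuses the tossed copy.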

Weekly Ideas / Notes

  • As I was reading James Kettle’s blog, I noticed that he used the word “differential” occasionally. My first thought was that this was an excellent decomposition of what hacking actually is.

    • A differential - in the context of the hacking space - is a difference in behaviour between two or more systems. This isn’t always exploitable, but what it does present is a window of opportunity. The use of this opportunity, which we call a gadget, is context-dependent. Often, the same gadget can be abused in multiple different ways.

    • This is why it’s crucial to take good notes. Sometimes all you need is a behavioural difference to pop some vulnerabilities.

  • Now that the dupe period is drawing to a close, here are my reflections.

    • I didn’t find many vulnerabilities in the dupe period (I have 4 on AWS), but the technical quality of my bugs was significantly higher than anything I’ve reported previously at an LHE. No criticals - not yet. I’m talking about the technical value of the bugs rather than the impact here. This alone is something I find to be very fulfilling.

    • Sometimes the stars just don’t line up in the right way and that’s exactly what I think happened here. I had many, many gadgets, but they just didn’t line up in a vulnerable configuration. It was not for a lack of effort on my part - I was putting in 8-10 hour workdays consistently. On at least two occasions I was one step away from a critical bug, but some particular configuration thwarted my efforts. I do applaud the security team over at Amazon for making it so difficult to pop stuff fully. I think on any other program I’d have 2 or 3 P1s at this stage.

    • Likewise, sometimes you just need to look on the right attack surface. At this level, it’s almost a necessity to dig deep into a particular piece of the scope, and you have no idea if it’ll be vulnerable or not before you start hacking. Making a mistake at this stage, right at the beginning, can make it significantly more difficult to put up a good performance in the event. You’ll always learn something no matter what you pick, of course, but that won’t always necessarily translate to financial gains.

  • After this event, I’m going to go back to working on my Caido plugin. I’ll have more to share soon! Caido has fleshed out their plugin store quite a bit.

Resources