MonkeHacks #72
Stickers, Homelabs, Cinema
This week, I went to see two films in the cinema. It’s been a rainy week, so I’ve had to stick to indoor activities. I saw F1: The Movie which was alright (maybe a 6.5/10) and Superman which was a solid 8/10. The new Superman is a real classic Superman film. My friend invited me to watch 28 Years Later today as well, so that’s a strange week for me of going to the cinema 3 times.
Unrelated to that, I designed some stickers for Def Con. One sticker is simply of my logo (Simian Security) and the other is a slightly goofier design that I think you’ll like. If you can find me in Vegas, both of these stickers are yours - I plan on bringing 100 of each with me, so my supply will be limited. They arrived in the post pretty quickly and the quality is decent, so I might order some meme stickers this week too to top it all off.
I’m looking forward to seeing some familiar faces in Vegas - I have my ESTA authorization, so fingers crossed that there are no issues with entry. I’ll be there from Aug 5 to Aug 11. I’ve also got another slightly unexpected trip to Japan coming up - one of my good friends is going, so I’m tagging along. That’ll be happening from the last week of August to mid-September. I had a Manchester United game planned during that time, but I’ve changed that plan; I’ll be going in December with one of my best friends to watch them play West Ham instead.
I had a quiet week this week; I opted to de-clutter my physical belongings and my digital workspace rather than taking on more work. Sometimes you need to trim the noise to focus on what really matters. Next week will be much busier, with the Google LHE kicking off towards the end of the week, and a pentest in the few days before that.

There was a baby seagull by the WeWork in Edinburgh. The community named him George.
Weekly Ideas / Notes
Continuing my adventures in taking back control of my data, I decided to run Immich. Immich is a self-hosted piece of software that basically just replaces Google Photos. I have quite a lot of photos so I bought a 1TB SSD to use with my Raspberry Pi 4 to run Immich. I expect to get more SSDs for other projects soon, such as backing up my data outside of Proton Drive.
Naturally, any inclination towards self-hosting also inclines you towards the homelab hobby. I have a SATA hat on the way (SATA, not Santa; it’s like a physical interface layer for mini-computers like Pis to interact more naturally with HDDs and SSDs) and a small server rack to be able to hold several Pis. For now, I only have one Pi 4 with 8GB RAM, but I do intend on expanding that in the next few months with some Pi 5s, depending on my needs.
Caido acquired Shift - a pretty interesting acquisition, and a clear move towards adopting AI into the platform to get a competitive advantage.
Mostly, I was coding this week. I got some personal plugins working, and I made progress on my SAMLRaider implementation in Caido. I think I’ll have a v1 ready in August as this is a side-project for me, rather than my main focus. I did a little bit of bug bounty this week as well to get back into the flow of things, but I have no findings from that effort yet.
My sleep schedule is woefully bad at the moment, so I’m making an effort to fix it by waking up earlier. The downside of that is that on the days I wake up early, I’m super tired. I’ve been using a magnesium chloride spray, which helps with sleep, and so I’ve been sleeping more deeply. I’m not too partial to supplements; I just take the magnesium spray in the evenings, and creatine and protein powder in my breakfast protein shake in the mornings. It’s the combination that rez0 recommended before and I agree with his recommendation. It’s a good balance.
Unfortunately I didn’t get around to reading very much this week. Most of my reading time comes from days where I have to commute a little bit.
Reading List
Currently:
Fiction: Solenoid by Mircea Cărtărescu (80/600 pages)
Non-Fiction: A Random Walk Down Wall Street by Burton Malkiel (150/300 pages)
Next on the list:
Fiction: TBD
Non-Fiction: Day Zero to Zero Day by Eugene Lim (SpaceRaccoon)
Resources
Would you like an IDOR with that? Leaking 64 million McDonald’s job applications: Ian Carroll and Sam Curry logged into the McDonald’s hiring system administration interface with the credentials 123456:123456 and popped a nice IDOR to leak PII. Great work, as usual.
How I found a bypass in Google's big anti-adblock update: A nice article on an ancient piece of code in Google’s Chrome extension codebase, and what it could do.
XBOW battles Ninja Tables: Who’s the Real Ninja?: Information from the XBOW team on a file read vulnerability.
RCE in the Most Popular Survey Software You’ve Never Heard Of: A nice, relatively simple template injection to RCE chain. Nice work again from Searchlight, formerly Assetnote.
NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266): A subtle issue in NVIDIA Container Toolkit’s configuration caused a pretty serious vulnerability.
Intigriti July XSS Challenge (0725): I gave this challenge a shot. I did not solve it. The intended solution is ridiculously impressive.