MonkeHacks #92
Welcome back to MonkeHacks!
Most significantly this week, I launched Starstrike with Busfactor. I’ll talk a bit more about that below. It’s been an interesting week again. I was invited to a LHE in Tokyo that takes place in around two weeks, so I’ll be in Tokyo from Feb 10th to Feb 20th. I was already planning on going on my own dime from March 5, so you’ll hopefully see a lot of Japan in the upcoming issues.
I got a Fujifilm XE5 camera for a new project I’m working on this year, that I won’t be announcing yet. The immediate effect of this decision is that the photos you’ll see in each issue will drastically improve in quality. No more iPhone photos!

I took the Fujifilm XE5 out for a test run in Edinburgh.
Weekly Ideas / Notes
This week, I launched Starstrike with Busfactor. We also have a blog, although it’s empty for now. In the coming days, we’ll be publishing the first of our writeups. Our plan, roughly, is this:
We’ll pentest AI apps.
We’ll actively conduct research on frontier models to publish to our blog and spread awareness around AI security.
We’re working on a product suite to help secure AI systems.
We have a few articles to publish, so we’ll be dropping one a week for the next few weeks. We’re looking forward to sharing these findings!
I’m going to my first LHE of the year in two weeks in Tokyo. I decided to fly with JAL this time to see how their economy seats are. My personal opinion is: British Airways kinda sucks, but the movie selection is good. Air France is okay in every regard. KLM is okay overall, although the food sucks. Finnair is good in all regards. Etihad is good, but the movie selection sucks. Unfortunately, on the way back I have to fly back via Charles de Gaulle airport in France, which is one of my least favourite airports in the world. You win some, you lose some.
I’ve spent most of my week just doing a lot of writing, working on the 2026 methodology post as well as drafting up the research articles for Starstrike and fixing bugs in the site and blog. I did some hacking, but the next two to three weeks will be much more hacking-intensive, and I’m looking forward to it - there’s a satisfaction to getting your teeth into some good technical hacking.
I set up OpenClaw; then I uninstalled OpenClaw. It’s incredibly insecure out of the box (like, you are one good prompt injection away from OpenClaw RCEing itself). I’m writing my own version for personal use that does something similar, but only has the features that I’ll actually use. OpenClaw is a glimpse into the future of prompt injections, I think.
I went to the UK HackerOne Ambassador meetup in Manchester last week, and by some stroke of coincidence, James Kettle was there! I had a nice chat with him, and speaking with him has motivated me to do some research. I spoke with some more awesome people like XNL and stealthcopter too. All-round good vibes.
The Disclosed newsletter compiled a resources document for beginners. You can find it here. It’s a nice, concise summary of what to follow in the sea of noise.
Reading List
| Title | Pages | Author |
|---|---|---|
| The Night Circus | 130/512 | Erin Morgenstern |
| Solenoid | 130/600 | Mircea Cărtărescu |
| A Random Walk Down Wall Street | 150/300 | Burton Malkiel |
| How The World Made The West | 265/400 | Josephine Crawley Quinn |
| Founders At Work | 221/472 | Jessica Livingston |
Resources
Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882): Need I say it? More good Watchtowr research.
Ticket Tricking OpenSSL.org with Google Groups: Old tricks still work! SpaceRaccoon is one of the OGs.
GatewayToHeaven (CVE-2025-13292): A superb writeup on a cloud vulnerability in GCP. I am a big fan of these types of bugs.
One-click RCE on Clawd/Moltbot in under 2 hours with Hackian: Ethiack’s hackbot hacked Clawd/OpenClaw. We’re inching closer to sci-fi hackbots, I think.
LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem): Liv Matan is a regular Google hacker and an excellent researcher. This is his latest work.
