From CTF Champ to H1-202 MVH. André applied the creativity of CTFs to find and escalate bugs in the wild and hack his way to a Championship Belt less than a month after finding his first bug.
Tell us a bit about yourself.
I completed my MSc in Information Security last year and I’m currently the captain of a CTF team. I’ve been teaching classes at my University and I’m currently a security researcher. I love binary exploitation and reverse engineering.
Now it seems that I’m a bug bounty hunter as well. Honestly, this is all HackerOne’s fault because they started building CTFs.
How did you first get interested in computers and hacking?
I was 11 years old and I found a book in my father’s cabinet about programming. I learned programming fundamentals and after that, I started wondering how it would be possible to hack computers. In the bug bounty context, solid programming skills are really important to understand how software is built and how to break it.
Did you have a mentor who encouraged your interest?
I’ve been following the work of well-known people in this field since I started my journey. All those blog posts and talks inspired me a lot.
You are very involved in the CTF community. How does that impact your bug hunting skills?
I learned a lot through Capture the Flag competitions and reading write-ups. I believe that I wouldn’t be able to find high severity bugs otherwise. CTFs are very different from bug bounties. In a CTF challenge, we are usually given a small piece of software and we know that the vulnerability is right there but it can be very hard to exploit. On the other hand, a bug bounty hunter needs to know how to hunt vulnerabilities in real-world software. In my opinion, these two fields complement each other. I think that doing both is great to improve hacking skills. Those sleepless CTF weekends made me a persistent person and I have found some cool bugs because of it.
You got invited to your first live hacking event, H1-702, after beating the CTF, and you went on to become the Most Valuable Hacker at H1-202. Can you tell us about that experience and what attending a live hacking event means to you?
I was invited to H1-702 last year, after winning the H1-702 CTF (you can read my write-ups here). I went there with no experience in bug bounties and I found nothing. However, I finished the H1-202 CTF this year and got a new invite. I was disappointed with my previous performance at H1-702, so I pushed myself to the limit: I started practicing, reading all the reports that I could find and watching talks. The result: I ended up receiving my first bounty on February 27th and I became the H1-202 MVH! It was crazy.
Live hacking events are freaking awesome, but the targets are tough. They encourage knowledge sharing and friendship. Sometimes people hack together and chain bugs. The payouts are live, lots of swag... What more could you ask for?
What motivates you to do this type of work?
Security is rapidly evolving. A good way to update ourselves as security improves is to do bug bounties since hacking big targets is very challenging and mitigations are widely used. The desire to learn something new every day and to be a better hacker are my greatest motivations.
What types of bugs do you like to hunt?
I love to hunt vulnerabilities with high impact, such as RCE. My favorite vulnerability is SSRF since sometimes it’s possible to escalate it. SSRFs were the initial attack vectors of my two biggest bounties so far.
You recently found a Critical SSRF on Shopify that paid out $25,000. What type of recon goes into searching for a bug like this? Can you tell us the decisions you made that led to finding it?
I started looking into all the assets and trying to understand what services and features they offer. I wasn’t looking just for SSRFs, I was trying to find other vulnerabilities, such as LFI and IDOR. Then, I discovered the screenshot feature and for two months I had no idea what could be done with that. I decided to take a break. Suddenly, I found a feasible way and spent a weekend escalating privileges in their cloud infrastructure. Some people told me that they would have reported it after reaching Google Cloud metadata, but I didn’t quit and found other misconfigurations. The feeling of getting a root shell in a target like Shopify was surreal, but I was very careful in all the steps in order to do no harm. Shopify is one of the best programs on HackerOne, they always request public disclosure so that we can all learn something new from these reports. It is a pleasure to work with them.
Which hackers do you follow closely and admire?
My favorite HackerOne 1337s: Frans Rosén, because he always finds crazy bugs in live hacking events, no matter what. And many others, such as yaworsk, gerben_javado, edoverflow, cablej, intidc, avlidienbrunn, dawgyg and teknogeek. I almost forgot Ted, from HackerOne, he is 1338.
Tavis for showering and finding 0days. My friend Federico Bento, for winning a Pwnie Award last year. Orange Tsai, Angelboy, Mario, osxreverser and balgan.
What advice would you give to others looking to get into hacking?
If you want to be a hacker, you need to learn how to teach yourself. That’s the core of the hacker mindset. Read books, such as Web Hacking 101, reports and write-ups, watch talks, attend security conferences and try to play CTFs or wargames. Challenge yourself and build your own tools. I’ve been using Hacker101 to teach students, it’s also a good start. Always make sure that what you are doing is completely legal. I started with basic pentest tutorials and then I started doing CTFs with friends. But be careful, CTFs can be very addictive!
What’s the biggest bounty you’ve received?
The Shopify SSRF/RCE. But I’m not done with Shopify yet!
What’s the best piece of swag you’ve received?
My HackerOne thermos, it keeps my coffee warm all day long!