Avid Capture the Flag (CTF) player, part-time bug bounty hunter, pentester, and master in software engineering, @manoelt is a jack of all trades in security! He has won three HackerOne Capture the Flag events including h1-5411, h1-702, and h1-415, securing him spots to hack at the corresponding flagship live hacking events in Buenos Aires, Las Vegas, and San Francisco. He once stayed up for 24 hours to finish a CTF, all while maintaining a full-time job and caring for his family!
In his free time, he produces security-related video content in Portuguese for the Brazilian community on his YouTube channel. When he’s not spending countless hours solving puzzles and participating in CTFs, he’s playing with his daughters, reading books, watching movies, and traveling (when allowed). We connected with Manoel to hear his story and how he’s progressed in this growing industry. Read on to learn about his progression.
How did you come up with your HackerOne username?
It is just my name with the first letter of my surname.
How did you discover hacking?
Mainly from IRC channels and IRC clients (scripts). I wanted to know how it was possible to drop someone else's connection. Also, taking control of another computer using the Internet was so crazy that I needed to know how to do it.
In 2002, I was doing a technical course about web development. One day, my teacher came to show a new web application that he had built for the local authorities. So I asked him if I could test it for something that I had learned, it was SQL Injection, and 'or'1'='1 did work on the login page. That feeling of gaining admin privileges out of nowhere and making my teacher go crazy is unforgettable. (He called the infrastructure and put the system down for maintenance.)
What motivates you to hack and why do you hack for good through bug bounties?
For the challenge and the money. I feel the desire to know as much as I can about web vulnerabilities and how I was not able to find something that someone else did. We are all so curious to know every vulnerability.
As a hacker in Latin America, what are the benefits of hacking through bug bounties?
As of today, one dollar is equivalent to five times the Brazilian real. The difference is even more for other countries in Latin America. So, doing bounties can make a huge difference in the monetary aspect. Further, the possibility to report vulnerabilities without the fear of being misunderstood because we are foreign citizens is a relevant aspect of bug bounties.
What makes a program an exciting target?
The most relevant aspect is communication: to be open to talking with the hunters, to make a clear policy, and always explain the open points and the reasons that guided the program’s decisions in a report. Further, an open scope is always a good opportunity to find bugs.
What keeps you engaged in a program?
When the program has good communication, as I explained above. Also, when I understand how everything works in the backend it keeps me more engaged because I can imagine a whole set of attack scenarios.
What makes you lose interest in a program?
When I observe that my work is not being respected. Lack of communication, when I am not getting a response in the reports, unfair bounties based on a CVSS that I do not agree with, and when the program takes a long period to fix vulnerabilities, generating more duplicates.
Do you recommend hacking on multiple programs or focusing only on one and why?
Focus your attention and creativity on one program and run your automation on multiple programs. When you focus on one program you will gain more confidence about how the thing works and so it will be easier to create attack scenarios that are not detected by scan mechanisms.
Do you focus on only one vulnerability attack scenario or do you focus on multiple types of vulnerabilities when you hack on an asset?
Multiple types of vulnerabilities, but mainly server-side issues.
What are the top three websites, blog posts, accounts, articles, or other resources you follow to learn new vulnerability trends?
Hacktivity, PentesterLand newsletter, and some security researchers' Twitter accounts.
What do you recommend new companies starting a bug bounty program should do?
To be prepared to receive and fix vulnerabilities in a reasonable period, which demands an appropriate team and a software development life cycle designed to accommodate the bug bounty reports. Also, having someone to manage and communicate with the hunters will increase the chance of a successful program. Further, doing a penetration test before beginning with bug bounties is highly recommended.
How important do you think collaboration is in bug bounties and what do you recommend hackers and platforms do about this?
Collaboration in bug bounties is a hunter’s decision. If you feel comfortable doing a collaboration with another hunter, go ahead; the possibilities of finding new vulnerabilities can be increased. But choose wisely with whom you collaborate. Friends in a CTF team could be a great opportunity for collaboration. On the other hand, if you feel that collaboration is not for you, it is still possible to find vulnerabilities. Although I must mention that in live hacking events collaboration can be the key to a successful event.
Platforms can develop a feature to create teams and allow reports to be written by them. Also, the invitation system can work for the whole team.
Do you have a mentor or someone in the community, globally and locally, who has inspired you?
I don't have a mentor, but I have to thank all my friends from my CTF Team (Epic Leet Team) and also friends in the Brazilian community.
What educational hacking resources would you recommend to others?
Doing CTFs as a team works for me to keep studying and stay updated. Take a look at CTFTime for a new CTF to come. Today, we have a lot of educational platforms focused on challenges, like Hack The Box, TryHackMe, and PortSwigger Web Academy. Also, recently I gave a training in the Portuguese language focused on modern web exploitation.
What advice would you give to the next generation of hackers?
Take advantage of all the freely available security resources available today.