HackerOne held its first-ever Hacker-powered Security Conference — H@cktivitycon 2020 — as a digital, virtual-only online event on Friday, July 31st, and Saturday, August 1st. The face-to-face event in Vegas was cancelled amid pandemic concerns but that didn’t stop us from making the best of it. H@cktivitycon is a conference created for the community, by the community, intended to empower participants to do amazing things and share knowledge on a wide variety of cybersecurity topics.
The12,000 registrants heard from 20 speakers from all over the world sharing their tips, tricks and resources with the community. An impressive lineup of hackers and industry experts covered topics such as pentesting, recon, IoT hacking, and more. Attendees tuned in globally on the HackerOneTV Twitch stream and chatted away on the Hacker101 Discord. If you were not able to join, we’ve got your back with the top news and sessions you won’t want to miss out on. Check out the links below to access all the talks for free!
Alongside H@cktivitycon, HackerOne hosted a multi-level CTF with over 95 levels including binary exploitation, cryptography, forensics, IoT, mobile, OSINT, scripting, steganography, web and a scavenger hunt! In just 48 hours, the event attracted 10,000+ unique CTF players and 3,500+ CTF teams registered. We closed out the CTF awarding the top three teams over $5,000 in cash prizes. Without further ado, here are the winners:
- 1st Place: Redpwn
- 2nd Place: Corruptedpwnis
- 3rd Place: OpenToAll
On Friday, July 31st, we kicked off H@cktivitycon with a Women in Security career panel in partnership with Detectify. Experienced female hackers walked the audience through their journey in hacking and their careers. The panel featured Aspen Lindblom (@urazeebo), Katie Paxton-Fear (@insiderphd), Chrissy Morgan (@5w0rdfish) and Alyssa Herrera (@alyssa_herrera), and was moderated by Carolin Solskär, Community Manager at Detectify.
These women leaders inspired and invigorated the audience by engaging in lively discussions about the next generation of hackers, especially women trying to get into cyber security and tech.
Later that day, we had a lot more up our sleeve with highlights from Jason Haddix (@0x0G) and his sought-after workshop: The Bug Hunter's Methodology v4: Recon Edition. If you aren’t familiar with the But Hunter's Methodology, it is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. In this session, Jason explored both common and lesser-known techniques of finding a target's main seed domains, subdomains, IP space, as well as cutting edge tools and automation.
On Saturday, H@cktivitycon opened with a keynote from Georgia Weidman — a serial entrepreneur, penetration tester, security researcher, speaker, trainer, mentor, and a budding author. Her work in smartphone exploitation received a DARPA Cyber Fast Track grant and has been featured internationally in print and on television. Georgia is the author of the popular book “Penetration Testing: A Hands-On Introduction to Hacking”. She's captivated audiences around the world at many events including Blackhat / DEFCON, RSA, NSA, and West Point.
Georgia’s story ignites hope for others that anything is possible when you persevere and boldly reach for your dream of hacking for good. She embarked on an epic journey of defying the odds with her resilient and tenacious attitude, transforming herself from a 14-year-old high school dropout to an industry expert, interviewed alongside Tim Cook on the national news. Today, Georgia has many coveted titles attached to her name, but she is as humble as ever, sharing how she walked into a glass door on her first day at a startup accelerator, and learned about startups from the Facebook movie. She also won a government research grant, but had to first learn what an invoice is in order to get the money. At a local hacker meeting, everyone thought Georgia was another member’s girlfriend until she gave her first talk at Shmoocon and filled the room by offering free beer at 9 a.m. from a little red wagon.
In addition to Georgia’s talk, we heard from Phillip Wylie (@r0ckm4n) on getting started in pentesting. Chloe Messdaghi (@Anonymous) walked us through how to manage and deal with burnout. Justin Gardner (@rhynorator) shared his insights on graphing out internal networks with CVE-2020-13379 (Unauthed Grafana SSRF) - the first time this talk has ever been done before! Fredrik Alexandersson (@Stok) talked about his experience in the industry starting from scratch -- without knowing a single line of Python! Ian Tabor (@mintynet) gave some tips and tricks on how not to break your car. CTF winners, Robert and Phillip taught the audience about WAF bypass, and the infamous Heath Adams (@m4v3r1ck- or The Cyber Mentor) shared his favorite pentesting stories from the past year.
We also learned how to leverage recon from Jasmin Landry (@jr0ch17) and how a low-code server endangered over 64,000,000 users from Ben Heald (@healdb). Speakers Seyed Ali Mirheidari and Sajjad “JJ” Arshad talked about web cached deception and Boik Su led us through discovering vulnerabilities through CodeCL. Inti De Ceukelaire (@intidc) gave us a peek of his live hacking event show and tell presentations with his talk, “You’ve got Pwnd: Exploiting Email Systems.” From one the most upvoted reports on HackerOne hacktivity by William Bowling (@vakzz), he walked us through the journey of finding and exploiting a bug in GitLab. There was so much great content and all of the talks can be found on the HackerOne YouTube channel under the h@cktiivtycon playlist!
Throughout the event, we had our partners at IoT Village conducting free virtual hands-on labs to help hackers get started with IoT hacking! Attendees also had access to the Career Corner where they could seek career advice and have their resumes reviewed by industry professionals. IoT Village is organized by security consulting and research firm, Independent Security Evaluators (ISE), and the non-profit organization, Village Idiot Labs (VIL). Follow both ISE (@ISEsecurity) and IoT Village (@IoTvillage) on Twitter!
The HackerOne team surprised the audience by throwing a challenge hosted on Twitter. The first five hackers who solved it were awarded with a HackerOne hoodie.
Later that day, we sprung a second challenge on the audience - but this was a little more difficult. We added multiple steps to solve it, starting with an announcement on Twitter hinting to pay attention to the Twitch stream chat, and then taking them to the Hacker101 discord for the final part, where a crypto challenge was waiting for them.
We got a lot of hackers participating, and our DMs were exploding with people trying to provide the correct answer. To validate their answer, we asked for a short write-up and awarded 10 more HackerOne hoodies. Congratulations to @Y_sodha, @pirateducky, @_leFevre_, @Cr0wn_Gh0ul, @aroughneckbko, @lbherrera_, @lumi_nougat, @itsUnreleased, @sipos_david, @zonduu1, @thezoomerhacker, @reefbr, @NINO0531, @Eauxfolles and @netzero10 for being the first ones to solve these challenges, and thanks to everyone who participated on these!
To break up the day, @billylane took the virtual stage playing live from Sacramento.
This year’s H@cktivitycon was a premier educational and thought leadership event for anyone interested in cyber security and we thank all who participated. If you weren't able to join and want to learn more about the speakers and the sessions, check out the h@cktivitycon page!