Skip to main content
HacktivityCon 2021
HacktivityCon 2021

A conference built for the community by the community

September 18, 2021

About h@cktivitycon

h@cktivitycon is a HackerOne hosted hacker conference built by the community for the community. After a successful inaugural h@cktivitycon 2020 with over 12,000 registrants, we are back this year for an even bigger and better conference!

h@cktivitycon is a place for hackers to learn, share, and meet friends. Join Vickie Li, NahamSec, and friends for CTFs, prizes, talks, villages, and more for h@cktivitycon 2021.

Partners

Starting new this year, we are introducing villages to h@cktivitycon. Stay tuned for more information.

IoT Village
Red Team Village
Nahmsec
Offensive Security
Github Security
Hack the Box
No Starch Press
Hacktivitycon en espanol

CTF

Registration is now open! Click here to sign up

This year we will be hosting another Jeopardy style CTF with 50+ challenges hosted by John Hammond. We will be releasing more information about the CTF shortly, so stay tuned!

CTF Prizes

1st Place - $3,000 + HackerOne Swag
2nd Place - $1,500 + HackerOne Swag
3rd Place - $500 + HackerOne Swag

Contact

Do you have any questions? Please reach out to community-events@hackerone.com

Agenda

View the H@cktivitycon 2021 Agenda

View the Red Team Village Agenda

View the h@cktivtycon en espanol agenda

Phillip Wylie is the Senior Red Team Lead for a global consumer products company, Adjunct Instructor at Richland College, and The Pwn School Project founder. Phillip has over 22 years of experience with the last 8 years spent as a pentester. Phillip has a passion for mentoring and education. His passion motivated him to start teaching and founding The Pwn School Project a monthly educational meetup focusing on cybersecurity and ethical hacking. Phillip teaches Ethical Hacking and Web Application Pentesting at Richland College in Dallas, TX. Phillip is a co-host for The Uncommon Journey podcast. Phillip holds the following certifications; CISSP, NSA-IAM, OSCP, GWAPT.

Keynote: Launching an InfoSec Career

Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

Justin Gardner is a full-time bug bounty hunter based near Tokyo, Japan. His focus in the security space is on web vulnerabilities and automated reconnaissance as pertains to bug bounty hunting. Before bug bounty hunting full-time, Justin was held various roles in IT ranging from software developer to IT architect, as well as consulting as a penetration tester with SynerComm for 2 years. Outside of security, Justin loves Jesus, spending time with his wife Mariah, volleyball, learning languages, and Brazilian jiu-jitsu.

All Your (Data)base Are Belong To Us: Getting Started in Vulnerability Research with Code Execution Bugs in Office Applications

This talk outlines the experience of discovering a full-read unauthed SSRF vulnerability in a product used by thousands of companies in their DMZs. There will be 3 main sections of this talk: the discovery, the exploitation, and the results.

Starting with the discovery of this bug, we’ll discuss some methodology of looking at open-source software for security vulnerabilities and how this led to the discovery of CVE-2020-13379. Included in this section will be defining your goals for what kind of impact you wish to achieve, identifying areas of interest, and perseverance (also known as going down the rabbit hole).

From there, we’ll dive into a demo of the bug. This will include a working PoC for CVE-2020-13379, an exploitation kit that will assist in full exploitation, and a summary of some useful escalation techniques. We will also discuss what it looks like to use this bug against companies who host Grafana instances in the DMZ or in the internal network.

To bring it all around, we'll talk about the experience of reporting this bug to different vendors and mass-exploitation across bug bounty programs. This will include some lessons learned from mass-exploitation, some awesome collaboration with very skilled hackers, and some great interactions with programs.

Panel hosted by Busra Demir

Justin Gardner is a full-time bug bounty hunter based near Tokyo, Japan. His focus in the security space is on web vulnerabilities and automated reconnaissance as pertains to bug bounty hunting. Before bug bounty hunting full-time, Justin was held various roles in IT ranging from software developer to IT architect, as well as consulting as a penetration tester with SynerComm for 2 years. Outside of security, Justin loves Jesus, spending time with his wife Mariah, volleyball, learning languages, and Brazilian jiu-jitsu.

Breaking Down Offsec Certifications

This talk outlines the experience of discovering a full-read unauthed SSRF vulnerability in a product used by thousands of companies in their DMZs. There will be 3 main sections of this talk: the discovery, the exploitation, and the results.

Starting with the discovery of this bug, we’ll discuss some methodology of looking at open-source software for security vulnerabilities and how this led to the discovery of CVE-2020-13379. Included in this section will be defining your goals for what kind of impact you wish to achieve, identifying areas of interest, and perseverance (also known as going down the rabbit hole).

From there, we’ll dive into a demo of the bug. This will include a working PoC for CVE-2020-13379, an exploitation kit that will assist in full exploitation, and a summary of some useful escalation techniques. We will also discuss what it looks like to use this bug against companies who host Grafana instances in the DMZ or in the internal network.

To bring it all around, we'll talk about the experience of reporting this bug to different vendors and mass-exploitation across bug bounty programs. This will include some lessons learned from mass-exploitation, some awesome collaboration with very skilled hackers, and some great interactions with programs.

Jason is the Head of Security for a leading videogame production company. Previously he was VP of Trust and Security at Bugcrowd and currently holds the 29th all-time ranked researcher position. Before joining Bugcrowd Jason was the Director of Penetration Testing for HP Fortify and also held the #1 rank on the Bugcrowd leaderboard for two years. He is a hacker and bug hunter through and through and specializes in recon and web application analysis. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason lives in Colorado with his wife and three children.

InfoSec: A broken industry that keeps it insecure and risky

The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser-known techniques to find assets for a target. The topics discussed will look at finding a targets main seed domains, subdomains, IP space, and discuss cutting edge tools and automation for each topic. By the end of this session a bug hunter or redteamer we will be able to discover and multiply their attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.

CTF4Hire

Chloé Messdaghi is the VP of Strategy at Point3 Security. She is a security researcher advocate who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She is the founder of WeAreHackerz (formally known as WomenHackerz) & the President and cofounder of Women of Security (WoSEC), podcaster for ITSP Magazine’s The Uncommon Journey, and runs the Hacker Book Club.

Twitter: @CTF4Hire
LinkedIn: linkedin.com/in/messdaghi
Instagram: instagram.com/chloemessdaghi
Website: chloemessdaghi.com

Developing CTFs: Writing and Hosting Intentionally Insecure Software

Have you ever felt like no matter how much sleep you get, you feel exhausted? Struggle to concentrate? Having trouble balancing work and personal life? Or perhaps feel your work is your life? Then this talk is for you.

Burnout. We all go through it at one point. It feels like you are low on battery and it can cause impact emotionally and physically.

In this talk, we will cover burnout, how to overcome it, and how to prevent it from happening.

Phillip Wylie is the Senior Red Team Lead for a global consumer products company, Adjunct Instructor at Richland College, and The Pwn School Project founder. Phillip has over 22 years of experience with the last 8 years spent as a pentester. Phillip has a passion for mentoring and education. His passion motivated him to start teaching and founding The Pwn School Project a monthly educational meetup focusing on cybersecurity and ethical hacking. Phillip teaches Ethical Hacking and Web Application Pentesting at Richland College in Dallas, TX. Phillip is a co-host for The Uncommon Journey podcast. Phillip holds the following certifications; CISSP, NSA-IAM, OSCP, GWAPT.

Introducing Networking and Security through TikTok

Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

STÖK is a hacker, content creator, and creative with 25 years as a professional in Information Technology. STÖK is not only dedicated to bring excellent content and share new techniques to the red-team and bounty community but also strives to inspire the next generation of hackers to enter the infosec space.

Introducing TruffleHog the Chrome Extension

I get asked “how to get started in bug bounties” every day, and it’s been like that since the first day I began my own bounty journey about 2 years ago. To be honest, I don’t have a simple answer anymore. In 2020 there are so many different paths to choose, and it can be really overwhelming for someone that wants to break into the hacking space. Should I focus on VPDs? Should I do ctf's? should I spend my time doing recon, should I automate stuff? Or should I go app deep? There is no right or wrong way to do it. But the most important thing is to simply take action, and simply just start hacking.

In this presentation, I will share my journey and my experience from being in the bug bounty space for the last 2 years. I will share the tools, both physical/mental, and the resources i use to gain information. How I collaborate and create new friendships. How I on multiple occasions couldn’t sleep because of bounty fever. How I dealt with dupes and program frustration. How I created content that has inspired thousands and finally how I overcame burnout, all while not knowing how to write a single line of python.

Heath Adams (aka The Cyber Mentor) is the CEO and founder of TCM Security. Outside of TCM Security, he is an online cybersecurity instructor on platforms such as Udemy, YouTube, and Twitch, teaching his students penetration testing methods and tactics. Heath is also a military veteran, having served in the US Army Reserves, and helped co-found VetSec, a 501c3 dedicated to military members in cybersecurity. When Heath is not at work, he enjoys spending time with his wife, Amber, and their five animal “children.” He is an avid runner, musician, trivia nerd, and sports fan.

Haptyc: A Library for Building Microfuzzers in Turbo Intruder

This talk covers a few of my favorite stories from the past year and will demonstrate different ways that I managed to “own” an organization during a pentest engagement. Stories include:

No MFA? Thanks! - This story discusses how I obtained domain admin access as an external attacker, teaching some key lessons along the way.

IPv6 FTW! - This story discusses how IPv6 can be abused in internal networks and easily allow for complete domain compromise.

You Spent How Much on Security? - This story discusses how I obtained domain controller access on an organization that was doing *almost* everything right and spending a lot of money to do so.

Digging Deep - This story discusses how I managed to take down an internal network when no apparent exploit existed.

Network / security architect that has a passion for car hacking, found vulnerabilities in his own car and also private Car bug bounties. Now runs Car Hacking Village UK and is part of the team behind CHV at defcon

LinkedIn: linkedin.com/in/mintynet
Twitter: twitter.com/mintynet
Website: mintynet.com

Hacking on Bug Bounties for Five Years

Details of the car hack on my own vehicle in 2017 and then how I first created an ‘IVI in a box’ and then PD0 ‘CAR in a box’. Some hints and tips on how not to break your own car!