Corb3nik is a bug bounty hunter with a several years of experience in the pentest and R&D field. As a CTF enthusiast, he enjoys working on web and binary exploitation challenges, and hopes to one day compete in the Pwn2Own competition.
How did you come up with your HackerOne username?
I took the name from my favorite video game series called .Hack (dot-hack)
How did you discover hacking?
I became interested in hacking when members of my guild in an MMORPG I used to play got hacked. Being very young, my main motivation at the time was to understand how they got hacked, and figure out how to hack them back! With time, that motivation faded, but it got me into learning about WiFi hacking, hacking into network devices, and finally CTFs.
What motivates you to hack and why do you hack for good through bug bounties?
My hacking motivations are split in two; hacking in CTFs and hacking in bug bounties. I've always loved hacking in CTFs for its competitive aspect and how it forces you to learn about deep technical stuff. For some odd reason, I find that spending hours trying to solve a single challenge can be quite fulfilling. As for bug bounties, my main motivation is a financial one. I'd like to buy a car and a house at some point, and bug bounties are helping me achieve that goal.
What makes a program an exciting target?
Lots of different factors, but mostly I'll work on targets that have either a large scope, or an asset with a lot of complex functionality.
What keeps you engaged in a program and what makes you disengage?
I like to work on programs that are responsive and willing to work with hunters. I love programs that actively help hunters escalate their findings.
How many programs do you focus on at once? Why?
I try to focus on one program at a time. This allows me to gain more knowledge on the target and hopefully find better bugs.
How do you prioritize which vulnerability types to go after based on the program?
I like to focus on specific scenarios instead of vulnerability types. For example, if an app allows users to upload personal documents, I'll upload a document as one user, and try everything I can to leak that document as another user, whether it involves IDORs, SQLis, XSS, LFIs, etc. I find that having specific goals like that makes it more interesting, rather than randomly testing vulnerability types.
How do you see the bug bounty space evolving over the next 5-10 years?
With the amount of writeups/tutorials/sharing in various communities, I think we'll see more and more competition from hunters in the BB space. Hopefully, we'll also see a lot more BB programs too!
Do you have a mentor or someone in the community who has inspired you?
My friend Vakzz (@wcbowling), a fellow CTF player who recently started doing BBs and has been really successful at it. Super technical and versatile, he's someone I aspire to be like hacking-wise! Shoutout to ringzer0ctf.com and to the OpenToAll CTF team for getting me to where I am today :)
What advice would you give to the next generation of hackers?
I would suggest people do CTFs before jumping into BBs! Regardless of how unrealistic they are, you can gain so much knowledge from CTFs that can be later applied to BBs.