Hacker House, Teaching and Gadgets

It's been a while since I posted here. I had a lot of work this week, and the past week was tiring too, but awesome.

We did our first Hacker House with some friends, and I'm gonna talk a bit about that. Also, I finished giving the course in the engineering school. So let's go.

Finding gadgets

A first topic I want to talk about is finding gadgets. I discovered that approaching a hardened target nowadays can be very hard, especially when they have run a bug bounty program for a long time.

But each time at each LHE, a lot of great hunters still find a lot of crits on them, how? After digging more into their interviews and talks, it's always the same: finding gadgets that can be useful in a chain.

The crits found in these targets are usually a good chain of little bugs or tricks. It's kind of never a simple command injection, or something simple. It can, but it's rare.

Finding CSPT, OR, or any little gadget that is harmless at first but chains with other bugs can be devastating. So, in my opinion, it's a great star and another point of view that can help a lot when looking at a new target for me.

I'm gonna write a whole article about that topic on Bugcrowd, so stay tuned if you want more details about this way to find bugs.

I already wrote an article for them, and that was awesome, the team is very kind and I love to write, so it's a great opportunity for me, and the articles will be more technical than here, so pretty perfect.

Hacker House

Last week, we made our first Hacker House with a team of French people. We were like 15 hunters, in a big house in the south of France for 4 days, hunting together, and that was amazing.

The villa was huge, the pool amazing, and this weekend was crazy. We found some good bugs together. Hunting together is always great, but doing it in the same place is way better. You can show everything, think together, and drink a little "pastaga" to help you find more bugs.

Having 15 different minds on the same problem helps a lot to find the solution. We switched from program to program, and we were able to find bugs in many of them.

We also ran with Wlayzz, and I'm happy that I gave him the idea of pushing himself and continuing. He finished running his first 10k alone, which is awesome.

It also helps me start digging into big public programs on HackerOne and Bugcrowd, so pretty nice. It was great chilling with guys you usually speak only on Discord.

I'm very looking forward to the next one, I hope we will make it outside of France and for a longer time. I also had to leave earlier, I had a race on Sunday. Doing everything is tiring, but it's a great way to live life, I think. Period of rushes and period of chill.

Next event will be LeHack at the end of the month, so see you there.

Teaching people

I always wanted to teach people, being a professor. A lot of people already tell me that it can suit me, as I can explain complex things pretty easily.

I gave it a try this week with a 30h course for Master's people here in Paris. It was about an Intro of Cybersecurity. It was hard preparing the course. I didn't know what was needed and how to make great slides, where to put some hands-on, etc ..

But in the end, it was great. They loved it. Just doing slides wasn't suitable, so I changed during the course to give them more hands-on. I teach them how the web works, how to use Burp ( sorry Caido ), how to understand requests and stuff.

And for the final mark, I did a bug CTF around Juice Shop, and they loved it. I helped them understand things, and some of them now want to dig more into the topic, so in my opinion, I succeeded.

The only issue was the price. I was paid 40 euros an hour, tax included. Compared to Bug Hunting, it's very low, and also you have to prepare the course, so it's more hours in the end. But the experience was great.

Maybe I'm looking more into giving talks with companies or schools, but not a full course, just some modules. Will see if I get new opportunities like that.

I can now come back hunting, writing articles, coding, and stuff. I found that I love my liberty so much, switching from one thing to another instead of being forced to take the subway at 7 and finishing at the end of the day, it's tiring, especially when talking all day.