LeHack, LHE, and recon
This weekend was huge with LeHack, and here is the full story of the event.
Le Hack
This is a French event (with some English talks) that has existed for a long time. It has started to become more mainstream, and the talks are not the best, but I wasn't there for the talks.
I come here every year for two reasons: first, to hang out with all my friends there, and second, for the LHE organized by Yes We Hack. Today, we'll focus on the LHE.
LHE
This LHE is very different from the others on HackerOne or Bugcrowd. First, for those who don't know, LHE means Live Hacking Event. HackerOne is one of the biggest companies running them, and the schedule is usually about 2 weeks at home looking for bugs, then a few days or a week on site to finish the event and for the social part.
The LHE made by Yes We Hack is different, as this is only one or two days, and you don't know the target beforehand. So it can be quite hard looking at the target for the first time and having not a lot of time on it. But it's still good as it's open for everyone.
Last year, I finished 6th after reporting just a few bugs because I didn't like the target, so I hoped that this year, that would be better.
The event started on Saturday at 10 AM and finished on Sunday at 1 AM, so just a couple of hours to discover the target and find juicy bugs. I heard that the company didn't want to be named; it was a big French company with a pretty huge scope.
The bounty table was great, 5k for the crit on critical assets, 3k on other assets.
At 10 AM, we got to see the target. The scope was huge: we got 2 wildcards and a bunch of other assets. But most of them were authenticated, and it's hard to get an account, as self-registration isn't available for most of them. So I was kind of disappointed, and I wanted to just hunt for a few hours, then switch to another target and forget the LHE.
We started doing some recon, trying to find a good website to hunt on. Then my friend @cosad3s asked me if I could help him test a vulnerability on a website. It worked, so we had the first critical of the day just 2 hours after the event started.
We continued together on the target, and we found a bunch of other critical vulnerabilities. That was mostly IDORs and Improper Access Control that leaked very sensitive data. It was also possible to modify the data.
So, we started reporting all of them. We were not alone on the scope, but we didn't get any duplicates, which was great. This particular scope wasn't authenticated, or to be more precise, it was possible to self-create an account. To be honest, at this kind of event, having access to an account can be a huge bonus, and as most of the target was authenticated, having an account could have been very nice, but I think most people don't use this service, so we were all equal.
As each vulnerability was critical, we ended up with a very nice bounty.

We managed to finish together in the first and second place, with a total of 20k together, 10k each, which is amazing for a less than 24h event.
As I told myself, if I was able to make 10k this month, I would buy a Switch 2 to play Mario Kart, so here it is.

I'm also still on track for my yearly goal of making 100k. I'm currently at 60k after 2 quarters, which means I'm a bit ahead. Considering how much vacation I took, that's already huge. But I still need to keep working to achieve it, and not only play MK.
Looking at the end of the year, I also plan to travel a bit: to Sweden, Berlin, and another big trip in Asia. I'm living my best life right now. What a job, to be able to do all of that.
Recon
During the event, all of my friends showed me their pretty dashboards made by vibe coding, and that was awesome. I also want to get mine, but I will probably team up with wlayzz and improve the one he made, which is already very good.
It's fascinating how now it's so easy to develop anything in seconds using Cursor and AI. Of course, it's not perfect, but the base is amazing, and you can work on that.
I'm working on Hackyx as well, to give you a proper new version soon. I'm still parsing all the content, so it's taking a while.
A lot of great stuff is happening, and it's the beginning. This summer will be pretty good.
It's also the 50th Aituweek I'm making. I'm pretty happy to be consistent at doing it. I know that a lot of people like them; some want longer posts, and for others it's perfect as is, so I will just continue making them the way I want, with all the mistakes I can make in them. With that, I'm building a nice journal to come back to later and see where I came from.