This week we did a hacker house like last year, same crew. And it was just as cool as ever.
It also gave me back the itch to hunt way more than before, and to actually get back into it.
HackerHouse
Every year, with a crew of hacker friends, we rent a villa and spend a few days there hunting and chilling. It's one of the best moments of the year, because these are guys I basically only talk to on Discord and see two or three times a year max.
So getting back together is always the best. We took a nice villa in the south with a pool, so we could enjoy it despite the heat.

There's never really a goal each time, other than getting together and hunting a bit side by side. We pick a program and we grind it.
But this year was a little different. It's the first time we all met up after Claude and friends showed up in our lives, so it was interesting to see everyone's setup and the new way of working.
Hunting setup
Last year we each had our own methodology: we're all mostly manual hunters, so each of us had a recon tool that was more or less efficient, and then we'd go look at the most interesting subdomains.
Now we all basically just point Claude at the scope. Each in his own way, with or without skills, with zero or twenty subagents.
Claude does the recon itself, installs the tools, finds the interesting subdomains and starts digging for leads on them.
There's an upside to that: you can fire up several Claudes and go chat by the pool while it works. But sadly it's not as efficient as you'd think.
And this trip gave me the real picture of what's worth doing and what isn't. Because if you just run Claude in a loop, guide it a little, and spin up a bunch of agents, it will find bugs.
But everyone finds them too. It was funny to see the time gap between our Claudes, who'd find the bugs first and who wouldn't. But in the end almost all our sessions surfaced the same bugs and the same leads.
And everything we reported came back as a duplicate.
What worked best was using an external recon tool, to have more material to dig into and to not end up with the same things as everyone else, then pointing Claude at it to surface the interesting leads, and digging those leads yourself.
Left fully autonomous, even when it finds bugs, it's often a duplicate (when the bug it finds is even valid).
It's funny because before, the low-hanging fruit was usually lows. Now it can be criticals too; it all depends on how fast the programs process and fix.
So you have to be even more creative than before, and use it wisely to get the best leads to dig yourself.
Dup land
The result of this trip on the hunting side was pretty bad: a scope moved out of scope before we could even report our bugs, and a fair amount of duplicates.
But honestly, I couldn't care less, because the most important thing was being together, chatting, having a few drinks. And that, in the end, I find way better than a bug (even if we wouldn't have said no to a few criticals to pay for the villa).
Either way, it gave me back the taste for hunting, at least for a few weeks, so that's nice.
And it got me thinking about improving my hunting setup, which I'll talk about in the next article.
This week is LeHack, so if you're passing by come say hi. There'll be the YesWeHack live bug bounty event, another cool one, can't wait to see how it goes this year!