My first official LHE with YesWeHack!

© Aurore Vinot and Jossuha Théophile


Today, I'm gonna cover these past 2 weeks, which were crazy in terms of opportunities for me in bug bounty.

First, I went to the InCyber Forum (ex-FIC) in Lille, and YesWeHack was hosting a Live Hacking Event during the 2 days.

And then, I was invited to the second edition of HackMeI'mFamous, also by YesWeHack.

LHE in InCyber Forum

This is the second time that I've gone to this one. Last year, it was for the Paris Olympics and I found nothing during the two days.

This time, I wanted to be better and find cool stuff. The target was "La Caisse des Dépôts", which is a financial institution in France, used by many customers and companies.

The first day was pretty annoying for us; some bugs were found but no big issues. The problem with this target was that we didn't have credentials for most of their apps. And for the app where we had credentials, they were our own credentials for managing our retirement and critical stuff that you don't want to use for a bug bounty program.

But the second day was amazing. I managed to get credentials on one of their apps, and this one was not secure at all.

I was able to find a crit, some highs, and a few mediums for a total of 12k, which was the highest amount of bounty I was able to make in less than 24 hours. And I finished in a very nice second place.

That was a cool event, and it reminds me that even if the target is hard and you don't find anything at first, it's possible to find another entry and find a lot of juicy stuff.

Hack Me I'm Famous

This event is also hosted by YesWeHack, but it's different. Anyone can join the first one; it's on a free forum and you can join. But this one was private; only 40 hackers were invited to Paris.

And it was crazy. The target was Louis Vuitton, and we went to their HQ in Paris to hunt for two days. We've got a lot of very cool swag from YesWeHack.

Swag from YesWeHack

It's the first time that I've been invited to this kind of event, and I have to say, I want to do it every time I can.

At first, when I received the invitation, I got big impostor syndrome: why was I chosen and not other very talented hunters? But I think we all feel that, and from talking with other hackers, some of them feel just the same as me.

This event was during the same week as the most important goal of 2024 for me, my marathon, so it was hard to do both, and I had big issues finding sleep during this week, but that was for the best. I'm lucky to have all of these opportunities, to be invited, and also to work on what I want.

So I decided to focus more on the social part of the event and not only stick to finding bugs. I collaborated with Pwnii and SpawnZii (you left the report but we all know that you were in the same boat as me 👀). We found the most critical informative we have ever seen. From our perspective, we were able to PoC a good critical, but in the end, it was only from the client side. Even LV was anxious at first, but after verification, everything was fine on their side.

When you think you found a good bug - © Aurore Vinot and Jossuha Théophile

But that was fun, a lot of adrenaline, and nothing at the end. After that, I only talked with other hackers. That's nice to meet people you always talk to online.

I know that I'm not very steady with this blog, but in the next few weeks, I'm going traveling again, in 7 different European countries, so I'm sure I will be more motivated to post some news!

I really enjoyed these two events, and I'm eager to meet all of my fellow hackers at LeHack for the next Live Event ;)

Aituglo

Paris
The author of this blog, a bug bounty hunter and security researcher who shares his thoughts about the art of hacking.