June 5, 2025

Episode 125: How to Win Live Hacking Events


Episode 125: In this episode of Critical Thinking - Bug Bounty Podcast, Justin shares insights on how to succeed at live hacking events. We cover pre-event preparations, challenges of collaboration, on-site strategies, and the importance of maintaining a healthy mindset throughout the entire process.

Follow us on Twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater and Rez0 on Twitter:

https://x.com/Rhynorater

https://x.com/rez0__

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord !

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch !

====== This Week in Bug Bounty ======

Decathlon Public Bug Bounty Program on YesWeHack

====== Resources ======

The Ultimate Double-Clickjacking PoC

Grafana Full read SSRF and Account Takeover: CVE-2025-4123

Grafana CVE-2025-4123 Exploit

What I learned from my first 100 HackerOne Reports

Root for your friends

====== Timestamps ======

(00:00:00) Introduction

(00:02:30) The Ultimate Double-Clickjacking PoC, Grafana CVE, & Evan Connelly's first 100 bugs

(00:10:23) How to win at Live Hacking Events

(00:11:53) Pre-event

(00:11:45) Scope Call

(00:33:11) Dupe window Ends

(00:36:00) Onsite & Day of Event

(00:42:46) Don't define your identity on the outcome

Title: Transcript - Thu, 05 Jun 2025 17:26:18 GMT
Date: Thu, 05 Jun 2025 17:26:18 GMT, Duration: [00:47:05.24]
[00:00:01.19] - Justin Gardner
Stay in your lane and start, like, hack hard. Okay. Don't listen to all of the chatter about, oh, you know, Justin's got 50 bugs on this app. No, ignore that. Pick your portion of the scope, lock in and find a shit ton of bugs. Best part of hacking when you can just, you know, critical thing, right? Yeah. Sup, hackers? Super lightweight This Week in Bug Bounty segment for this week, we just have a new program announcement on YesWeHack. And that is going to be Decathlon. And so if any of you guys are, you know, outdoorsy type, you're probably familiar with this brand. They just went public on YesWeHack. And of course, YesWeHack doesn't do VDPs. So, so this is of course a bug bounty program. And you know, like, we always talk about maybe a good idea to hack brands you're familiar with or that you've used. So if you're, if you're using any of their, their equipment, then could be cool to check out. They've got WWW in scope for all of their TLDs across all the different languages. So check them out if you're interested in popping that, that brand. All right, let's go back to the show. Alrighty, sup hackers. This week, Rez0 and I are both going on vacation, so we're doing a little bit of a separate prerecord. And I've got an episode for you guys on how to succeed at live hacking events. That's been one of my things that I focused on in my career as a bug bounty hunter is how do you perform consistently at these live hacking events? Because the opportunities are amazing and I want to continue going to them. So recently I was working with one of my mentees, Gret Me, the guy that runs the hacker notes for Critical Thinking, and I sat down with him during one of our sessions as he was going into his first live hacking event and gave him some advice on how to succeed at the live hacking event. And my boy crushed it, guys. My boy crushed it. And I selfishly, of course, I'm going to take credit for that.
No, Brandon worked really hard and did a great job, but I did want to take some of the advice that I gave him and consolidate it into an episode for you guys so that if any of you guys have the opportunity to go to a live hacking event, you know how to crush it. And also I think a lot of these principles are really applicable to just how to hack in general with intensity. So we'll kind of go through those. But first, let's go ahead and jump into some of the just research news that's kind of hit the scene over the past couple days. I'm going to go ahead and share my screen. The first one that's up is yet another post from Jorian. This guy has been crushing it with research lately and this one sort of piggybacks off of Paulos's research on double-clickjacking and I think makes it makes it quite good. The title of this one is The Ultimate Double-Clickjacking PoC. For those of you on YouTube, I'm sharing my screen and it's just a combination of a lot of different factors and stuff we've talked about on the podcast, so I wanted to go ahead and show it. I'm going to actually play the PoC video here while I'm talking about it so that you guys can see on YouTube. Really really well done. Essentially this technique sort of combines the research of double-clickjacking along with window.moveTo to hijack the click and a pop-under that we've talked about from a couple weeks back from Renoir using the Sign in with Google functionality that's sort of embedded into Chrome to cause a pop-up to get pushed behind a window and then he simulates it with a flappy birds game where where you know your click click click click to make the bird jump and then when you need to make him jump high of course you double click and that's when your GitLab account gets pwned. So really, really awesome PoC here by Jorian. If you guys want to if you have guys ever had the opportunity to build out something like this then this could be a great place to start taking a look at that.
The explanation here is very thorough. You can see exactly how everything works with the moveTo, that's why he uses the pop-under is to get everything in place and ready for when you need to hijack the click and just really really good work. And also shout out to Renoir for the pop-under. Yeah and he also builds out the fake Cloudflare CAPTCHA. It was pretty clean. Definitely a good read if you're into client-side stuff. Okay so next up is the Grafana CVEs that hit recently and I am a little bit of a Grafana hacker myself. So whenever something Grafana comes up I kind of like to go back and look at it. I think Grafana is a really cool code base where you know it's written in Go, it's pretty readable. You can go in and you can go and you can go and audit the code and kind of attack it. And Grafana is pretty much everywhere. Like there are hundreds of instances of Grafana, if not more out there in scope of bug bounty programs. So it's a really good target for if you're trying to find zero days in a software and then spray it across a bunch of bug bounty programs, it's a really good target. So this guy Alvaro goes ahead and documents some of the vulnerabilities he found and we see that it starts with an open redirect. He kind of goes through exactly how he did that by getting a specific file embedded and then he hits it. Eventually he hits it with a. Where's that, where's that piece? Right here. So here's the open redirect right here. It's via a slash and then backslash based traversal, right? Which is something that we see quite often. So this turns into. Right here. This turns into an absolute URL when normalized by the browser. So slash backslash at the beginning will turn into. Which is an absolute URL now, not a relative. This sort of relative URL and absolute URL confusion happens really often. And this is one of the more common variations I see. So great work to finding the open redirect.
And then he changed that into full read SSRF by hitting the render endpoint on Grafana. And he's able to do lots of other stuff with it as well, some client-side path traversal. So it's just a good summary of how exactly to chain an open redirect inside of these environments. And he gets $3,700 for it. He does say however, that this one isn't really great for spraying to multiple bug bounty programs since the exploitation paths require authentication. But to be honest, I would send it out just in case. If you can build a PoC and you're very confident that your PoC will work, if somebody authenticated clicks on it, then yeah, why not? But there could be some nuance to the situation here. Anyway, it's a good read. Maybe check out Grafana if you're interested in doing some zero day research on an open source project that also has big bug bounty implications. Oh, also, yeah, he dropped the exploit as well. We'll link it in the description. But he dropped the exploit for that on GitHub as well on his. On his GitHub, CVE-2025-4123. So you can check that out there. All right, last, last piece on the news is Evan Connelly's write-up on his first 100 bugs that he found on HackerOne. And I just love these sort of data like reports, right? Like these where people take all of their reports, they conglomerate all the data together, they sort it by type, they talk about their strengths and weaknesses as a hacker. I just think this is a really profitable read for anybody who's into bug bounty. It doesn't even necessarily have to be the beginners though certainly this is very impactful for beginners. So if you guys have any friends that are getting into bug bounty or something like that might be a good one to forward over to them. Let's see if I can find the quote that I really wanted to talk about here. Yeah, he says that moment made everything click for me.
Not just the adrenaline of finding a critical, but the realization that you can uncover impactful issues even outside of the typical web proxy tool flow. And this single report gave me the confidence to treat other programs as viable targets. And I think for a lot of hackers, especially if you guys are mentoring newer hackers, it's really impactful to try to show them and make them believe tangibly that bugs exist. That's why I like to do, you know, with my friends that I'm teaching how to hack, I like to do these, these hack-alongs where we have, I have a vuln uncovered already like a low or something like that on one of these programs and then I guide them to finding it during the hacking session and, and sometimes I don't have time to prep that in advance, but I've done it once or twice where I have and it's just great to see it click in their brain. Like, oh yeah, wow, I just found a security vulnerability. I can hack this. So cool ideas there to implement with your friends if you're interested. And it costs a couple hundred bucks, right? You know you're going to lose the low or whatever, but it adds a lot more value to your friends. So it's worth it for me. I, I love these graphs here talking about the severity distribution, the type distribution and of course I love the shout out that he gives us at the end saying check out the Critical Thinking podcast and Discord community. Dude, Evan, I appreciate you man. Thank you so much for being an active part of our community. And I also do echo what he says here about Reddit bug bounty, r/bugbounty Reddit. There's a lot of jaded people out there and I can't blame them in some capacity because it is very much a punch in the gut when you try to submit something to bug bounty and a triager says F off or whatever and you just can't get a bug or you get dupe right on a perfectly valid bug. Super annoying. And I could see people get jaded and not have the gumption, the stick-to-it-ness to keep pushing, pushing, pushing.
But that's what we try to talk about here on the pod, right? We try to show you that consistent and high quality success like Evan's here in the bug bounty world is totally possible if you just keep pushing, pushing, pushing and understand the rules of the game and keep giving it your full effort. So anyway, great write-up by Evan. Definitely check it out and pass it on to some newer hackers as well. Love this section. Advice for newer hackers as well. Okay, so that's the news. Let's go ahead and move over to the main topic of today's episode, which is how to win at live hacking events. Now I'll just spend a moment giving some of my credentials for this. I have won four live hacking events, two HackerOne events, two Google events, and freaking Frans Rosén keeps one-upping me. So I think there are a couple people I don't hold the top spot for most live hacking events won, but I've done this a couple times and I participated in probably 30 plus live hacking events. And so I do have a little bit of a system here for how to, how to win at these, how to perform well at least. And also let me say I have like eight second place trophies like, which is super annoying to me. But you know, my goal is consistently to try to rank in the top five. If I'm in the top 10, I'm not going to be sad, but if I'm below the top 10 I'm like, I hacked something up, I got to figure out what I did wrong. So let me take some of the pieces of the methodology that I've developed over the years and give it to you guys. Okay, so I'm going to break this out into several sections. First is going to be pre-event. Then we're going to move into scope call or post scope call. We're going to move to the dupe window end, which signals a big change in how you should approach the targets, the on site and the day of the event. So let's go ahead and go through each one of these. So first pre-event you get your invite typically through the HackerOne panel or an email or something like that.
And you've got a timeline now and you don't typically know the target at this point. But you know, maybe sometimes you hear through the grapevine what the target's going to be. A lot of people will go and start trying to hack on that target and become familiar with that target and come with bugs in their pocket to the live hack event. I personally don't do this because I think it's a high risk thing to do. I prefer to focus on, you know, the ways to optimize my earnings. And I don't think that spending time on this target, you know, before I know what's in scope or what's not in scope is probably the best way to optimize my earnings. So I don't do that. But be aware that some people may do that and that, you know, people may have a critical on an in scope asset in their pocket on days, day one, you know, as soon as the scope call is over. So, you know, weigh your options there. If you really, really want to perform at this event and it's like your life goal and you're not really optimizing for money, you're optimizing for this, then you may want to start, you know, try to put some feelers out, see if anybody knows the target and then start pre hacking if they have a bug bounty program where stuff is in scope. Okay, here's where stuff gets a little bit controversial. Okay, I am going to recommend or my, I'm not even going to recommend it. I'm going to tell you guys that my approach is not to collab before the dupe window ends, okay? And the reason for that is because I think that I find a lot of bugs before the dupe window ends. And if I am splitting those with other hackers, then it doesn't normally work out in my, in my favor from a financial perspective. And I've tried this many, many different ways, many many different times. It just doesn't typically work out in my, in my favor. So what I typically do is I lock in for the between when the event starts and when the dupe window ends, I should back up. What is the dupe window? 
The dupe window is a period of time after the live hacking event starts where if people dupe on each other, the reward gets split across all the hackers. Okay? And if you are collaborating with other hackers, right then you're, you get us in, that report is duped, then you get a split of a split and these things get really, really small, really, really fast, which is very demoralizing. So I personally don't collab before the dupe window ends. There are people that very successfully do this. And they are. They are very invested. All of the people on the team are very invested in spending the same amount of time hacking. Right. Working very hard. And my advice to people that would be willing to do full split collabs with other hackers from the very beginning is collab with a hacker you feel inferior to or a hacker that has a very different skill set than you. That way you're not going to feel like there's some sort of overlap there. Or if somebody is not as invested as you, you're not going to feel like, oh, I put 40 hours into this while they put 20. I'm getting gypped out of the situation. Okay. And at the end of the day, if you do commit to a collab, commit to the collab and don't. Don't take a ledger, you know, but you should use it to inform future decisions, but don't hold it against the other collaborators. Does that make sense? Hopefully so. All right. So I personally don't collab before the dupe window. Two, lock in. Okay. I always say this to people. If this. If you're doing a live hacking event, you should take it very seriously. When I had a job, a W2 job, I would take time off of work, unpaid because I'm going to make more money at this than I am at my work anyway, and get really serious about it. What does it mean to get serious about it? Well, what I often do is preload time with my wife, with my kids, with my chores. Right. I try to, you know, take my wife out on a couple dates, make sure her. Her love meter is at 10 out of 10. Right.
Going into this, because I'm going to be really focused on work for the next couple weeks. Same thing with the kids. Make sure you do something fun with them. Make sure that they know that you care about them so that when you're locked in here, they're not running on zero in their tank. And then try to knock out any chores or logistic things that might get in the way. If you've got. If the lawn needs to be cut, cut it. If you need to do your taxes, get them knocked out before the live hacking event so that you can stay locked in and not be distracted by other things during that time. Okay? And here's another one that is really important, guys. One of the very impactful things about the live hacking event is how competitive it is. Right. I would strongly recommend to you not to look at the leaderboard. Do not look at the stats near the bounty brief. Do not pay attention to the hackers in the slack that are like, excuse me, could I get a triage on number one, two, three or whatever? Because it's a critical and I really want you to get it done quick because users are at risk. They're just flexing, dude, they're flexing, okay? And that's going to do nothing but make you feel bad about your findings if you haven't had a critical, okay? So don't do that. Stay in your lane and start like, hack hard, okay? Don't listen to all of the chatter about, oh, you know, Justin's got 50 bugs on this app. No, ignore that. Pick your portion of the scope, lock in and find a shit ton of bugs, okay? Also, inversely, don't flex on other hackers, okay? If you do find a crit, don't be that guy that like puts it in the channel and is like, hey guys, I got a crit on this one. Could you get a fast. No, no, just be sportsmanlike. Lock in, hack stuff. Present yourself with humility. Okay? Okay. So that's sort of pre event stuff. I guess the ignoring the other hackers is kind of after the event starts. But I'll move that to my next section. Let's talk about the scope call. Okay? 
The scope call is the kickoff call that occurs when you are starting the live hacking event. There will typically be a period of time where they'll do a presentation, they'll talk about the bonuses, they'll talk about the increased rewards, they'll talk about the scope for the event, what targets you can hack on. They'll give you access to accounts, that sort of thing. Yeah. What I would recommend to you here is focus on two things for the scope call, what does the team want me to hack on? What is going to make them go, oh, shit, if I pop that right, that's what you should probably be hacking on. However, you need to balance that a little bit with anticipated interest from other hackers because it does suck when you get a bunch of dupes. So what I typically go for is something that is tier zero, right? So something that is extremely valuable to the program, but probably like tier 1 or tier 2 on interest with other hackers. Right. Other hackers are maybe a little intimidated by it or maybe don't think it's as feature rich as it could be. Something like that, Right. I don't typically go for tier zero interest zero because that's going to get a lot of. A lot of other interest from other hackers, all right? Then the next thing that I'd recommend is something that I call pick your portion. Okay? So look at the scope that they presented to you and you got it. You got to pick, you know, what piece of that app you want to cover or what piece of this, this company you want to cover. Because typically the scope is going to be pretty wide and you're not going to be able to cover all of it with enough depth. That's just the way these things work. Okay. So what I typically do is I pick one app and I say, all right, I'm going to go ham on this app for the next couple days and as soon as the scope call is over, make a snap decision on what that is and try to go try all of the impactful semi obvious scenarios over the past or over the next couple hours. 
The one that pops in my mind is freaking host header based password reset link injection where you change the host header, that host header gets put into a password reset link that was generated and it goes into someone's email and now you've got account takeover zero click, or technically maybe one click ATO. Try all that stuff for the first couple hours because you want to try to pop those as early as possible. Yeah. And then after those couple hours, you should just from the feel of the app, when you're in there trying all those other things, you should have an idea on whether your snap decision was a valid decision or not. On, on, like, is there enough scope here for me to focus on it for like four to five days at least? You know, maybe 10 hours a day? Or do I need to switch to something else? You have one opportunity here to switch to another piece of scope. Okay. Once you switch, you must stick to that scope. Do not get distracted by the shiny objects, okay? Stay locked in on that piece of scope until you are the world expert on that piece of scope. I typically recommend three times as long as you would normally spend on an app to spend on these apps that you're in the live hacking. It's here because you need to go deep. You need to go deep, deep, deep on these apps. Okay? So that's kind of what I would recommend. Let me see what I had something else under this section. Yeah. Like I said, try to pick something that other hackers might be intimidated by and then prioritize what attack vectors you implement based off of the attack vector value that I've talked about in my high ROI bug hunters talk. If you haven't seen that, it's available to the Critical Thinkers in the Critical Thinking Discord. And I think there might be a recording floating around there on YouTube. No, that was Bug Bounty Village, not the main. Main stage. So it was not recorded. So the only recording is in the Critical Thinkers tier. I'll just give you a summary of it real quick.
The attack vector value is. Well, hold on, let me just pause it really quick and grab the presentation. Okay. Here's the one slide that I'm going to share from this, which is the attack vector value. This is what I typically use to try to decide what I am going after. This is the impact. And this attack vector value is defined by the following function. It's impact times viability divided by friction. Okay. And this is imperfect. This is just how I think about it currently. So impact would be what is like the. The. The impact of a successful exploitation. Right? Like, do I get account takeover? Do I get, like, can I leak the, you know, query parameters? I don't know. There's a large variety of impact that could happen. And then what is the viability? What is the chance that this will actually work or not? Right. If. If something about the application informs us that, wow, they're super vulnerable to IDOR. And I can see a request that looks like it's vulnerable to IDOR, but it's super buried in the application or something like that, the viability is pretty high that that will actually work. Right. Because we know that they're vulnerable to IDOR pretty regularly. We just got to get deep into the app to get it. And speaking of getting deep into the app, that's what friction is. Right? So friction is the amount of effort to attempt a given attack vector. So impact times viability divided by friction. Okay. And that's kind of how I think about these attack vectors. And don't. Don't get me wrong, I'm not like, quantifying each attack vector idea that I come up with. I'm kind of doing this via vibe mostly in my brain, but it would be really cool to figure out a way to quantify all these. So maybe something for you guys to think on. All right, let me get back to my other stuff. Yeah. So prioritize off of those three variables. Impact, viability, and friction. Okay, now here's where stuff gets a little bit counterintuitive. Okay.
During the live hacking event, you may be inclined, especially if you're super locked in, to not eat, not drink, not exercise, not get any sunshine, not get any sleep. Right. I'm looking at you, Roni Carta, Mr. Lupin over there, Mr. All-Nighter. I would really not recommend this. Your brain will not be functioning at top capacity. And you can say, oh, I'm one of those people where. No, you're not. Like, that's just not how human biology works. It doesn't. So really try to get good quality food, try to get water, get in some. Some exercise and sunshine. You're going to. Your brain will be functioning better and get however much sleep you need. Okay. You know, there is variance in how much sleep people need, but you do need some sleep, I guarantee that. So don't neglect those things. I am not a perfect example of this. I do not feed myself during live hacking events. My wife very graciously will bring me food while I'm hacking because I just, for some reason, for the life of me, cannot remember to eat or drink while I'm hacking. Um, but we have a system for that, right? My wife and I partner on that and. And she helps with that. As far as exercise and sunshine goes, I go for walks and that's something I'll kind of cover in a little bit. But you need to take time away. Well, we can just cover it now. You need to take time away from the screen and away from stimulation to let your brain sort of iterate. I often will go into the hot tub or go for a walk for those two things to let my brain start. Try to come up with different attack vectors or different ways of approaching a problem. I have popped multiple crits while sitting in the hot tub or on a walk. So it's very, very important, especially ones that I spent like eight hours staring at my screen for. I was so frustrated about this one time. I knew that this one vulnerability was exploitable, and I just stared at my screen for eight hours and I was like, really, honestly, barely doing any typing or reading.
I was just mostly thinking, but I couldn't figure it out. And then I go in the hot tub and I solve it in like 30 minutes. So really try different environments. Try to get some exercise, try to get some sunshine. Okay. Yeah. And then I also say, don't forget to relax a little bit during these events. If you're taking my advice, you're probably going really hard, but you need to have some scheduled calculated rest as well. Okay. I do this typically on Sunday. I try to follow the Christian biblical principles of Sabbath during the live hacking events. There is some nuance to that, but I do try to spend a bit of time on those Sundays relaxing and, you know, de-tensionizing myself. Okay, now I'm going to give you a little bit of conflicting advice with that. If there is something that pulls you away from hacking, have your brain running on that hacking stuff while you're away. If you're in the shower, if you're on the toilet, if you're running an errand, you know, be thinking about the app, think about attack vector ideation. Have NotebookLM or whatever read you the docs, right? If you're out somewhere, if you're waiting, like at a doctor's appointment or in line at the grocery store, scroll through the docs, read the docs. You know, you need to really eat and breathe and sleep on this application for the next week or so. And then while you're doing this, record attack vector ideas, record gadgets. I do it on one of these big. I've got a bunch of them right here, but they've got text on them, so I'm not going to hold them up. But these big legal pads, these yellow legal pads, that just helps me think, even though my handwriting is atrocious. So have something with you where you can write that down. Okay, here's another thing you need to realize, if you want to win this live hacking event, you need to find at least one critical.
So one of the mistakes I've made in the past that I noted down for myself was I wanted volume and coverage, but I didn't go after high, high attack vector targets enough. Okay, so there was one app or one event in particular. I'm thinking of not going to disclose the company, but every single freaking endpoint on this company was vulnerable. So I was like, all right, I'm going to cover all of these. And it ate up all my time and I got like 40 mediums. But I didn't win that event because I didn't get enough criticals. I came in second. Hurts me. So don't make that same mistake I did. Make sure you're going for high impact bugs at these live hacking events, because that's really one of the differentiators. Okay, that being said, once you've picked your portion, you must cover all the core functionality, dig through the JS files, configure the app, do whatever you have to do to become the world expert on this. Do not neglect auth. That is one thing that I have kind of done in the past. Okay, do not neglect the authentication mechanisms. We spend a lot of time checking authorization most of the time as hackers, but authentication is sometimes a little bit scary. Don't neglect it, assess it. And then more than ever. And once again, I know that this is in juxtaposition with what I just said about finding criticals, but you need to double down on any weaknesses you found. And that's what I thought I was doing in that live hacking event, right? I was saying, oh wow, every endpoint is vulnerable to IDOR. I'm going to report every single IDOR. And you should definitely do that. But you also can't do that to the neglect of high impact vulnerabilities. You know, not to say that those are mutually exclusive, but you know what I'm saying? Double down on any weaknesses you find. Spend time thinking, why was this specific endpoint vulnerable? Why? Why is this application acting so quirky in this specific scenario? Right? You got to think through all those things. Okay?
Once you've really like covered all the main functionality of your, your portion that you picked, then you go deep into peripheral assets, SDKs, legacy stuff, staging assets, mobile apps, Chrome extensions, APIs, you know, XML based garbage, you know, like everything that you can find on this app and do some like past recon on this app to, to understand like what the app looked like as it evolved over time. Go deep, deep, deep into those. Okay. And then so the last section that I had here while we were in the actual post scope call, pre dupe window end portion was just a quick shout out to Joseph's recent write-up that we'll put in the description. Root for your friends, right? If you are working with people, even if you're working not collabing with them, but you're in the live hacking event with them, root for them as much as you can. Like I said, try to, try to not give yourself the input, especially if you're hyper competitive and tend to get down on yourself if you're not performing as well. Try not to give yourself input on how other hackers are doing. But if you see it, push your brain to respond positively like, hell yeah, my boy Joseph just popped a crit. Let's go. You know, that sort of thing, right? Rather than like, man, I don't have a crit, what am I gonna do? No, root for your friends. Take that as motivation. Okay? Now you know that there's a crit out there, right? You can go find it too. Okay? Things change a little bit when the window ends. This is typically like a week or so. I don't know the actual duration. I'm just normally like, all right, set a calendar entry, go. But when the dupe window ends, you know, things change a little bit. I typically open myself up to collaboration a little bit more. I try, I try to finish most of my stuff by the time the dupe, the dupe period ends. And I submit most everything that I have, you know, especially if I'm unfamiliar with a company's threat model and what they may or may not consider a vulnerability.
You don't really get N/As at live hacking events, so submit what you've got and, you know, they may inform it of you. And it's not the end of the world. You know, if you're at a live hacking event, you've probably got enough rep and stuff where your signal or impact or whatever can take a little bit of a hit. Okay? Okay. So don't stress out about that. Yeah. So, you know, if for whatever reason, I wasn't able to like exploit some gadgets or maybe I've got like half vulnerabilities that are just very close to being exploitable, that's when you kind of reach out to some other hackers and kind of get a feel for what's going on. You see what kind of success they've had on what other pieces of scope you see. You try to compare notes, you try to give add value to the other hacker by like, hey, here's this vulnerability. Like, this is my takeaway from this vulnerability, right? You're trying to add value to other hackers at that point. Okay. And I also want to say trade value, right? If somebody comes to you and says, hey, man, you know, I know you're looking at this scope, I figured out how to like, decrypt this really important thing. Dude, thank you so much. Like, hold on, let me grab something for you. You know, get them an equivalent trade of value as far as information goes. And in the live hacking event, just realized my little circle light is off there. My bad. Yeah. So try to get them an equivalent trade of value, right? So that you are adding value to your other hackers as well. Pay very close attention to what you missed, man. I'll never forget this one live hacking event where freaking inhibitor181 and I spent the entire event on the same scope and didn't have almost any overlapping vulnerabilities. Crazy. And I just. The stuff that I missed and he way out-hacked me at that event like crazy. The stuff that I missed, I will never, ever, ever, ever, ever miss again, ever. Because of the pain in my heart from what he found. Right?
And that pain can help you learn, right? But you got to also redirect that in a positive way. Like, you know, dab up your boy. Be like, yo, well done, dude. You know, that sort of thing. All right, let's see. Yeah, find hackers who have hacked on similar scope and compare notes. That's kind of what I was saying there. Also, I'll add this piece. Try to collaborate fairly in this, in this post-dupe window collaboration stuff. Now I open myself up to collaboration. You want to. If somebody gave you something, you want to offer them at least 5 or 10%. Right. Of the vulnerability. That's a minimum. If somebody. But you really do want to be fair, a lot of people will be like, oh man, if you even give this little bit, then it's 50/50. And I'm like, I don't think so. I don't think that's the best way to deal with this. Right. It doesn't feel great from my side when I do that to other people. And it doesn't feel great when I'm on the giving side of that either. So I try to say, hey, here's the number. I really value honesty. Give me your thoughts. You know, and we're all professionals here. We can negotiate. And then what I would ask is that you advocate for yourself fairly and honestly. And I'm not going to take it personally. Right? That's what we, that's what we do. And then at the end of the day, you know, if there is conflict, know that your relationship with the other hacker is more valuable than the specific bounty. Because if you're going to be on the live hacking event scene, that hacker will definitely have something you need at some point and you don't want to burn that bridge. Also, just don't be a bad person. That too. Okay, cool. All right. So that's kind of like the post dupe window collaboration. There's not much actually that happens after the dupe window closes besides more collaboration and things start getting triaged, which is cool. But you really, you stay locked in.
You know, if you have fully covered your target and you have, you know, 3x to the time that you would spend on that target, then switch to a different target and do that same methodology, right? Or maybe a peripheral target, right? Something that is tangentially related to the application you're already hacking. So you can reuse some of that knowledge. Okay, next section is on site. So, um, some of you guys may not be participating in an on site live hacking event, but it is very, very tricky to stay locked in when you are on site because your friends are around, you're meeting people for the first time, you're surrounded by hackers that are of similar skill level, and you're. And it's freaking great. Like, that is why we made this. Joel and I started this podcast way back in 2023 was because we freaking love that environment and we want to bring some of that hype and energy to you guys every single week. Okay? That being said, if you really want to win and you really want to perform, you should stay locked in on site. A lot of people, you arrive, you know, you do the meet and greet or whatever, and then people will just like drop their laptops and go out drinking and party and then stay up till three and get super drunk and be hungover the next day. And it just like it cascades. Those people are. Can do whatever they want. No judgment here, but. But if you want to win, don't do that. Yeah. And I think if you want to win or if you really are passionate about hacking, it's really fun to just grab your laptop and grab a soda or whatever and go back to your room with your buddies and be like, all right, I'm looking at this. What are you looking at? Comparing notes, hacking on stuff together almost every single event. If you do this, you will pop a crit in the hotel room. Like, it just happens that way. My boy Nagli has done it like 10 live hacking events in a row. Shout out to my boy n. So stay locked in.
There will be more time to play after the live hacking event is over. Okay. And you want to kind of optimize your time on site by utilizing your other hackers that are present. Right? So if you know your buddy's really good at this and you got a lead in that area, maybe just connect him with that lead. Even though if you think that maybe there's some more time that you could spend on it in. Plus, it feels good to get momentum going, right? And the life in the on site live hacking events. So definitely do that. If you have no leads between you and other hackers, which is pretty rare, but I have seen it a couple times. Pick a small, small piece of scope to deep dive and try to finish it all, you know, during the on site period. Okay, this. I've done this a couple times and it has paid out for me pretty well. The other thing is you can do is if there's a meet and greet and the team is actually there that you're hacking, you can go up and talk to them and be like, hey, guys, listen, I just kind of finished the scope that I was hacking on. If you were in my shoes, where would you look for vulnerability? And I did this one time, I had not hacked on this target at all. I did this on the day of the live hacking event. One of the engineers came up to me, he's like, dude, this area is riddled with bugs. Go tear it up. And I did exactly what he said and made like 40 grand. So shout out to that guy. I don't know if you remember who you are, this is a long time ago. But shout out to that guy, dude, because that was amazing. And there goes all my student loans. So that is also a thing to do. Talk to the team. And also pivoting into the day of the event sort of section. When you're on site, on the event, on the event day, talk to the triagers, advocate for your bugs. Okay? A lot of people are not doing that. 
When you get on site, if there is a bug that's mis-triaged or if there is a high or critical vulnerability that you've got in there that is not getting the attention that it deserves, go knock on the war room door and be like, hey man, here's this. And have a prepared poc. Have a very easy to follow flow that they can see to quickly reproduce the bug and triage it. And that helps them because they don't have to like get all the context on that bug and, you know, do it. They can just see it and follow along with you. And it helps you because now your bug is triaged and you know, on the in the payout queue for the live hacking event on the day of so. And if something is mis-triaged, then definitely go and knock on the door and be like, yo, yo, yo, this is hect. This is not a low, this is a high. You know, this is a critical and so advocate for your bugs. If you literally cannot do this, find a friend to do it. I have advocated for my friend's bugs multiple times on their behalf because I don't know if you guys know this, but I can talk a little bit, right? You know, just a tiny bit. So find someone else to do it for you as well. Once again, I'll repeat it. Stay locked in on the day of the live hacking event. Sit down, hack, hack, hack, till the last minute on the timer, okay? One of the bugs that I am most proud of ever. I completed the exploit for and downloaded for a team of eight. Eight team members, right there were the program we were hacking on live within the last hour of the event. I'm so happy I popped that bug to this day. And one of my favorite hacking memories ever is me sitting in this environment having 18 members from this massive company behind me and be like, check this out. Boom. And it's like a mega crit. And they're all like, oh, shit. Like, you know, it was just. It was the best. It was. It was the best. Guys, stay locked in. You will find cool stuff at the live hacking event.
Okay, day of the event, last thing, pay very close attention to show and tell. I'm sorry, not last thing, but close. Last thing, pay very close attention to show and tell. Show and tell is the portion where other hackers will give a presentation on the bugs that they found that the team selected because they thought they were the coolest. Truly reflect on these bugs and figure out how you could have found them yourself. And then really integrate that into your methodology. Visualize yourself doing that, and that's how you improve. The other thing is, show and tell bugs are great, but guess what? You have access to unlimited show and tell. If you go around and you talk to other hackers and be like, hey, can you show me your bugs and I'll show you mine? Show me yours and I'll show you mine. And to be honest, I've learned so much from that. And most everybody at that live hacking event is passionate and loves hacking, right? So very rarely would they be like, nah, I'm not going to do it. There are a couple hackers that will be like, nah, I want to keep my secrets to myself. But most everybody's like, dude, check this one out. And they show you one that's really amazing and blow, you know, blows your mind. And then, you know, they get that dopamine hit of having somebody who also understands how impactful these vulnerabilities are. Be like, dude, no way. And then. And then, you know, you get the knowledge and it's just. It's a win, win. So talk to other hackers. Freaking Brandon Gretmi that I mentioned at the beginning of this does an amazing job of this phenomenal job, and it just makes the growth just skyrocket as a hacker. Okay, last little bit before I close it out. I know it's already getting long, especially for a solo episode. This is something that's very near and dear to my heart. Do not define your identity as a hacker on the outcome of this live hacking event. Okay? If you showed up to this live hacking event, you followed what I said here. 
You gave it 110% and you did not rank or you didn't find a bug. That's okay. All right? It happens. If you follow this methodology, I think it's probably pretty rare. But I'll tell you, I have had really, really bad live hacking events with like sub 10 bugs, and it just happens. Nothing you can do about it. Doesn't mean you're the worst hacker, doesn't mean that you don't deserve to be there. Right? And if you, if you are, if you are defining your identity as a hacker on the outcome of a live hacking event, it's so volatile, dude, it's so volatile you could have just picked the wrong piece of scope. The asset could be 503ing while you're trying to hack it. And it's just, you know, there's so many confounding variables that could go into place, okay. Put your identity as a person and as a hacker, you know, in something more stable than live hacking events or even bug bounties in general, because bug bounties are hella unstable. I've said this time and time again. I personally really, really struggled with this until my wife and I had a conversation about, hey, Justin, you're not putting your identity in Christ. Which is where I normally try to focus my identity on, right? As a Christian, and after that conversation with my wife, I have almost never struggled with that comparison, that burnout. I just felt much more free to enjoy my hacking life when my identity is in Christ rather than in my performance as a hacker. Right? And I'm not going to get all religious on you guys. You guys can, you know, maybe Christianity isn't the religion for you. Maybe, you know you've got something else, right? Whatever, but just don't freaking put it in bug bounty, please. Like, bug bounty is volatile as hell. So, yeah, that's my recommendation to you. Put your identity in something more stable. All right, guys, I think that's about it. You know, if you, if you follow all these, I think you will have a really, really solid live hacking event.
And like I said, many of these principles are applicable to outside of live hacking event as well. Just normal bug bounty, reflecting on the documentation, staying locked in, going really hard, making sure you're taking care of your responsibilities so that you can optimize your longer pieces of time for bug bounty and staying locked in on technically complex stuff. So there's lots of little tidbits there that you can use to optimize your experience in normal bug bounty as well. Just, just right before this episode, there was a little bit of discussion in the Critical Thinking Discord about rating the show on Apple Podcasts and Spotify, which is something that I used to ask you guys to do every time. But I just have kind of forgot now that we've gotten a couple hundred of them and, and we're pretty well ranked, so. But I'll ask now. If you guys enjoyed the show, please give a rating on Apple Podcasts and Spotify. If you're listening on YouTube, sub on YouTube, drop a comment for us. That does help the show get some additional distribution. And of course, if you're not in the Critical Thinking Discord, definitely go check it out. It's a really solid community, as Evan said in his write up that we covered earlier on. And to be honest, man, I'm really blown away by it. I'm really grateful to be in the Critical Thinking community because there are a lot of people there that are way more skilled than I am contributing and adding value and I'm just like, wow, this is freaking great. So I would love to see you there. If you haven't, if you haven't seen you know how to get in there, you can go to ctbb.show, click the Discord link or ctbb.show/discord if you want to just go directly to it. All right, I think that's a wrap. Hope you guys enjoy this episode and I'll see you next week. Peace. And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end y'all.
If you want more Critical Thinking content or if you want to support the show, head over to ctbb.show/discord. You can hop in the community. There's lots of great high level hacking discussion happening there on top of the master classes, hack alongs, exclusive content and a full time hunters guild. If you're a full time hunter, it's a great time, trust me. I'll see you there.