The player is loading ...
Sign up to get updates from us
Episode 49: In this episode of Critical Thinking - Bug Bounty Podcast, Justin Gardner is once again joined by Nagli to discuss some of their recent hacking discoveries. They talk about finding and exploiting a backup file in an ASP.NET app, discovering vulnerabilities through Swagger files, and debating the vulnerability of a specific ‘undisclosed’ domain. Then they reflect on 2023’s Live Hacking Event circuit, and preview what’s to come in 2024’s.
This episode sponsored by Wordfence! Wordfence recently launched a game-changer of a bug bounty program with ALL WordPress plugins over 50k installs are in-scope. They are currently paying 6.25x their normal bounty amounts, and have agreed to give CT listeners a 10% bonus on top of that! If you wanna pop some crits and see those bounties roll in, head over to https://ctbb.show/wf for more info and keep an eye on the CTBB Discord for inspiration/collabs.
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
------ Ways to Support CTBBPodcast ------
Sign up for Caido using the referral code CTBBPODCAST for a 10% discount.
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Episode Resources:
Timestamps:
(00:00:00) Introduction
(00:02:37) wwwroot .zip Hack Recap
(00:13:44) Swagger File Hack Recap
(00:18:27) Undisclosed URL Hack Recap
(00:24:29) 2023 LHE Circut Recap
(00:37:14) 2024 LHE Preview and New Standards
(00:47:22) Bug Bounty Motivation
Justin Gardner (@rhynorater) (00:01.767)
All righty man, round two. We just got settled in the sunroom here at my house and recorded for 15 minutes and then we realized that the mute button on Nagli's mic was on. So once again, welcome to the podcast, Nagli. I have to wait for the second time and let's hope this one, my mic, will work. Let's hope so. We can see.
Gal Nagli (00:01.77)
Already, man. Now let's do it. Yeah. We got settled in the living room here at my house and recorded for 15 minutes and then the mute button on my mic was on. So once again, welcome to the platform. Thank you. Happy to be here for the second time and let's hope this one, my mic is working. It's too complex for me, this very expensive microphone. All right, man.
Justin Gardner (@rhynorater) (00:30.087)
All right, man. So let's see. We can talk about a bunch of live hacking event stuff and we should, I think, and I think we will. But I think before we get into that, let's talk about some of the hacking we've done over the past couple days. Because we have been working together on some hacking stuff for what? Probably three or four days. And I think we found some pretty interesting stuff. So let's talk about the
Gal Nagli (00:34.398)
about a bunch of stuff and we should back it if we will. But I think before we get into that, let's talk about some hacking we've done over the past couple of days. Because we've been working together on some hacking stuff for what, probably three or four days. And I think we found some pretty interesting stuff. So let's talk about the wwwroot.zip.
Justin Gardner (@rhynorater) (00:59.756)
www.root.zip thing that you came upon and how we kind of exploited that. So give me give me a little bit of an intro into that.
Gal Nagli (01:01.806)
thing and how we did that. So give me a little bit of an intro to that. Yeah, so it was just one random domain suddenly pops up on my Slack automation with exposed www root backup file, zip file, whatever you can call it. It's nothing fancy, just random nuclear template. So when you see a backup file, I mean, first thing you want to report it right away, you know, so it won't be duple or anything else and then all the efforts will go down.
Justin Gardner (@rhynorater) (01:14.367)
for wwwroot backup file, zip file, whatever you can call it. It's nothing fancy, just random nuclear template. So when you see a backup file, I mean, first thing you would want to report it right away, you know, so it won't be due for anything else, then all the efforts will go down.
And while we open it with ASP.NET app full of source code, B files, config files, web.conf and so on. So nothing really, I mean, you wouldn't find like AWS credentials out of nowhere in the source code or like PIA leakage of all users, some stuff like that. There were some juicy stuff, some source code, but still you would want maybe to take it, you know, one step further, not only the... Probably the exposure is a critical for itself, but maybe we can find more stuff to do with it.
Gal Nagli (01:31.402)
And while we open it, it was ASP.NET app, full of source code, bin files, config files, web.conf and so on. So nothing really, I mean, you wouldn't find like AWS credentials out of nowhere in the source code or like PII leakage of all users, some stuff like that. There were some juicy stuff, some source code, but still you would want maybe to take it, you know, one step further, not only the, probably the exposure is a critical for itself, but maybe we can find more stuff to do with it.
Yeah, so I mean, source code exposure at that level, definitely I think is critical in and of itself, but a lot of programs want to see impact from it too. And so, obviously, we went and got that impact, so we'll talk about that. But the initial discovery, I kind of wanted to double-click into that as well. Was that a custom new thing that you had, or was that one of the defaults that were in the list? Or do you have so many now it's kind of a red flag? Yeah, I think it's just-
Justin Gardner (@rhynorater) (02:01.273)
I mean source code exposure at that level definitely I think is a critical in and of itself But a lot of programs want to see impact from that too and so, you know, obviously we went and got that impact so we'll talk about that but um The the initial discovery I kind of want to double click into that as well Is that was that a custom nuclei template that you had or was that a one of the defaults that were in the list? Or is do you have so many now? It's kind of hard to keep track Wow
Gal Nagli (02:28.49)
of the default backup files templates. Okay, that's awesome. So, and then how fast did you respond to this? After you got automation, and that's all the targets you have in your system, you know, it's written paste. How fast did you have to respond to be the first? It really depends. Some of the stuff you have to be really, really fast, like.gitconfig, for example, you can't let it lay down for more than...
Justin Gardner (@rhynorater) (02:31.119)
Okay, that's awesome. So, and then how fast did you respond to this? After, because you've got automation running these nuclei scans across all of the targets that you have in your system, you know, at a certain pace. How fast did you have to respond to be the first one to report this?
Gal Nagli (02:54.646)
half an hour maybe or five minutes until someone will pick it up. But this one, I'm not sure I was that fast about it because it was just a random template. I mean, I didn't, I don't do much of root cause analysis like whether the host was just new and that's why I got it because it's not a dupe, I mean, I got it reaged eventually. It was like two or three weeks ago. But I mean, certainly you want to report your findings less than one day after you get a notification or something like that. So that one, I'm not sure if it was like rapid.
Justin Gardner (@rhynorater) (03:20.567)
or something like that, so...
Gal Nagli (03:23.722)
the same second, but it always depends if you find a new host, if the host just became publicly accessible or if something happened. So yeah, I'm not really sure how long it took, but it wasn't in a minute, I guess, for that one. Yeah, that makes sense. I think when you're doing automation scanning like that, you kind of gotta be pretty quick to get all of your targets as well. Yes. Are you using...
Justin Gardner (@rhynorater) (03:37.895)
Yeah, no, that makes sense. I think, you know, when you're doing automation scanning like that with nuclei, you kind of gotta be pretty quick to scan all of your targets as well. And so for that, are you distributing those scans or you actually just have one box just like pounding all of these hosts with nuclei? Yeah, so I use Axiom to distribute like most of the heavy scans if I want to do fast. I also just created a show.
Gal Nagli (04:00.104)
Are you distributing those scans or you actually just have one box just like pounding all of these codes in a nucleotide? Yeah, so I use Axiom to distribute most of the heavy scans that I want to do fast. I also just created a shockwave box for like, I literally went manually to all of my programs on Hacker One and background, and I collected a list of 90 programs that I consider good, paying well, wildcard, good teams. And then I will just add only their root domains to like a more dedicated.
scanning features that we can see like changes more frequent, like easier way to see with UI and stuff like that. So I like, there is the entire program data set that someone can suddenly expose a backup file and we can find good money. And there is the problems that I know, okay, we need to keep close eyes on them for changes because they develop and ship new line of code every few days and they have good bounties. So like I divided my scanning and my targets to two different divisions.
Justin Gardner (@rhynorater) (04:42.251)
They develop and ship new lines of code every few days and they have good bounties. So like I divided my canning and my targets into two different. Nice, so you've got sort of like the S tier programs and then some other. All the rest. Gotcha, and then the rest. No, that makes sense. And that incentivizes programs to really pay some good bounties because hackers like this are, like Nagli are doing that sort of thing. So that's cool. Shockwave you mentioned there. I'm gonna give you 30 seconds.
Gal Nagli (04:53.79)
All the rest, all the rest, yeah. And then the rest. That makes sense. And that synthesizes programs to really, you know, place some good boundaries because hackers like this are, like, not really are doing that. That's cool. Shockwave, you mentioned there. I'm going to give you 30 seconds, you know, uninterrupted, to do a Shockwave promotion right now. Yeah. So look right there to the camera.
Justin Gardner (@rhynorater) (05:12.811)
you know, uninterrupted to do a Shockwave promotion right now. So look right there into the camera and talk to us about your product Shockwave.
Gal Nagli (05:22.586)
Basically, we try to help companies, small or big, just give us your domain, give us your company name, we'll show you all your assets, technologies. Very easy to see with one click, very easy to scan with your own templates, even with nuclei or whatever scanners you'd like to see. Also for companies or campaigns or projects who want to launch a bug bounty campaign or like a way to interact with the external researchers through comments and markdown, we have that very easily integrated and set up. Everything is in the website, so no.
Justin Gardner (@rhynorater) (05:48.959)
Set up, everything is in the way.
Gal Nagli (05:51.318)
I mean, no nonsensical adjust you can see in the world of the future. So it's like an ASM plus bug bounty interface. Challenges, VIP, I mean you can invite your top researchers to see all your assets, you know, instead of giving Excel file or Google Sheets file or Google Docs. So you can add the researchers to the actual ASM interface. Yeah, and they can have like only view only, you know. I mean, imagine like an ACK1 or Backout program instead of giving you CSV file and you parse it, run a GPX, and go to stuff, just having your entire researchers and...
Justin Gardner (@rhynorater) (05:53.587)
So it's sort of like an ASM plus bug bounty interface of sorts. Yeah, people, I mean, you can invite your top researchers to see all your assets, you know, instead of giving Excel file or Google Sheets file. Ah, so you can add the researchers to the actual ASM interface as well.
Justin Gardner (@rhynorater) (06:19.315)
You can just skip the recon, focus on manual. That's awesome, man. No, I totally dig that. So yeah, definitely. What's the domain where people can find out more? Shockwave.cloud. Check it out, y'all. So you've got Shockwave, you know, your Shockwave instance set up, and we get this ping. You report it as quickly as you can. You know, this one was a little bit slower, but the whole source code for this app is sort of leaked in...
Gal Nagli (06:21.006)
You can just skip the recon, focus on manual. That's awesome, man. I totally dig that. So yeah, definitely. What's the domain name we can use? Shockwave.cloud. Shockwave.cloud, check it out, y'all. So you've got Shockwave, your Shockwave has been set up. And we get this thing. You record it as quickly as you can, you know, a little bit slower. But the whole source code for this app is sort of leaked in the document root.
Justin Gardner (@rhynorater) (06:47.999)
the document route and the team comes back and they want more impact with it. No, I'll tell you, they, I mean.
Gal Nagli (06:52.138)
and the team comes back and they want more impact with it. And no, actually, I mean, I reported it 11 days ago, then no one, not three heads were on it, sadly, and then the team reopened it, and like three days ago, and said, hey, is it still working? So I'm like, I'm not sure, wait, did you fix it? Was it fixed by its own? Do you want me to retest? So it's like hanging in between, so I said, let's, we can still exploit it, so let's see what we can get out of it. Yeah, and obviously, the source code disclosure is a problem, but we want to check.
Justin Gardner (@rhynorater) (07:14.631)
Yeah, and obviously the source code disclosure is a problem, but we want to try to bring actual tangible impact to the asset as it is currently. Because if they had said, if they had somebody delete that file and then they go back and look at your report, they're like, well, we didn't make a change because of your report, so you might get that closed.
Gal Nagli (07:21.134)
actual tangible impact to the asset as it is currently. Because if they had said, if they had someone delete that file, then they go back and look at your report, they're like, well, we didn't even came to the report, so you might get that quote. I mean, they might even fix it, like it's resolved now, we can't access the file, but it's still not resolved. If someone got the file, it's like, you can still get the stuff that we managed to escalate. Yeah, and especially in those ASP environments, because what we ended up doing with that was,
Justin Gardner (@rhynorater) (07:38.587)
Yeah. It's still not resolved. You know, if someone got the file, it's like, yeah, you can still get the stuff that we managed to. It's the it's the end of the world. Yeah. Especially in those ASP environments, because what we ended up doing with that was the backup, the zip file backup had the prod machine key in the web.config file for that application. And then what we were able to do was use
Gal Nagli (07:51.086)
the
Gal Nagli (07:55.534)
the shink in the web.
Gal Nagli (08:01.594)
And then what we were able to do was use YsoSerial to craft a deserialization view state, or And that they also hadn't fully resolved the bug because they hadn't rotated the problem. Yeah, they have to rotate it. So some bugs, I mean, they can resolve the exposure, but they need to...
Justin Gardner (@rhynorater) (08:07.555)
a deserialization view state or a view state that would get deserialized and execute some malicious code. And then that proved that we were able to actually turn it into RCE and that they also hadn't fully resolved this bug because they hadn't rotated the prod machine key.
Gal Nagli (08:27.946)
rotate some keys and stuff. It's like incident response after the initial discovery. Yeah, and sometimes you can get a second value for that if they really don't do a good job of cleaning up after them. So that's another tip to keep in the forefront of your mind. But something that was interesting to me technically about this bug that as we started collaborating and actually showing the box and getting it on the team was that the ASPX file that we sent this request to.
Justin Gardner (@rhynorater) (08:32.603)
Yeah. And sometimes you can get a second bounty for that. You know, if they really don't do a good job of cleaning up after them. So that's another, you know, it's kind of tip to keep in the forefront of your mind, but something that was interesting to me, technically about this bug, that as, you know, we started collaborating on actually shelling the box and getting an RCE, was that the ASPX file that we sent this request to, with the view state, it actually had some source code in it that said view state enabled false.
Gal Nagli (08:56.662)
with a view state, it actually had some code in it that said, view state enabled false. Yeah, like it didn't want... Yeah. And so, you know, when looking at that, you might think that a view state isn't getting parsed, but I found in this article somewhere that back in 2014, they just said, all right, we're just going to... Yeah, we don't care that you put the false really. Yeah, exactly. And they're going to parse it anyway. So, you're still able to get that, even if the view state is set to false.
Justin Gardner (@rhynorater) (09:03.255)
Yeah, and so when looking at that, you might think that the view state isn't getting parsed, but I found in this article somewhere that back in 2014, they just said, we're just gonna ignore this parameter. Exactly. And they're gonna parse it anyway. So you're still able to get that even if the view state is set to false, specifically within the document or within that specific file. And then so...
Gal Nagli (09:25.618)
is specifically within the document or within that specific file. Let's talk about the second piece that happened there. Now we've popped the RCE and they're good, but now there's still a bunch of source code that we've got access to. For us, that looked like a couple ASP.xmls. We were able to expand that quite a bit by looking through the source code that was there and finding that there were a couple of DLLs in that.
Justin Gardner (@rhynorater) (09:30.787)
Let's talk about the second piece that happened there. So now we've popped the RCE and we're good, but now there's still a bunch of source code that we've got access to. And for us, that looked like a couple ASPX files. And we were able to expand that scope quite a bit by looking through the source code that was there and finding that there were a couple DLLs in that source code that were being referenced in the ASPX files. And...
Gal Nagli (09:54.654)
in that source code that were being referenced in ASP.NET files. Those DLLs were created using ASP.NET, and so they could be reversed in a software called.peak. We loaded it up into.peak, and we got a massive amount of source code that was found in this whole application. It depends. It might bring this asset inside the network.
Justin Gardner (@rhynorater) (09:58.819)
inside and those DLLs were created using ASP.NET and so they could be reversed using a software called.peak. And so we loaded it up into.peak and we got access to a massive amount of source code that was powering this whole application. And it depends, you know, they might bring this asset inside the network and I might advise them to bring the asset inside the network at this point.
Gal Nagli (10:23.674)
Yeah. And I might advise them to bring it actually inside the method. So I wouldn't go down and spend the months on it before we see the reaction to the second bug, see what they want to do with the host. Is it important to be outside? So in scenarios like this, you normally wait to go down that additional exploitation path, assuming we have permission from programs that have used the source code and that sort of thing. You normally wait to see how they are going to deal with that scenario before you go down that path of extra exploitation.
Justin Gardner (@rhynorater) (10:31.956)
second part.
Yeah. It's important to be outside of that. So in scenarios like this, you normally wait to go down that additional exploitation path, assuming we have permission from the program to use the source code and that sort of thing. You normally wait to see how they are going to deal with that scenario before you go down that path of extra exploitation. It's not intense enough.
Gal Nagli (10:52.262)
Not in terms of holding bugs, but in terms of not spending time for nothing. You know, like, let's see how the reaction and let's continue from there, because we don't want to spend two weeks on bugs that you will fix with one, one go, we'll reward one bounty for. So in that sense. Yeah. You got to try to avoid those. Um, so that was a fun one that we found. Uh, let's see, what is that? I mean, the only reason that I contact, I mean, we saw the secret and there wasn't, I said there was no like AWS access key or N or passwords, but.
Justin Gardner (@rhynorater) (11:06.747)
Yeah, you got to try to avoid those scenarios. So that was a fun one that we found. Let's see, what is that? The only reason that I caught it, we saw the secret and there was no AWS access.
Gal Nagli (11:20.646)
I saw the prod machine key and then I just remembered on the back of my head some tweets of think Shabs used to do a lot of ASP.NET or other people and they always say if you find webconfig, if you find prod machine key, you have RC. So like you have this on the back of your head and say, okay, yeah, Justin, you want, maybe you could dig a little bit further there. When you get prod machine key, you can treat it like that to Justin. Yeah. And if you will try to get better at speaking to you. No, that's good, man. I think it's a good, you know, various factors have different.
Justin Gardner (@rhynorater) (11:28.473)
Andre, yeah.
Justin Gardner (@rhynorater) (11:38.703)
When you get prod machine key, feel free to reach out to Justin and he will try to get that RCE for you No, that's good, man. I and I think it's a good, you know, various hackers have different skills and You know, I would have never found that www.root.zip Just because I don't scan for that sort of thing on a regular basis and then we can kind of put our minds together It actually get the RCE. So it's a good collab the next interesting bug that we found was
Gal Nagli (11:51.33)
and I would have never found that the new root does it because I don't scan for that sort of thing on a regular basis and then we can kind of put our minds together and actually get the RCE, so it's a good collab. The next interesting bug that we found was this swagger file that we did to an S the bucket arbitrary root. So talk to me about the initial root content discovery process. Yeah, I mean, you'll always like to...
Justin Gardner (@rhynorater) (12:06.095)
this swagger file that turned into an S3 bucket arbitrary read. So talk to me about the, I guess, initial recon and discovery process for that.
Gal Nagli (12:18.37)
to look for swagger files either for trying the XSSes, which barely work these days, most of them are fixed, unless someone wants to find a new zero day on swagger and it will be very, very good, very good one. So instead of just looking for XSS, sometimes you have unauthenticated access to execute API calls and stuff like that. So the one host that we found was like, very weird API calls, they just list tons of.
data which first looked like it's dev or demo, but it was production data actually. And we had to piece out, like to assemble a lot of small pieces to get to some impact out of the host. But we found like a good, eventually we found like a good leader that we could get directory list access to internal SV bucket by, and because we were able to get a pre-signed URL on a pass, like not on an endpoint. And then it just gave us access to the.
the host if you want to explain a little bit about that. Yeah, yeah, so I guess the first step of that was starting to sort of recreate the requests and try to piece together a lot. The swagger file is great, it gives you the sort of technical details, but it doesn't always kind of explain all the lingo behind everything and all of the purposes of the various functions. Actually, there were docs there, but it's an internal domain. Like they said, if you want to read about how it works.
Justin Gardner (@rhynorater) (13:16.483)
Yeah, yeah. So I guess the first step of that was starting to sort of recreate the requests and try to piece together the logic. Because the Swagger file is great because it gives you the sort of technical details, but it doesn't always kind of explain all the lingo behind everything and all of the purposes of the various functions. Actually, there were docs there, but it's an internal domain. Like they said, if you want to read about how it works.
Gal Nagli (13:44.266)
Check this internal domain. And we're like, oh, yeah. So we're trying to piece it together. And it was actually a couple layers deep, right? So in order to find the initial, in order to find the string, I guess the format of the ID that we needed to give, to give the endpoint that ended up leaking the pre-signed URL to the SD bucket, we had to go through about two other API calls to get it.
Justin Gardner (@rhynorater) (13:45.403)
And we're like, oh, drat, can't do that. So we're trying to piece it together. And it was actually a couple layers deep, right? So in order to find the initial, in order to find the string, I guess the format of the ID that we needed to give to the endpoint that ended up leaking the pre-signed URL to the S3 bucket, we had to go through two other API calls to get
to list all the objects associated with some stuff, and then pick one of the sub-objects within there, get more details on that object, and then that leaked the ID, and then we used that ID to get access to the S3 bucket arbitrarily. So it goes to show, you know, when you're looking for these, when you're seeing these swagger APIs pop up, you know, sometimes it's a little bit unfortunate because you go and you check them out, and then it says auth required, auth required, auth required, but in scenarios where
Gal Nagli (14:14.57)
to list all the objects associated with the stuff and then pick one of the sub-objects in there, get more details on that object, and then that leads to the ID, and then we use that ID to get access to the SV bucket arbitrarily. So it goes to show you when you're looking for these, you're seeing these swagger APIs up, sometimes it's a little bit unfortunate as you go, you check them out, and then it says, Auth required, Auth required, Auth required. But in scenarios where Auth is not required,
Justin Gardner (@rhynorater) (14:42.999)
Auth is not required. It definitely pays to sort of double click into those and read through and kind of experiment. We probably spent what, like two hours playing around those endpoints? Yeah. And I think we'll get a good bounty for it. So that should definitely be interesting to see how that one pans out because we just found it like earlier today or yesterday. The whole thing is that question.
Gal Nagli (14:44.75)
it definitely pays to sort of double-click into those and read through the way and kind of experiment. We probably spend, what, two hours playing around those endpoints? Yeah. And I think we're gonna be bound for it. So that should definitely be interesting to see how that one pans out because we just found it earlier today, yesterday. I mean, the whole thing is I question what the responses and what you see returns from your actions. I tried to put a full URL there, like with an actual log endpoint, and then I got like...
not found, like the endpoint directory wasn't found. I said, okay, what happens if I just remove the endpoint and check the directory? And then it gave you full access to the directory with pre-signed URLs. So that's like, question everything you see, okay, we can't find this, can we make the API do other stuff? Yeah, and sort of IDA, you know, on top of that too. Like, even as you're thinking, you can be, you know, deleting various paths and seeing how they're gonna let you trivially back up in that scenario because we have an ID that contains paths.
Justin Gardner (@rhynorater) (15:29.5)
Can we make the API do all this stuff? Yeah, and sort of ideate on top of that too. Even as you're thinking, you can be deleting various paths and seeing how far it'll let you traverse back up in that scenario because we had an ID that contained paths that we were kind of working with. And so that was the way we ended up actually popping it there. So yeah, I guess swagger files.
Gal Nagli (15:42.422)
that we were kind of working with and so that was the way we ended up actually popping it there. So yeah, I guess Swagger files, do you often actually inspect the content of the Swagger files that you're searching for or are you just kind of looking to public assesses with the Swagger files? How does that play into your normal information? I'm not doing routinely scanning for them, it's like there are thousands so it's like one of the most popular endpoints for like random, you know.
Justin Gardner (@rhynorater) (15:54.159)
Do you often actually inspect the content of the Swagger files that you're searching for? Are you just kind of looking to pop XSS's with the Swagger files? How does that play into your normal automation?
Gal Nagli (16:11.938)
that is common for every program around the world. Once in a while, if it's interesting program or if I want to do some manual hacking and check swagger, less in the automation side and other things. Yeah, no, that makes sense. I'm gonna go ahead and do the, hey Google, turn on the sunroom lights. There we go. Wow, technology. Look at that, look at that technology. Coming into play. For those of you actually listening to this podcast as an audio medium.
Justin Gardner (@rhynorater) (16:21.479)
Yeah, no, that makes sense. I'm gonna go ahead and do the, hey Google, turn on the sunroom lights. There we go. Look at that, look at that technology coming into play. For those of you actually listening to this podcast as an audio medium, we just turned on all the lights in the sunroom. Yes, by voice.
Gal Nagli (16:40.326)
turning on all the lights in the sunroom. By voice. Yes, by voice. So, yeah, that was a great bug. And then I kind of want to talk to you as well about getting sort of debate with you. The url.
Justin Gardner (@rhynorater) (16:46.115)
So yeah, that was a great bug. And then I kinda wanna talk to you as well and sort of debate with you the {REDACTED} domain. We're gonna need to bleep that one. But that's the one that I spent a bunch of time on and you told me to give up on. And then I ended up confirming that it is vulnerable. But it's gonna take at least 70 days worth of
Gal Nagli (16:56.142)
superawesome.com domain, we're going to need to delete that one. But that's the one that we spent, I spent a bunch of time on, and you made me give up on. And then I ended up confirming that it is vulnerable, but it's going to take at least seven days worth of HTTP requests to actually pop this bug because of the cryptographic complexity of the vulnerability. So...
Justin Gardner (@rhynorater) (17:14.115)
of HTTP requests to actually pop this bug because of the sort of cryptographic complexity of the vulnerability. So this domain, you found just through normal recon and then you passed it off to me, right? Can you elaborate on that at all? So we found someone who needs to say...
Gal Nagli (17:25.11)
This domain you found just through normal recon, and then you have it off to me. Where do you elaborate on that at all? So we found some. It's like a domain for well-known targets, and they have a lot of subdomains. And we found the one domain which was pointing to a third party. It was just a login panel. Then you see the version down there. It was like 1.74 or 1.74. And then the first thing you do is look for CVEs for the version. And we just saw critical CVEs solved for version.
Justin Gardner (@rhynorater) (17:35.707)
subdomains and we found the one
domain which was pointing to a cell part, it was just a login panel. Then you see the version down there. It was like 1.74. The one thing you do, first thing you do is look for CVEs, you know, for the version. Yeah. And we just saw critical CVE solved for version 1.73 or what passed in 1.74. So we are right on the verge of, okay, is it vulnerable or not? Like that's the version. So yeah, in order to confirm it, there was public CVE, public POC, which
Gal Nagli (17:55.238)
1.73, or what, patched in 1.74, so we are right on the verge of, okay, is it vulnerable or not? Like, that's the very, so, yeah, in order to confirm it, there was public POC, which basically tells you, okay, you need to brute force a lot until you get a collision, like PHP type juggling, I guess. Yeah, it was a PHP type juggling, yeah. Yeah, and it required you to generate a patch that starts with zero E.
Justin Gardner (@rhynorater) (18:08.109)
Okay, you need to...
Justin Gardner (@rhynorater) (18:12.903)
Yeah, it was a PHP type juggling pug. Yeah. And it required you to generate a hash that starts with zero E and this is an MD5 hash. Zero E and then every other character in the whole hash is a number rather than a letter. Um, which is very, very tricky to make happen. Um, but we were running, I was working with another hacker and we were kind of running the math on it.
Gal Nagli (18:24.466)
And this is an MDFundash. Zero, E, and then every other character in the whole hash is a number. Yeah. Um, which is very, very tricky to make happen. Um, we were running, I was working with another hacker and kind of running the math on it. And he says he thinks we can do it in roughly 70 days. Oh my god. So it would be a pretty effective bug if it actually.
Justin Gardner (@rhynorater) (18:41.003)
and he says he thinks we can do it in roughly 70 days of brute forcing non-stop. So, and it would be, it would be a pretty impactful bug if it actually popped. So, uh, I'm going to set up a script and just kind of have it run because why not?
Gal Nagli (18:52.298)
I'm gonna set up a script and just kind of have it run. I think for those stuff, maybe if it's a good team, and I think here it's a good team, you could try and ask them, like, maybe in the back of one of your reports, or like in a new report, hey, I mean, I'm pretty sure it's vulnerable because we actually diffed the GitHub version and saw that it's on the vulnerable version. I mean, would you accept it without me brute-forcing it for 70 days, like killing the server and stuff like that? That could work sometimes. Filling up all of the long files, yeah.
Justin Gardner (@rhynorater) (19:15.851)
Yeah, you know, filling up all of the log files. Yeah, and I think just to clarify or to dive a little deeper on what we did to confirm it was vulnerable, even though the advisory said it was patched in 1.7.4, what we ended up doing was going to the GitHub because it's an open source software. And we, I guess, hosted within the organization, it's an open source software. And we found that there was a modification to the readme.html file.
Gal Nagli (19:20.683)
And I think just.
Gal Nagli (19:29.166)
we ended up doing was going to the GitHub because it's an open source software. And we, I guess, hosted within the organization, it's an open source software. And we found that there was a modification to the read.html file that was done right before the change that fixed the critical vulnerability. It was modifying a lowercase age to an uppercase age. That's it.
Justin Gardner (@rhynorater) (19:45.647)
that was done right before the change that fixed the critical vulnerability. And it was modifying a lowercase h to an uppercase h. That's it. And when we went to the readme.html file, we ended up finding that it was the lowercase h still, confirming that it had not been, that the vulnerability had not been patched. That there had been other changes made in that same version. But they had, when they pulled down that version,
Gal Nagli (19:58.61)
And when we went to the readme.html file, we ended up finding that it was the lower case H still confirming that it had not been, that the vulnerability had not been packed. That there had been other changes made in that same version, but they had, when they pulled down that version, it was into the point where- Before the patch. Yeah, had to have the patch in it yet. So we were able to identify that it shouldn't still be vulnerable. Yeah, that's a good idea. You know, we could, we could reach out to the- Yeah, I mean, it wouldn't, I mean-
Justin Gardner (@rhynorater) (20:15.487)
It wasn't to the point where it had yeah had the patch in it yet. So we were able to Identify that it should still be vulnerable. Yeah, that's a good idea. You know, we could we could reach out to the program Yeah
Gal Nagli (20:26.43)
Worst case, they tell you, exploit it. That's the worst case. The best case scenario is they accept it and patch, which is easy. So, best case, you get the bounty which you deserve. Worst case, you need to do what you want to do anyway. So like, maybe it's a better idea to let them know first. Yeah, I'll reach out to them and see if we can get it to pop. But I spent, because the exploit that was out there, the POC that was published was...
Justin Gardner (@rhynorater) (20:40.139)
So like, maybe it's a better idea to get rid of them. Yeah, I'll reach out to them, see if we can get it to pop. But I spent, because the exploit that was out there, the POC that was published was a... HTTP. Yeah, it was only for HTTP. And the server that we were interacting with would only communicate over HTTPS. So you had to rewrite the exploit for HTTPS.
Gal Nagli (20:56.131)
a HTTP. Yeah, it was only for HTTP. And the server that we were interacting with would only communicate over HTTPS. So you had to rewrite the exploit for HTTPS compatible, which wasn't very tricky. Actually, you told me to have ChatGPT do it, and I was like, very funny. And then I told ChatGPT to do it, and it like generated almost all of the code. Oh shoot.
Justin Gardner (@rhynorater) (21:07.155)
compatible, which wasn't very tricky. Actually, you told me to do it, have chat GPT do it. And I was like, very funny. And then I told chat GPT to do it. And it like generated almost all of the code. Oh, shoot.
Gal Nagli (21:24.874)
We're not dead, right?
Gal Nagli (21:30.491)
Oh, I know.
Gal Nagli (21:37.506)
Just me here.
It's okay.
Justin Gardner (@rhynorater) (21:45.927)
I mean, it seems like it. Yeah. 21. Are you still showing us recording? Yeah. OK.
Gal Nagli (21:45.986)
I mean, it seems like it. Yeah. Oh, 2150. OK. Does it still show US recording? Yeah. OK.
Justin Gardner (@rhynorater) (21:59.931)
Yeah, OK, that's good. OK. So where were we at on that?
Gal Nagli (21:59.978)
Yeah, okay, that's good. Yeah. So where were we at on that? Uh...
Justin Gardner (@rhynorater) (22:10.104)
Let me think.
Gal Nagli (22:10.162)
Let me think. HTTP, HTTPT. Oh, yeah. So I guess, like you said, I took it and put it into HTTPT, and it generated almost perfectly valid exploit. I just only had to make a couple of modifications, but then there was the whole process of like, okay, is it something wrong with this exploit or is it something wrong with...
Justin Gardner (@rhynorater) (22:14.207)
HTTP, chat GPT. Oh yeah, yeah. So I guess, like you said, I sort of took it and put it into chat GPT and it generated almost a perfectly valid exploit. I only had to make a couple of modifications, but then there was the whole process of like, okay, is it something wrong with this exploit or is it something wrong with the server and it's not actually vulnerable, right? Or is it just taking time? And at the end of the day, me and this other hacker that went after it,
Gal Nagli (22:33.39)
the server and it's not actually vulnerable, right? Or is it just taking time? And at the end of the day, you know, this other hacker that went after it sort of determined that the server was definitely vulnerable, which is gonna take a bunch of time. So I gotta go set up a script after this to actually continuously monitor that. And reach out to the team, do the team ABC. That we don't actually disturb the services there. Exactly.
Justin Gardner (@rhynorater) (22:41.699)
sort of determined that the server was definitely vulnerable, which is going to take a bunch of time. So I got to go set up a script after this to actually continuously monitor that. And reach out to the team, right? Yeah. That we don't actually disturb the service. Exactly. Yeah, all right. So that's what we had for the bugs that we found. Let me see if there's anything else on here. Oh, yeah. Do you want to tell them? No, I'll do the honors. And the S3 bucket was filled with.
Gal Nagli (22:58.898)
All right, so that's what we had for the books that we found. Oh, yeah, do you want to tell them? I'll do the honors. And the S3 bucket was filled with, drum roll, please, credit card transactions and action data. So it should be pretty juicy when the team gets it out loud. So all right, let's take... We're going to go with them here shortly, I think.
Justin Gardner (@rhynorater) (23:10.831)
Drum roll, please. Credit card transaction data. So it should be pretty juicy when the team gets that one and gets that one triaged. So, all right, let's take, we're gonna go get some dinner here shortly, I think, but let's go ahead and discuss the live hacking event season that we had in 2023, and then also go and talk about the new live hacking event standards that dropped.
Gal Nagli (23:29.238)
Let's go ahead and discuss the live hacking season that we had in 2020. And then also, can I talk about the new live hacking standards that dropped for 2024, not too long ago, because they made some changes that are looking quite good. First, I want you to tell me about two live hacking events that you've been doing.
Justin Gardner (@rhynorater) (23:41.755)
for 2024, not too long ago, because they made some changes that are looking quite good. First, I want you to tell me about two live hacking events that you've been to this year. Buenos Aires and, actually, let's do three, because these are the ones that I'm the most salty to have missed, okay? Buenos Aires, that's the Ambassador World Cup. We got the Facebook event in Singapore. No, no, no. In South Korea, that's right.
Gal Nagli (23:52.118)
Buenos Aires and actually let you through because these are the ones that I'm the most salty to have made. Buenos Aires, that's the Ambassador World Cup. We got the...
Facebook event in Singapore. No, in Seoul. In South Korea. Yeah. And, and then we have Hacker One Las Vegas, which I didn't go to by choice, which, which was, which was a hard decision to make, but I think the right one for me at the time. So start with Buenos Aires. And that was the best of the World Cup event.
Justin Gardner (@rhynorater) (24:11.063)
Hacker One Las Vegas which I didn't go to by choice, which was a hard decision to make but I think the right one for me at the time. So start with Buenas Heras, that was an Ambassador World Cup event. Tell me a little bit about that and how that sized up to normal live hacking events that we go to on a regular basis. Yeah, so basically this is the second edition of the Hacker One Ambassador World Cup. The first year there wasn't any live hacking event, it was a very good event bounty wise.
Gal Nagli (24:25.55)
Tell me a little bit about that and how that sized up the normal live hacking events that we go to on our ego business. Yeah, so basically this is the second edition of the Hacking One Ambassador World Cup. The first year there wasn't any live hacking event, which was a very good event, you know, bounty wise. The biggest perk was and still is that it gives more people opportunities to get to live hacking events. They usually save some slots from the competition to show up for the team, or it's community edition that they nominate for the event. I got my first event invite just from...
Justin Gardner (@rhynorater) (24:40.467)
The biggest perk was and still is, if it gives more people opportunities to get to live hacking events, they usually.
Gal Nagli (24:55.722)
participating and doing well in the Ambassador World Cup last year. So this year we were in the group stage with Team Spain, which we actually battled for the first place eventually, and one part of Team USA, I don't know if you... I think you were there, maybe? No, it wasn't mine, it was the West Coast. No, it was yours. Team USA is split into two different teams. Yeah. My team... How many teams did you have? I only had one team.
Justin Gardner (@rhynorater) (25:09.059)
No, it wasn't mine. It was the west coast. No, it was yours. So Team USA is split into multiple different teams. Yeah. My team... How many teams did you have? I only had one team. No, how many teams did the US have? The US had two teams. Yeah, so we were against you. No, you were against USA team... Oh, you mean in the beginning of the World Cup. Yeah. Oh, yeah, yeah. In the beginning. I thought you were saying that. Yeah, we were only once against the US.
Gal Nagli (25:24.042)
No, how many teams did the US have? The US had two teams. Yeah, so we were against you. You were against USA team... Oh, you mean in the beginning of the world. Yeah. No, we were only one against the US team. Oh, okay, okay. The other team, the ones with the West Coast team... Yeah, they lost to Nepal. That's right, they got knocked down on the other team. So you're right, you were against me in the beginning, and you knocked us out in the first round. It was you and Spain.
Justin Gardner (@rhynorater) (25:38.259)
Oh, okay, okay. So you guys, the other team, the West Coast team. They lost to the Italians. That's right, they got knocked out on the other side. So you're right. You were against me in the beginning and freaking knocked us out first round. It was you and Spain were also in that same bracket, right? So, you know, you at US zero had it hard from the beginning because we had up against such a strong competition. I mean, we were very happy in the quarter finals.
Gal Nagli (25:53.326)
You know, you at US Zero had it hard from the beginning because we had such a strong competition. I mean, we were very happy in the quarterfinals this year that they announced to the eight ambassadors that were left, okay, we didn't know if it would be like a knockout for the final in person, like two teams, 24 members each, or it would be like 14. So then they announced before the quarterfinal stage that there would be 14.
It was very good motivation for the quarterfinals. We were against Singapore in the quarterfinal and we beat them, so that was good. Then in the quarterfinal, then the semi-final was online as well. We beat Team France there. It was a hard battle there as well. And then for the finals, we, four teams flew, 12 to 10 members from each team. And then it was the fight for the first place and the fight for the third place. Nepal and France for the third place, us and Israel and Spain for the first place.
And it was the same target, same environment, same LHV vibes as always, but like, you know, we battled for different pilots. Okay, so all of the top four teams, the first, second, third, and fourth, you know, whatever undecided places they were in, they were all hacking on the same target. They were duping each other on the same target. Did they have a dupe window or? I don't remember.
Justin Gardner (@rhynorater) (26:54.319)
Okay, so all of the top four teams, so first, second, third, and fourth, whatever undecided places they were in yet, they were all hacking on the same target. So you were duping each other on the same targets. And did it have a dupe window or? Time to remember. If there was a dupe window, it wasn't a big one because I don't remember. No, don't think, there was no dupe window. Oh really, okay. I think it was, sometimes you could say a welcome change because I found.
Gal Nagli (27:12.178)
If there was a dupe window, it wasn't a big one because I don't remember. No, I don't think there was no dupe window. Oh really? Yeah, I think it was, sometimes you could say a welcome change because I found lock for change five minutes after the event started. So that was like super crazy. So did you just like load up the domains into your Chuckwave tool and then it just like... Yeah, I do that, but actually I found it randomly not from that. Like my routine scan just lock for J out of my own in scope domain.
Justin Gardner (@rhynorater) (27:27.239)
So did you just load up the domains into your Shockwave tool and then it just like... Yeah, I do that but actually I found...
Gal Nagli (27:41.482)
before the targets were announced. Before we knew the costumer, I got an alert 30 minutes before. It was in person, we were actually in Portugal at the time and the Spain team were around me and I told them, hey, I just found Log4j, I got 10k after two hours. They paid me like, so some good things they did, they pay you right away and no dupe window. So those are like, I mean, dupe window you could say sometimes it's good, sometimes it's bad, but they pay you also right away and not only in the event. So it was very, very nice to start the event like that.
Justin Gardner (@rhynorater) (27:42.862)
No way
Justin Gardner (@rhynorater) (28:09.151)
start the event like that. Okay, so they actually, the whole time they were paying, they weren't waiting to do payouts until the in-person. Wow, so you're already coming to the event, already having a lot of the bounties in your pocket. I bet that made for a nice environment actually at the, in Buenos Aires because you were already paid out in a lot of ways. You were kind of, I mean, I don't know, maybe the competition was still raging.
Gal Nagli (28:11.15)
actually the whole time they were paying, they weren't waiting to pay out the whole time. Wow, so you're already coming to the event, already having a lot of bounties in the program. I bet that made for a nice environment actually at the end where it said this, because you were already paid out in a lot of ways. You were kind of, I mean, I don't know, maybe the competition was paid out. No, in one end, yes, but in the second end, because the point system is not reputation-based and not bounty-based, it was only, it's like severity and volume-based.
So we didn't really know the rankings. It was like internally for the Hakei One team, they had to do a lot of calculations. Maybe for next year they will have a proper leaderboard just to display the points. So our team was like first, second and third, like three people, me, Matan, Ber and Avishai on the bounties, but it doesn't mean that we are going to win because like four mediums are one critical, or three mediums is one crit. So even if we have 10 crits and they have 50 mediums, it's like, it's even better than that. They had crits also as well, but we had like the most crits.
So you don't really know if you're winning or losing on site, which it adds a little bit of suspense, but I mean the bounty sometimes is good to get beforehand. Less stress. So I mean with that then, do you...
Justin Gardner (@rhynorater) (29:19.424)
So, I mean, with that then, do you prefer the live hacking event based money sort of order of payouts or I guess like in the live hacking events, the leaderboard is based off of how much money you've earned, right? Do you prefer that or do you prefer this system with... I prefer how much money, like today.
Gal Nagli (29:34.526)
No, I prefer how much bounty, like today, like we have today, how much bounty you earn. I think it's the most, it's the best, no farming, no other stuff that you could do. But I mean, team competition, it's interesting to have a point system. I guess it makes sense to have points and not bounty based because there are some targets like PayPal or like one-man show targets, you know, like Alex Vilsen or Joe Hash. They get a target that they would easily win alone with one hand.
You know, so sometimes you need like team competition with point system. And it makes sense in this event. That makes sense, man. So you've got the Ambassador of All the Cossens, like it was very LHTE, with a little bit of changes to it. Yeah, some experiments. Yeah, some experiments that seem to have gone well. Talk to me about the South Korea event with Facebook. Because like, man, was I bummed to not have been able to do the event.
Justin Gardner (@rhynorater) (30:02.981)
Yeah, 100%, yeah.
Justin Gardner (@rhynorater) (30:09.647)
That makes sense man. So you've got the Ambassador World Cup, seems like it was very LHE with a little bit of changes to it. Yeah, some experiments. Yeah, some experiments that seem to have gone well. Talk to me about the South Korea event with Facebook, because man was I bummed to not have been able to go to that event. I had a bachelor party that weekend, so I wasn't able to make it out there.
Gal Nagli (30:32.17)
I had a party that weekend, so I wasn't able to make it out there. But it seemed awesome. And I think you said out of all the destinations that you've been to for the live hacking events, South Korea was one of the favorites, right? Yeah, it's very good vibes. They're very good, very chilly. Like it's very nice country. And I got reached out from one of Facebook's former program managers. They wanted to invite like they have their inner circle, they have leagues, they've got leagues, diamond league, but they also wanted like other LHG hackers from Hacker One, from Bakar and so on. So.
Justin Gardner (@rhynorater) (30:35.559)
But it seemed awesome and I think you said out of all the destinations that you've been to for the live hack events, South Korea was one of your favorite, right? Yeah.
Gal Nagli (31:00.574)
We got into the event, me, Joel, and TechnoGeek decided... No, Joel is TechnoGeek. Me, Joel, and Space Raccoon decided to collab a little and see if we can find anything. And actually, just as I was on the train to catch the flight, we managed to land together XSS on www, which is like super rare. Even, you know, Yousef is one of the best architects on Facebook, he said it's super rare to see the stars, so we got paid good and it was very nice to get that.
But also, I mean, it's nice to see events from other companies as well, see how they manage it, some stuff that they do differently or not, but it was very good experience as well. Can you talk about the XSS a little bit? I guess, in Glee, was it a reflected XSS or a DOM-based XSS? It was some DOM post-message stuff. Basically, we found embedded inside www, they had some service which was open source. And I think it was Excalidrom.
Justin Gardner (@rhynorater) (31:36.591)
Can you talk about the XSS a little bit? I guess vaguely was it a reflected XSS or a DOM based XSS? It was some DOM post message stuff. Basically we found embedded inside www some service which was open source. And I think it was Excalibro.
Gal Nagli (31:55.234)
Probably, I think Space Raccoon is filled actually a zero day for it or one day. I think they fixed it already. So Joel was already messing with some CodeQL stuff to reverse engineer. So he took that code, put it in CodeQL. He saw some accessing. I mean, he told him there is accessing, but I mean, if CodeQL tells you there's accessing, you're far away from actually seeing the pop-up. So we reached out to Space Raccoon and he told us that he found a very, very similar.
Justin Gardner (@rhynorater) (32:00.971)
So Joel was already messing with some CodeQL stuff to reverse engineer. With the code, he saw some excess.
Gal Nagli (32:23.734)
bug on other big company. So he just looked at it, okay, modification here, modification there. He has public blog about another very similar, just detailed all the way, so took him 20 minutes and we got our very good bug for the event. Dang, man, that's crazy. So the goal is actually hitting with Code Cuel. That's an interesting approach. I haven't used Code Cuel at all, especially not in a JavaScript context. That seems like an interesting. I'm not sure if it was JavaScript.
Justin Gardner (@rhynorater) (32:36.399)
Dang, man, that's crazy. So Joel's actually hitting with CodeQL. That's an interesting approach to that. I haven't used CodeQL at all, especially not in a JavaScript context. That seems like an interesting- I'm not sure if it was JavaScript. For the library, it must have been, right? Because it was a client-side proposed message? It was a third-party product embedded into Facebook.
Gal Nagli (32:53.402)
for the library, it must have been, right? It was like a third party product embedded into Facebook. I don't remember which code is like, one of the code curators supported the stuff. That's really cool. I agree with that. And that was, I mean, I imagine you had a ton of bugs that had been, but that was the crowning jewel of the event for you. Yeah, other bugs were a little different. I mean, it's hardware and it's called Facebook, so it's like very, very hard to find some good bugs. I had some few.
Justin Gardner (@rhynorater) (33:05.737)
I don't remember which code is like, one of the code queues supported it. Gotcha, gotcha, that's really cool. Nah, I dig that. And that was, I mean, I imagine you guys found other bugs at that event, but that was the crowning jewel of the event for y'all. Yeah.
Gal Nagli (33:20.83)
Minor ones but that was the big one.
Justin Gardner (@rhynorater) (33:25.82)
I wanted to go to it so bad. Alright, so that's the Singapore event. Not Singapore, I'm sorry, South Korea. Again, I keep on getting that mixed up in my head. The last one, Vegas. Missed this one because of Mariah's birthday. I'm going to try to come every other year, but it always goes over her birthday. So sometimes I got to stay home and enjoy the family life over here.
Gal Nagli (33:26.338)
go to it so bad. All right, so that's the Singapore event. I mean, not Singapore, South Korea. Again, I keep on getting that mixed up. Last one, Vegas. Missed this one because of Brian's birthday. I'm gonna try to come every other year, but it always goes over her birthday. Yeah. Sometimes I gotta stay home and enjoy the family life over here. But this year, kind of tell me how Vegas went and what were your thoughts on the wedding.
Justin Gardner (@rhynorater) (33:51.803)
this year, kind of tell me how Vegas went and what were your thoughts on the live hacking event.
Gal Nagli (33:56.294)
Yeah, so the vibes were very good. It was two very big and good customers from previous LHEAT as well and so on. Great bonuses, great people that came along. It was very... We had some small fun challenges between ourselves as well. Me and the other people, for example, we found Franz Rosen a little bored, which is very rare to see him bored because he got so many bounties. So he didn't know what to do. So I was I was finding some XSS and literally I took my computer. I gave him the URL.
I set up a timer of 10 minutes and I took in cash, I think dollars and I put it near him There is a picture of it somewhere or video and I told him okay You have 10 minutes to get to bypass the waffle which I know he wouldn't be able to do which is he can do Everything but I think I saw this one. He couldn't if you bypass it you get a 2k cash Because I needed it for a bug. Please tell me you did it. No, he couldn't But he made way more Yeah, because it was like
Justin Gardner (@rhynorater) (34:45.471)
Please, you did it. No. Oh, no. Oh, man. That would have been ridiculous if he had bypassed it in 10 minutes. Yeah, because it was very, very difficult to laugh and other... It would be a zero. There was some very big stuff. Oh, my gosh. It was fun. Fun challenge and good bounties, good bugs. We managed to get some very critical bugs. Even one of the products that I was hitting was just motion. After the event, I mean...
Gal Nagli (34:55.026)
very, very difficult to work on. It would be a zero, they were some very big things. But it was fun, fun challenge and good bounties, good bugs, we managed to find some very critical bugs. Even one of the products that I was hitting was just decommissioned. After the event, I mean, we were able to find so many bugs and critical ones on this very important component of one of the products that the team said, okay, it was developed by third party, we had enough of fixing the bugs there, let's just.
Justin Gardner (@rhynorater) (35:13.279)
We were able to find so many bugs and critical ones and it's a very important component of our network.
Gal Nagli (35:24.738)
decommissioned it and put it behind our very more secure code base. So like we actually managed to get the product decommissioned, which is nice achievement. I guess I mean, poor people if they know still jokes. I mean, I lost some, I lose some bounces now because of that, because the host is dead now, but it was fun experience.
Justin Gardner (@rhynorater) (35:33.143)
Nice achievement. I would call people if they lost their jobs. No, not Leek. That does feel good though when you just see the host disappear and never appear again. I lose some balance now because the host is dead now. But it was a fun experience. Yeah, hopefully they won't do that to our vuln that we mentioned earlier with the source code now. That would be great if we could hold on to that and keep trying to find bugs there.
Gal Nagli (35:53.798)
Yeah, yeah. Or we got the source code now. That would be great if we could get on to that and keep trying to find the last day. All right, man. Let's go get some dinner soon. But I want to talk about the live hacking events that dropped. So I'm going to go ahead and pull it up here on my phone and you can pull it up on your computer. It's new season starting now. Yeah. So the new season for live hacking events is coming out in 2024.
Justin Gardner (@rhynorater) (36:00.887)
All right, man, let's go get some dinner soon. But I want to talk about the live hacking event standards that dropped. So I'm going to go ahead and pull it up here on my phone, and you can pull it up on your computer. It's new season. Yeah, so the new season for live hacking events is coming up in 2024. We both got our invites today for a live hacking event in January, which we can't give any other details on right now, but we're pretty hyped for. So that should be great.
Gal Nagli (36:18.934)
We both got our invites today for the live hacking in January, which we can't give any other details on right now, but we're pretty good for. That should be great. I took some notes here. I kind of read through it and took some notes here. The first thing that I kind of saw that looked most interesting was they're offering up to 10 researchers invites with this condition.
Justin Gardner (@rhynorater) (36:31.187)
I took some notes here, I kind of read through it and took some notes here. The first thing that I kind of saw that looked most interesting was they're offering up to 10 researchers invites with this condition. Hacker One platform performers over the last 180 days, researchers with 75% or greater submissions rated high or critical in more than five total higher crits in that time frame.
Gal Nagli (36:45.502)
Hacker One platform performers over the last 180 days. Researchers with 75% or greater submissions rated high or critical in more than five total higher points in their time frame. And then this list is prioritized by total rewards in the last 180 days. So it looks like they're looking for hackers that have pretty much just submitted high and critical reports in the past six months.
Justin Gardner (@rhynorater) (36:58.851)
And then this list is prioritized by total rewards in the last 180 days. So it looks like they're looking for hackers that have pretty much just submitted high end critical reports in the past six months with over a 75% amount of that, right? And they pulled the impact requirements from everything.
Gal Nagli (37:14.378)
with over 75% amount of that, right? And they pulled the impact requirements from everything. Impact, they started, they pulled this last year, I think, actually, because it was like hard 22 impact, which eventually didn't make sense because you don't want, I mean, collab, basically because collab takes your impact down as well, it's tough, so you can't tell people not to collab, so it was good, it's good that they took it off from there. This stats, it's a little, it's still hard here to understand because...
It tells you to report less medium and lows back. I mean, most, some people have this by default above 75% higher than grid. Think I have above 75, they probably cause me and have it, Alex Beerson, those guys probably answered that criteria. But it doesn't reflect on the leaderboards, right? On the HackerOne leaderboards today. Because if you check top 10, I think nine of them are not having only high in grids. Well, that's crazy. I definitely did not have above 75% high.
Justin Gardner (@rhynorater) (38:08.335)
Wow, that's crazy. I definitely did not have above 75% high end crit reported as I report lots of mediums and lows just as a part of my normal flow. Is that something that you're doing intentionally? Are you not reporting the lows or the mediums? No, I'm not reporting the lows. I don't find it. I wish I would find the mediums and lows
Gal Nagli (38:13.302)
reported as I report lots of mediums and lows just as a part of my normal flow. Is that something that you're doing intentionally? Are you not reporting lows? No, I'm not doing that. I'm reporting mediums. I don't find, I wish I would find more mediums and lows but it's more money. But I mean, this year I found less mediums and lows but if I find, of course I will report them. Yeah. I mean, this stat, I think maybe they could
remove like, let's say remove the restriction of 75% but have a hard cap, okay, to have 10 crits or 10 high-end crits paid and also minimum bounty. Like at least 50K for six months, at least 100K for six months. That would be also, could be a good barrier also. No, I really like that. I would love to see the-
Justin Gardner (@rhynorater) (38:56.159)
Yeah, could be a good value or something. No, I really like that. I would love to see them move this top performer on the platform to strictly bounties earned from highs and crits vulnerabilities. Like if they're looking for people that are dropping a lot of highs and crits, then you should just look at highs and crits and then sort by amount of money earned from those highs and crits reports, right? Because you're essentially what that proves is you're finding lots of highs and crits on targets that are paying highs and crits well.
So I think that would accomplish their same goal. So you don't want to have like.
Gal Nagli (39:26.103)
Yeah, so you don't want to have one person, let's say Corbin finds a 1,500k bug on OpenSeal, let's say he finds 200k bugs.
You want to have like 10, you need to have like 10 of these in the field and you need to have the bounty average or the bounty stat. Yeah, totally agree with that. But there's a good opportunity there because I feel like there's probably not as many people that are submitting 75% hyzer credits. Yeah. If you really, if like your life goal is to get invited to a live hacking event, then it might be worthwhile to pass these bugs off to a friend or trade bugs off to a friend.
Justin Gardner (@rhynorater) (39:40.591)
Yeah, totally agree with that. But there's a good opportunity there because I feel like there's probably not as many people that are submitting 75% highs or crits. So if you really, if like your life goal is to get invited to a live hacking event, then it might be worthwhile to maybe pass these bugs off to a friend or trade bugs off with a friend and just focus on submitting highs and crits for six months if you wanna get invited.
Gal Nagli (40:02.174)
or, and just focus on submitting highs and crates for systems. The next sort of section that I thought we might have some conversation about is up to three researchers that are new to live hacking. This is researchers who have shown criticality, consistency, and contributed to the community across the Docker 1 platform, but have not participated in the live hacking they've previously. Hackers must have the below criteria, greater than 5k rep, greater than 5 signal.
Justin Gardner (@rhynorater) (40:07.175)
The next sort of section that I thought we might have some conversation about is up to three researchers that are new to live hacking events. And this is researchers who have shown criticality, consistency, and contributed to the community across HackerOne platform, but have not participated in a live hacking event previously. Hackers must have the below criteria, greater than 5K rep, greater than 5 signal. And so it seems like that is not too crazy of a...
Gal Nagli (40:31.582)
It seems like that is not too crazy of a criteria. Yeah. Right? Like there are a lot of people that have above 5k run out and above 5 signal. Yeah, I mean, nowadays I think when Acre One first began and I wasn't still hacking on the plans, signal was more in play because there were way more NA's. These days I think there was way less NA's only if you're really spamming, you get NA and your signal is getting affected. Yeah. But above 5k it's fair. Yeah. Like if you get 5k it means you did something. I mean...
Justin Gardner (@rhynorater) (40:36.627)
Criterion there right like there are a lot of people that have above 5k rep and above 5 signal
Gal Nagli (41:00.042)
I would say some people could have 5k only from VDPs as well, but it's easy to filter if someone has no bounties but above 5k. I think Ali actually got his first live hacking event invite because of that. He was like new to live hacking events and he got a chance as a community choice this year, so now they have this criteria and he did very well on the event that he participated in. So it's a good one to have. Yeah, yeah. No, I really like this one. I think it'll bring some questions about it and the criterion is not so difficult. Yeah, yeah.
Justin Gardner (@rhynorater) (41:18.847)
It's a good one to have. Yeah, yeah. No, I really like this one and I think it'll bring some fresh blood in and the criterion is not so difficult that it excludes a bunch of people. So I imagine what this will look like is either a lottery or some sort of choice system because there's going to be a lot of people that meet this criteria, right? And then there's also obviously, of course, the local hacker.
Gal Nagli (41:29.518)
it excludes a bunch of people. So I imagine what this would look like is either a lottery or some sort of choice system because there's going to be a lot of people in this criteria. Right. And then there's also obviously of course, the local hacker thing. So if you're, you know, if a local hacker is getting hosted in your city, there's a chance that you'll get invited to that simply because you're local and you don't require flights and hotels. Yeah. So that's something to be on the lookout for. I mean, the most...
Justin Gardner (@rhynorater) (41:44.463)
So if you're you know, if a live hacking event is getting hosted in your city There's a chance that you'll get invited to that simply because you're local and you don't require Flights and hotel and that sort of thing. So that's something to be on the lookout for as well
Gal Nagli (41:59.042)
The biggest change they did this year, I don't think you mentioned it on the docs, but I see it here. So basically from last year, they introduced a new criteria to have up to top 10 researchers from the past events. So they take the past three events, they accumulate the top 10 for each event, then they take the top 10 of the bounties, like individual bounties from the last three events, and they have another leaderboard, and they invite the top 10. So this year they made it 20. So there are 20 people. Either you got MVH, best...
exterminator, any other award or top 10 based on bounties, it really helps you, like you got the chance once, if you will be on the top five, top 10, get awards every event, you will be there again, which is very good, I mean, you don't want to be invited to an event, do very well, and then you wouldn't answer any other criteria, so you would be going, so that's I think the biggest and best change. Speaking from the heart right now, aren't you currently in the top five performance for all of 2023, right? No, no, I was, I mean, in Vegas I was top 10.
Justin Gardner (@rhynorater) (42:45.023)
Yeah. That's the biggest thing. Speaking from the heart right now, aren't you, Nagli? With his top five performance for all of 2023, right? No, no, it was.
Gal Nagli (42:56.77)
because it was two targets, but I was top 10 across most of them. But yeah, I mean, it helps you to also push harder when you get invited and not just lay back and chill, like try to do a good job to get invited to the next one. And also this year they mentioned specifically that they, I think they saw a little bit of trend of people who really don't find any bugs or don't even try, I mean, to have, and I think they specifically mentioned if we saw people who were invited and didn't really even try or something, they take it into consideration as well.
event. I think the trying piece is pivotal because I think if you don't try it's just disrespectful and it's a squandering opportunity that a lot of other people would fight really hard to get their hands on. So I'm definitely glad to see that as well and I guess within the life hacking root circle that extra top 10 piece is really interesting. Unfortunately they called out specifically in here the MVH being included.
Justin Gardner (@rhynorater) (43:26.639)
Yeah, no, I think the trying pieces is pivotal because I think if you don't try, it's just disrespectful and it's squandering an opportunity that a lot of other people would fight really hard to get their hands on. So I'm definitely glad to see that as well. And I guess within the life hacking group circle, that extra top 10 piece is really interesting. Unfortunately, they called out specifically in here the MVH would be included in the...
in the top 10 list or whatever, but I don't see that same little caveat that they've had in years past of MBHs being invited for the live hacking events for the next year in there anymore. There are so many now, you know? Yeah.
Gal Nagli (43:54.862)
in the top 10 list or whatever, but I don't see that same little caveat that they've had in years past of MDHs being invited for the live hacking events going to year in there anymore. There are so many now, you know, a lot of MDHs and a lot of events, plus five events a year. I mean, you could have like 10 award winners an event if you collab for Exterminator or for Best Collab, so it's harder now, I guess. It's definitely becoming more difficult.
Justin Gardner (@rhynorater) (44:21.003)
It's definitely becoming more tricky. And then the last one that I wanted to call out here was the plus one nominations, which I still think is one of the best ways to get invited to a live hacking event, if that's your goal, is to collaborate well with somebody who gets an invite to a live hacking event and then get that plus one nomination and get chosen for that. And for that, they don't lay out the specific stats that will result in their decision, because they can't accept everyone who's nominated. But if you have a good HackerOne profile,
Gal Nagli (44:22.966)
And then the last one that I wanted to call out here was the plus one nomination, which I still think is one of the best ways to get in right into a live hacking event. If that's your goal is to elaborate well with somebody who gets into a live hacking event and then get that plus one nomination and get chosen for that. And for that, they don't lay out the specific steps that will result in their decision, you know, because they can't accept everyone who's nominated. But, you know, if you have a good hack one profile and you get nominated as a plus one.
Justin Gardner (@rhynorater) (44:49.283)
and you get nominated as a plus one, you certainly have an opportunity. One of the things that I saw here though was multiple nominations does not increase the priority, excuse me, does not increase the priority to ensure consistency and fair review. So that's one thing that we've kind of talked about before at the top level of like, okay, we've got this specific friend that wants to be invited, we all want him there. And so we all put him as a plus one in hopes that he'll get chosen.
Gal Nagli (44:52.122)
We certainly have an opportunity. One of the things that I saw through that was multiple nominations does not increase the priority, does not increase the priority to ensure consistency of their review. So that's one thing that we've kind of talked about before at the top level of like, okay, we've got this specific friend that wants to be invited. You know, we all want him there. And so we all put him as a plus point, you know, in hopes that he'll get, he'll get chosen, but they've made a specific caveat to steer that is not. It makes sense. Yeah.
Justin Gardner (@rhynorater) (45:16.691)
but they've made a specific caveat this year that is not the case. Yeah, yeah, so that does make it a little bit more difficult to sort of brute force that process and try to force the people you want to get chosen in, but I'm definitely looking, this plus one nominations thing is one of the key pieces of the live hacking event sauce and finding people who are able to perform at live hacking events through referral essentially.
Gal Nagli (45:21.534)
Yeah, so that does make it a little bit more difficult to sort of reinforce that process and try to force the people you want to get chosen in. But, you know, I'm definitely looking... This plus one nominations thing is one of the key pieces of the live hacking event thoughts in finding people who are able to perform at live hacking events, you know, through referral essentially. So I'm continuing to...
Justin Gardner (@rhynorater) (45:44.867)
So I'm continuing to look forward to seeing how that is gonna play out.
Gal Nagli (45:46.934)
look forward to seeing how that is going to play out. Yeah, I think in general we need to be grateful to have events at all and even to be invited, it's like very... It's a crazy opportunity to have a good time, find good bugs, learn. Like, so it's very... Every time we get one, and I hope there will be as many as possible, and also with background integrity, I hope they will take to have, like... They will do well also in this year in terms of live hacking events, and yeah, I'm looking forward for the next year. Yeah, me too, man, for sure. All right, last thing that I wanted to cover...
Justin Gardner (@rhynorater) (46:12.731)
Yeah, me too, man, for sure. All right, the last thing that I wanted to cover before we get some food, I know I've been teasing you at dinner, like, we'll go get some dinner, but, no, is this whole concept of bug bounty motivation. And you shared with me while you've been here, you know, maybe when we're chilling in the hot tub or, you know, relaxing, that you struggled a little bit with motivation with bug bounty outside of the life hacking events. And...
Gal Nagli (46:16.642)
where we get to food. I know I've been teasing you with dinner. Like, no, it's okay. It's okay. I can still buy it. It's okay. Is this whole concept of bug bounty motivation. And you shared with me while you've been here, you know, maybe when we're chilling in the hot tub or, you know, relaxing, that you struggled a little bit with motivation with bug bounty outside of the life hacking events. And one of the ways you've tried to solve that is by sending out this, you know,
Justin Gardner (@rhynorater) (46:42.431)
One of the ways you've tried to solve that is by setting up this 50K bounties in 50 days challenge and kind of trying to motivate yourself. And I'm sure the Ambassador World Cup also helped, but trying to motivate yourself outside of live hacking events. So, two part question here, okay? First question is, do you think live hacking events have sort of poisoned your brain in
Gal Nagli (46:46.306)
50k bounties in 50 days challenge and Kind of trying to motivate yourself But you're to motivate yourself outside of life Do you this is two-part question here? Okay, first question is do you think life hack events? Have sort of poisoned your brain And kind of made it more difficult to focus on non-life hack And then to what are some ways?
Justin Gardner (@rhynorater) (47:10.115)
and kind of made it more difficult for you to focus on non-life hacking men targets. And then two, what are some ways that you have found to try to motivate yourself outside of a life hacking men?
Gal Nagli (47:15.606)
you have found to try to motivate yourself outside of a life, I think. Yeah, I don't know if it's the challenge or if it's the public accountability because the leaderboard is open for everyone or if it's the fight with friends, but definitely every gamification, external factors helps you to focus more and know because like I said, I have now 90 different programs and I know we pay well if I focus on them, but how can you focus on 90 programs with 500 rule domains and...
250,000 subnumens. So that's like the question, where do I focus now? Oh wait, I focus here, my ROI wouldn't be that good for other programs. So it's like, in poker they say EV, you know, expected value. Do you want to play the hand? If you, I mean, do you expect how much you could earn if you make this play based on the probability and stuff? Like in general, I mean, am I making the right choice focusing on this program when I have all of the other programs awaiting?
So the best way to have the best EV or the best ROI is like when there is an event and everyone is focused and you can get invite to the next event if you do well. So that's like the best ROI that I can get. I don't know in like on normal times, we don't know where is the best ROI to get. I mean, maybe if someone tweets, oh, I got 100K from Epic Games, so I got 250K from Epic Games, maybe the best ROI will be there at the moment. So it's all about the moment, like where would we find the best ROI at a given time? So.
Some of the people I know were looking at the activity feed on Acre One, just to see programs who resolve the bug, to see, okay, they're alive. Let's check them because they are active. Now we can't do it because they changed something in the activity, but they will revert it back, I think. But it's basically like that. I mean, find a way to know which programs are active, paying, if you can make a competition or between people like a league or something like, to have extra motivation to do better. But yeah. Between you and the program. Yeah, just for the fun, for the fun, just for...
Justin Gardner (@rhynorater) (49:07.598)
between you and your friends maybe.
Gal Nagli (49:11.718)
focus with another person. So yeah, I mean, a lot of ideas that I don't have answers for, but if anyone knows. Or maybe fly out to Virginia and hang out with your friend in person and do some hacking. Yeah, competition and stuff. Yeah, that's good. Yeah, it's a hard problem to solve the hacking and innovation thing. And I kind of shared with you when we were talking about this thing, for me, it's a lot about forcing yourself to start doing it. And then from there, you...
Justin Gardner (@rhynorater) (49:17.867)
Anyone knows. Or maybe fly out to Virginia and hang out with your friend in person and do some hacking there. Competition and stuff. Yeah, that's good. Yeah, it's a hard problem to solve the Bugatti motivation thing, and I kind of shared with you when we were talking about this that for me, it's a lot about forcing yourself to start doing it, and then from there, you get curious about the target.
Gal Nagli (49:41.73)
get curious about the target, right? You, for me, I get that technical curiosity that kind of grows. Um, and, but in the beginning, you really got to force yourself to go, you know, back down that deep that I began, uh, which is definitely hard to do. So it's a, it's a struggle that we all kind of deal with and we'll continue to count as book down hunters, but, uh, I'm sure it helps everyone who's listening to the podcast to know that a top hunter, uh, even if it's not automation, as to like yourself, uh, deals with those sort of similar struggles. So.
Justin Gardner (@rhynorater) (49:43.047)
Right. You, you, for me, I get that technical curiosity that kind of grows. Um, and, but in the beginning, you really got to force yourself to go, you know, back down that deep dive again, uh, which is definitely hard to do. So it's a, it's a struggle that we all kind of deal with and we'll continue to overcome as bug bounty hunters. But, uh, I'm sure it, it helps everyone who's listening to the podcast to know that a top hunter, uh, even a top automationist like yourself, uh, deals with those sort of similar struggles. So thanks for sharing that. Not really.
Gal Nagli (50:10.562)
Thanks for sharing that. Yeah, for sure. All right, man. The time is up. Let's go get some dinner. Yeah. I think, I think that's it. That's a wrap. Okay. Thank you very much. Peace.
Justin Gardner (@rhynorater) (50:12.419)
Alright man, the time has come, let's go get some dinner. I think that's it, that's a wrap. Okay, thank you very much. Peace.
