loading...

From beginner to submitting 5 reports to HackerOne

pirateducky profile image pirateducky ・5 min read

Success is going from failure to failure without losing enthusiasm. - Winston Churchill.

I am writing this to make myself accountable, and as a disclaimer although I have submitted 5 reports to hackerone, a bug bounty platform, none have been paid. I currently have 4 duplicates and 1 informative, here is my hackerone profile: pirateducky.

I started my journey learning about web application security at the beginning of this year(2019), after being rejected for a front-end developer job. After that I looked back at why I had started to learn to program and I remember telling myself that I wanted to learn how to hack - that was about 4 years ago, at which time I bought the following books:

  1. The Basics of Hacking and Penetration Testing, Second Edition: Ethical Hacking and Penetration Testing Made Easy
  2. The Hacker Playbook 2: Practical Guide To Penetration Testing
  3. Rtfm: Red Team Field Manual

I started reading and not understanding anything, but I kept trying, using Google and YouTube to do research, at one point I decided to go back to the basics, and started to look for resources to learn how to program. I eventually found a course on coursera which taught me how to build web applications. I failed a bunch of times, taking hours to troubleshoot small problems(looking at you syntax errors), trying to understand CS concepts and smash my head until that "AHA!" moment would come. I enjoyed challenging myself and learning new things but up until that point I had learned and not put into practice anything I learned. I took courses online and bought some really good course material - which has been super helpful but at some point I forgot why I started this whole journey, that is until I got rejected from the job I applied for. After being rejected the "Impostor Syndrome" kicked in, and I couldn't help but feeling like I didn't know what I was doing, but then I found the hacker101 CTF which allows you to solve challenges and get flags which turn into points which eventually turn into invitations to private programs where your chance to find a vulnerability and get paid increases.

I started doing the CTF and got completely lost - after the first challenge. Then I hopped on twitter to see if I could find someone doing the CTF as well - using my awesome OSINT skills I looked up #hacker101 and found a user(@nemessisc) that had started a Discord server for people who were doing the CTF, and shot her a message asking her if I could join, she sent the invite and this is where it got interesting. I found the most amazing community there, full of people who were also doing this CTF and struggling just like me, sharing resources and just overall being friendly. It's awesome and I have made so many friends through there, some are expert hackers that have been featured in the NEWS others are beginners just like me, and we all help each other.

Through the help of these awesome people I was able to understand the basic vulnerabilities going from challenge to challenge using Google when I didn't know what I was doing or what to ask. After a few weeks of doing the CTF I decided to go out and look for bugs, I popped an XSS on a site and I felt the rush, it felt awesome to see my alert(1) actually showing up on a page, I then submitted the report and it came back as a duplicate, meaning someone else had found it already but still - I had found an actual bug, it was an awesome experience, from there on I continue to work on the CTF and hunted for bugs, I have found a total of 4 duplicates and 1 informative.

I have also attended my first security conference BSidesNash. I found an awesome group of local hackers organizing the conference through twitter of course - they invited me to join and be part of the organizing which I gladly did and it was the best choice I could have ever made because I met so many friends and cool people. Being around people who share the same interests and who push you to do better is amazing, and something I haven't had before, so I felt right at home. I am continuing to learn every day, reaching further and pushing my knowledge to the limits. It has been an awesome experience to get to know everyone, and learning new things always makes excited so recently I have felt like a little kid in a candy store. My goal is to keep pushing myself and learn from the people I have met both in the discord server and locally.

I got rejected from the front-end position but that pushed me back to the reason why I started all of this, because my curiosity knows no limits and my hunger to learn has been insatiable lately, I am fully committed to this and want to make a career out of it - so life, universe, or whatever you want to call it: I am ready, I am ready to challenge myself and learn everything I can. I am still looking for my first valid bug and I know it's near. In the words of a famous philosopher -

"Gotta catch 'em all" - Ash from Pallet Town.

Tips that I as a beginner think are important:

  1. Be nice to everyone.
  2. Don't be scared to ask questions.
  3. Patience.
  4. Perseverance.
  5. Join a community (S/O to the hacker101 Discord) If you want to join here's the invite.
  6. Find a local group of people (S/O to BSidesNash).
  7. Take breaks away from the computer.
  8. Share what you have learned.
  9. Don't hack something you have no permission to hack.
  10. Have fun.

Some cool resources to check out for beginners:

  1. hacker101 CTF - HackerOne CTF
  2. hacker101 YouTube Hacker101 Playlist.
  3. Stök's YouTube - Awesome YT channel.
  4. PortSwigger University - Awesome educational content.
  5. Web Hacking 101 when you sign up for hackerone you get this book for free
  6. PayloadsAllTheThings - Repo with payloads of all kind.
  7. PenTester Land - Sign up for their newsletter is awesome!
  8. Learn X in Y Minutes - Awesome primer for programing languages.

For future me: I hope you are still learning new things and that your curiosity has not died out, I'm sure you have met even more awesome friends and have gone to some cool events. Stay curious and don't let anyone tell you that you can't do something.

Posted on by:

Discussion

markdown guide
 

Hi, I’m also a N00B like you but I would suggest sticking with one or a few applications and learning interesting things apart from low hanging fruits like xss etc. Challenge yourself to go for the hard high hanging fruits that pay a buck. Also you can top your game by reading specifications and standards of the web. Lastly work with a mentor, be positive minded more and document your findings.

 

Thanks for the awesome feedback, reaching further than just low hanging fruit is really important for growth and education, and also finding a mentor & group of friends is huge because this field is hard and it can get frustrating, so I absolutely agree with everything you said!

 

I am security researcher at bugcrowd but same like all got duplicate can you help me related to CTF I find much but got much resources but can't understand where to start like in bug bounty I learner from p4 to P1 but here is no idea what to do ?

 

I think the most important thing in bug hunting is sticking with a target, choosing one vulnerability and sticking with that one throughout the application seems to be what most bug hunters suggest. Also, use the application as a regular user and keep in mind all endpoints you see, this will give you a good layout of the application and the functions that run in the back-end. I'm still looking for my first valid bug as well but let's keep trying and learning! If you have any tips I'd love to hear them as well!

 

So very helpful and thank you for such valuable insight and information

 
 

This was such a fun read. Even I'm on my initial stage of learning the "hack" and I've been told by many that reading books and grasping blogs is the key!