Being honest with hacking

You're scrolling twitter (or x now) or on a discord, or just on youtube, google, what have you and you see multiple posts "$10,000 bug bounty!!! $50,000!! $100,000". And it seems like an auction of bug bounties. Or maybe you hear about pwn2own and see that some teams get awarded up to $250,000 and you think to yourself "wow, hacking seems like a big money maker, I think I'll take a crack at it." 

So you spend the next 6 months, or 12 to get into bug bounty hunting. You read the books like bug bounty bootcamp, the tangled web, etc. you watch the youtube videos like insiderPhd, codingo, and so on. And you spend a lot of time learning about the web, you find a bounty platform like bugcrowd and you dive into a platform after 6 months. At the end of 12 months, you've found nothing. Nata. Zilch. So what do you do? Do you continue another 12 months? Or give up?

I want to preface this with saying that I am not trying to discourage *anyone* from getting into ethical hacking/bug bounty hunting/etc. I believe we need more people from different backgrounds. What I want to get across is this: hacking is hard and developing the skills to become a good hacker takes time, like anything. 

From my point of view it seems there is a pervasive tendency to oversimply the complexities of hacking, and to sensationalize it. Believe me, finding a big bounty or getting a z-day, or getting root even on a ctf is extremely rewarding and feels amazing. But we have to be real that it takes time to get to this level. You might think it's obvious but from someone who came into hacking bright-eyed and bushy-tailed with the expectation that I could be making $10,000 dollar bounties within 12 months or so, it wasn't. Sure, part of it was ignorance on my part and I admit that, but part of it also was industry hype and bootcamps. (I also want to be clear I am not calling out anyone specific, or mentioning anyone on purpose above to call them out. The people I mentioned just happen to be popular within the bug bounty community). 

It takes time, and time, and more time to get to a good knowledge of any platform. With the amount of technology out there it seems impossible to learn it all, and it is. So you focus one thing and dive into it to learn, and accept the fact that you'll be learning the rest of your life. A lack of knowledge can bring about mistakes. Let me give you a personal example. 

Recently I thought I had found an open redirect bug on a certain platform. I was very excited. Testing it over and over, and confirming with others. Others had commented on how it seemed to be just how browsers/url's work, not an actual exploit. But the hype of finding my first bug was so much that I submitted it anyway. And guess what? It was non-applicable. LOL. Quite embarrassing to say the least. The thing is, no matter my attempts to try and get a bug bounty, and how bad I wanted it, I just didn't understand what I was doing completely. Sure, I understood in simple terms, but if I had had a better understanding than I would have said "ope, well, let's try something else!" 

I could have easily let this bruise my ego and given up, and thought I wasn't capable of much. But I am not a quitter, instead I used this as an learning opportunity in order to better understand open redirects (which is what my next blog will be about!) and make sure I *understand* completely. 

I don't want to communicate that hacking is some impossible dream only meant for super nerds. I really just want to express that all those $10k plus bounties you see, there are a plethora of non-applicables, duplicates, lower payments due to disagreement on severity, and so on. The thing is, to not give up. As a hacker you have to be comfortable with not finding anything. These people that find multiple zero days or get $100,000 a month from bug bounties have been doing this for a long time. Or, they have obsessed over it so much they've spent copious amounts of time on it. So please do not be discouraged. In fact, be encouraged. If you find yourself struggling and seemingly finding dead ends, then good for you! It means you're becoming a better hacker. Slow down, take a deep breath, take a walk, and try again. :) 

Thanks,

BlackCatt

Comments

Post a Comment

Popular posts from this blog

Post SOTB and Happy New Year :)

Image
 If you missed out on SOTB that really stinks, but also I understand. Shell on the Border happened during new years and man was it an amazing experience. I couldn't attend the speaker part but the ctf was fun. It was at an arcade that had major Mr. Robot vibes. A truly different and awesome experience in the unlikely city of Fort Smith, Arkansas. Want to make a huge shout out Shyft, MoonKaptain, Fie, FractumSeraph, Allee, Fort Smith Arcade, and HackNWA (if I forgot you I am sorry it's not on purpose). All of y'all made this an amazing experience and the work we put it in was definitely seen. I am proud to be apart of FS2600 and I am grateful for the opportunity to be able to help, and to even do some of my first challenges.  I wanted to go over my challenges that I did, just 3, for those that are curious. First of all this being my first time making CTF challenges there were some mistakes on my part. I had made these challenges with a huge assumption of prerequisite knowled
Read more

Arkansas Hackers: More than meets the eye

      What do you think of when you think of Arkansas? Walmart? Bill Clinton? Barefooted hillbillies? Now, what do you think of when you think of a hacker? I am willing to bet that most of you reading this probably don't think the two go together at all. But you'll be surprised to find out that there is a large group of Cybersecurity experts and hobbyists with all kinds of interests. And so hopefully by the end of this post you will see just how expansive Arkansas Hackers is!  Last week from Friday the 6th to Sunday the 8th I had the privilege of being able to attend a popular hacking CTF that goes by the name of JOLT. For those that may not know, a hacking CTF is basically where teams of hackers come together to try and get flags that are behind challenges. These challenges are wide-ranging and cover all types of hacking areas. Other than the bragging rights there are generally rewards for the top 3 winners. JOLT is located in Little Rock, Arkansas and is headed by members of
Read more

Vulnerability Spotlight: Type confusion

What is type confusion exactly? And how can it be used to exploit programs? According to the CWE (Common Weakness Enumeration) "Type confusion is when: the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. When the program accesses the resource using an incompatible type, this could trigger logical errors because the resource does not have expected properties. In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access." C and C++ are common examples used because these languages do not have type checking. This allows attackers to potentially exploit type confusion within C/C++ programs, which can lead to code execution. Of course C and C++ are not the only examples, languages with dynamic typing generally (like Perl) have this issue. C++ has 3 main Cast
Read more