Last month, we organised our best and biggest Live Hacking event in Brussels, the heart of Belgium. Thirty carefully selected individuals from all around the world joined us in our mission to help secure a couple of high-profile targets. Stakes were high, as bounties up to €15.000 were offered for valid security concerns raised by our researchers. One of our amazing hackers took the opportunity to describe this experience from their own point of view — enjoy! 

IMG_0749

Had I been told a year ago that I would attend this live hacking event, I would have laughed incredulously. But here I am at a 4-star hotel at the heart of Brussels. The elevator door opens and inside are four familiar faces… Some of the best hackers in the world that I’m only used to seeing in interviews and on Twitter, sharing advice and exploits.

I barely managed to say hello, choked up, like a fan who would have seen the Kardashians.

Later that night, I met more hackers gathered at the hotel’s lounge. Some were regulars of live hacking events, traveling across the world several times a year, most of them knew each other, and a few were first-timers like me.

My intention with this recap is to share how I experienced this event and the lessons I learned from it. I hope it will give you a taste of what a live hacking event looks like, and that it will motivate you to continue hacking and surpassing yourself so that you are next on Intigriti Hacker Airlines.

Throwback to 2 months before the event, when all this started…

2months.png

I got an email invite to the event with an RSVP form to confirm attendance.

I could not believe it, but it got real a few days later went Intigriti’s Travel Team contacted me for choosing plane tickets.

1month.png

I was added to a private Slack group for everyone going to the event. The first thing I did was check the list. Imagine the Hall of Fame that scares you off a program, but worse!

A few days later, I also  got an email with more practical details like the hotel and venue addresses, the date of a scope call with the client, an RSVP form to claim a free Uber ride from airport to hotel and back, an RSVP form for a Virtual Reality (VR) activity, and another one to confirm whether I want to appear in pictures on not.

2weeks.png

I received an NDA to sign online, before the scope call.

12.png

This is the day everyone was waiting for! During the scope call, we finally got to know the target, plus some information on their architecture and some of the assets in scope. We also got a private invitation to the program on the platform, and credentials to enroll into the mobile apps and website.

I couldn’t make the call. So, I was relieved to see that it was recorded and shared through the program’s page. In fact, all important information was written, shared, highlighted… And right after the call, the Slack group went crazy. So many messages, questions, requests, updates…

Bug submissions also started rolling out quickly.

What struck me most during this phase was that despite this being a very competitive situation, many hackers helped each other and shared with everyone tips to save time and troubleshoot some common issues.

3.png

I got an email with last details like the hotel and venue, Uber’s airport pickup location, contact numbers, check-in information, etc.

That airport map with Uber location was of great help. Since I knew I wouldn’t have 3G in Brussels, I worried that it would be complicated to find the car. So, it was a little attention from Intigriti, but greatly appreciated!

2.png

I hopped into an airplane to Brussels, checked into the hotel, visited the Grand Place (beautiful lights by night), and had dinner at my favorite fast-food chain (EXKI for the curious).

Once I got back to the hotel, I was surprised to find a welcome swag pack that I didn’t notice before. Early Christmas as you can see:

Then I joined a group gathered at the hotel lounge for a drink. It was awesome to finally put a face to many (Twitter) names.

1.png

Until 4 pm, we were free to either hack or relax/visit the town. In the afternoon, a bus took us to a VR place that was fantastic. There is a game I really liked but only started getting the hang of it at the end. So, now I have to make it to another LHE to play that game again!

0.png

Finally, the big day!

HACK0024 copy

I arrived at the venue around 9.20 am. After presenting myself at the reception, I was given a badge, a hoodie and a poster to sign. Afterwards, we were guided to the 3rd floor, where all the hacking was happening.

HACK0055 copy.JPG

We could choose between 3 rooms: one for people collaborating, one for relaxation and discussion, and one for working silently. I chose the last one. It had a big screen with a leaderboard.

HACK0266.JPG

Then Inti explained the duplicate rules and introduced additional scope.

Hacking had officially begun!

HACK0296.JPG

The leaderboard was updated from time to time to reflect triage results.

From that point, I didn’t notice much apart from what was going on in my laptop’s screen.

HACK0354

That was until El Profesor from La Casa de Papel, (aka Inti) appeared in the room, with music in the background and a briefcase in his hand. He opened the briefcase and started throwing (surprisingly realistic) fake money on someone. That person had just received a bug bounty, as indicated by the updated leaderboard.

HACK0504 copy kopie

It still rained money for a few minutes, then everyone got back to work.

At the end of the day, we had a very fancy dinner. It was really delicious. If only I didn’t have so many snacks before!

Afterwards, winners were announced and awards attributed. Some of the best bugs found were briefly explained. That was high level stuff!

Award Winners

Lessons learned / My takeaways from this event

  • Hacking actually starts days before the event, so make sure to free up time. I thought only recon would be authorized and definitely did not plan enough time for this phase.
  • Decide what you want before the trip: Miss social activities and focus only on hacking, or do both. Some night owls went to the VR activity and got out for lunch/dinner, but spent the night working.
  • Get a good laptop. In my case, 8 GB of RAM was definitely not enough for comfortably running two Android Studio emulator devices, Burp Suite, a VPN, and tons of browser tabs.
  • Enrollment and setting up the testing environment for this event was rather complicated. But I heard since day 1 that the ones who stuck with it and overcame these hurdles were able to find bugs sooner than the others. They had an advantage over hunters who were discouraged by setup difficulties and thus only had access to a limited scope. So, lesson learned: persistence gives an advantage!
  • Surprisingly, a lot of work could get done in one day, especially because there were no distractions. The room dedicated to those of us who wanted to work in silence was a good choice.
  • Not all assets in scope are announced before the event. More can be disclosed onsite.
  • VR games are fantastic! R.A.V.E.N., the place we went to in particular had cool games and great food. It is worth trying if you’re ever in Brussels.
  • Brussels (at least the center) is way more beautiful than I expected. It is worth visiting again for both its historic monuments and food specialties.
  • There is no need to worry about food if you have a special diet. I am pescatarian and was more than delighted during this whole trip. Just remember to specify all dietary needs when you fill-up the RSVP form for the event.

All good things must come to an end

This was a dreamy experience for me. I went back home with cool swag, nice memories, and motivated to dedicate more time for bug hunting. Hackers I met raised the bar so high with impressive and very creative bugs. So, thank you for being such an inspiration!

I also want to thank Intigriti staff for being so welcoming and for the impressive attention to details. It did not go unnoticed!

Also, a big thank you to the client without whom all this would not have been possible.

If you’d like to attend a live hacking event yourself, you can! For future event invites, we will use our rolling 90-day leaderboard as a reference, along with geography, average severity score, performance during previous live hacking events and customer related skillsets.

Hope to see you during one of our next events! Happy hacking!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.