Bug Business is a series of interviews in which experts from the bug bounty industry shine their light on bug types and trends. The next three interviews will feature the top 3 bug hunters in our leaderboard in the first quarter of 2020.
Bitmap came in second with an Exceptional streak. He took time off collecting bounties and posters to answer our questions.
Hi Tom! Can you tell us a bit about yourself, who you are and how you got into bug bounty hunting?
Hi! I’m Tom, 23 years old, born and raised in Belgium. I’m currently building a house with my girlfriend and I’m the owner of a Bernese mountain dog called Lowie. I practice martial arts three times a week to clear my head and build up a bit of fitness. I’ve been passionate about IT since I was a little kid, trying to get into my brother’s desktop to play the new DOOM game (DOOM III) 😀. I played around with Windows commands and tricks to fool others on the same network, like msg.exe and shutdown commands, because I thought it was funny. As an 11/12-year-old, I was booting BackTrack and learned the concept of shells and basic malware stuff, which I sent to friends to pwn their systems (I told them it was a new video game hahaha).
When I graduated high school in human sciences, I went to study Cybercrime in college where I first got in touch with bug bounties. Back in the day, Arne Swinnen gave a talk at our college about his Instagram findings and handed out Intigriti stickers. I registered on the platform but I wasn’t really an active member.
I got a job as a pentester after graduating college and learned A LOT during the first year. I also did more bug hunting and had more success than in the beginning (read: I was stoked about finding an XSS, nothing fancy). As time passed by and my knowledge grew, I found more critical stuff and became really addicted.
So, what does your life look like now? Do you do bug bounty full-time or as a hobby, and how does it fit into your life?
I’m still working as a full-time penetration tester at NTT Belgium where I combine pentests with 0-day research and red team assignments. I start bug hunting when I get home for about 3-4 hours a day and in the weekend. It still feels like a hobby but I have to admit I feel a bit addicted and my girlfriend regularly has to pull me away from my laptop.
Now onto the technical questions! How do you approach a target? Do you follow a pre-defined methodology? And would you recommend testing few functionalities for all possible bugs, few bug classes across all endpoints, or anything else?
I tend to pick targets that are a bit aged because there’s less chance of duplicates. I always start with recon and screenshots of every domain followed by directory bruteforcing with a smaller wordlist to quickly find common or interesting directories. I manually check each domain one by one with bigger wordlists if I feel like they’re interesting or promising.
I always approach wildcard (*.) domains in waves of hunting. In the first wave, I go over the more common issues like XSS, IDORs, SQLi, etc. on every domain. Once that’s done, I do a deep-dive into the interesting domains and try to find logic bugs or more complex chains tied together. Lastly, I tend to check if there’s an interconnection between systems or applications that can be abused (e.g. an API that returns data I also noticed on another web application).
Does recon play an important part in your bug hunting? And what does it look like for you?
Recon is definitely an important part of my bug hunting because it might expose scope others didn’t discover or haven’t discovered yet. I created some custom scripts to perform recon based on publicly available APIs to quickly discover e.g. subdomains, as well as subdomain bruteforcing techniques to have thorough scope coverage.
Do you have any favorite bug classes or types of targets that you focus on the most, and why?
If I had to pick a favorite target type, it would be hosting providers. I do a lot of infra-related stuff during my day to day job ranging from internal tests to red-teams and I just feel comfortable hacking networks or active directory stuff. Infra targets are pretty limited so most of the time I choose targets I use on a daily basis or I think are interesting to look into.
I don’t really have a favorite bug class but I like things like sandbox escapes, local file inclusions and IDOR issues.
What was the most interesting bug you found (or your favorite)?
My all-time favorite is a full Active Directory compromise of a hosting provider network. I used a hosting package as my entry point and created SOCKS tunnels to a cloud box to relay SMB and LDAP traffic to the internal network, and ultimately gained domain admin rights on their Active Directory.
Now a classic question. I think a lot of people are curious to know about the tools other bug hunters use. So, what does your arsenal look like? Which types of tools do you rely on, how do you choose them and which would be your favorites?
I think my setup is pretty standard in comparison with other hunters. I use Burp Suite as an interception proxy together with plugins like Authorize, Reflector, File Upload Scanner, etc. If I need some custom behaviour, I like to use mitmproxy on top of Burp with custom scripts because it allows me to quickly script something and run it inside a proxy.
I like Dirsearch a lot to quickly find interesting directories because I like the overall output format 😀
With regard to infra, rpivot and the Impacket suite are my go-to tools for SOCKS tunnels and AD interaction.
What advice would you give your past self about bug hunting?
Patience, patience and… patience. My past self would move to another target if I didn’t find something within a couple of hours. I learned to not always rush a target but to take time and learn the different areas of a target and logic of different functionalities.
I also want to add that imposter syndrome is something I struggled with in the past (and still do), especially during live hacking events. I just collapse when I see crits coming in and I still have nothing. My girlfriend helped me to downplay the feelings but I still have it a bit somehow.
One of the main hurdles many bug hunters face are burnout and time management. As a successful part-time bug hunter yourself, do you have any advice for hackers struggling to find a work-life balance? Do you have any processes or habits that helped you improve your hacking skills and results, while having a full-time job, a social life, and staying sane?
Personally, I try to limit the amount of hours I spend on bug bounty in a day to 3 or 4 hours after work. Otherwise, I’m lost until late at night. Of course these hours vary if there’s an upcoming event or some other assignment. I try to keep evenings in the weekend for my girlfriend, family and friends to have some quality time with them.
In terms of improving hacking skills, I learned a lot from blog posts and write-ups. I try to keep up with new posts on a daily basis to cover the most interesting ones.
One thing that can help keep track of everything is taking good notes. Do you use any note-taking apps or knowledge management system?
I always use markdown to take notes because I’ve been using it for a long time and got used to it. I like the fact that I can insert images or create flows without any hassle and have a decent output format on top. Visual Studio Code in combination with the Markdown Preview Enhanced plugin is currently my go-to tool for taking markdown notes.
Why do you hack and what motivates you to keep on bug hunting despite any hurdles?
Bug bounty and IT security just attract me. I like the “blood rushing through my veins” feeling when I discover an issue. On top, I really like creating stuff as much as breaking stuff, some custom malware for a red team or some scripts that make my life easier.
Which hacker(s) would you give a shoutout to, whether they are a mentor or a community member?
I would like to give a shout out to @rogue_kdc for teaching me a lot of fat client stuff I had little knowledge of before. I would also like to mention @Ward_V who taught me most of the AD skills and is always available for a brainstorm.
Have you already collaborated with other bug hunters? Can you share with us your experience, and if there is anyone you would like to collaborate with in the future?
I didn’t really do a decent collab before. Feel free to ping me on Twitter or Slack if you’re up for it!
What are your expectations of bug bounty platforms, and why did you choose Intigriti?
I really like short response times and support on platforms. It just sucks to see your crit in Triaged for a couple of weeks/months. I think Intigriti stands out as the triage team is really working hard to get you your well deserved money as fast as possible. Other community members are always available on Slack to answer scope or other questions so you can focus on finding bugs instead of wasting time on support.
Thank you so much for this interview! Any last words?
I would like to thank you and the Intigriti team for this interview!