Note that during these interviews I also moderate thus quality may vary.

Profile ๐Ÿ

  • 33 years old
  • Job was made redundant - โ€œhit rock bottomโ€
    1. Started in IT helpdesk
    2. Got his comptia certs
    3. Saw STOK video, got interested in bug bounty
    4. Went to DEFCON
    5. Been hacking for 1 year and full-time since 6 months
  • Hobbies
    • Likes to go to the beach

Bugbounty ๐Ÿ

  • Came across STOKโ€™s video
  • Didnโ€™t know anything
    • Difference between GET and POST etc.
  • Basic networking
    • How IPv4 and IPv6 work

Learning ๐Ÿ

  • Started wrong
    • No foundation, depending on tools.
  • Go deep
    • Read RFC
      • Get solid foundation of HTTP works
    • Look up how headers work
    • What do these cookies mean?
    • Google what you donโ€™t know
  • Spend a lot of time doing X
    • Bash
      • Build one-liners for yourself.
    • CLI
    • Watch others and copy. Then make it your own.
  • OWASP top 10
  • Focus on web sec academy

Tips ๐Ÿ

  • Beginner: pick a vuln type
    • Pull up every single resource and go through it
      • What was their mindset?
      • What is their approach?
    • Go to DoD and grind for 8-9 hours
  • How to pick a program?
    • Bounty tables, have to be financially positive
    • Bounty table > scope
    • Is there a lot of features to work with?

Certifications ๐Ÿ

  • OSCP (certs) are valuable when job searching
  • Gets you past HR

Mentors ๐Ÿ

  • Anyone who puts out content

Programming ๐Ÿ

  • Programming isnโ€™t a requirement but definitely beneficial.
  • Itโ€™s a requirement for himself
  • Took a JavaScript course to level-up.
  • Took Golang and Python courses after that.

Recon ๐Ÿ

  • Gathering intelligence
  • Helpful when chaining vulnerabilities
  • Single web app
    • Use it as a user
    • Go through sign up process
      • Analyze requests
    • Go through JavaScript automated and manually
    • Waybackurls
    • Take notes of interesting behavior/findings while analyzing (turns into checklist)
    • Go through same process the next day while leveraging known data

Tools ๐Ÿ

  • FFUF
  • Waybackurls
  • gau
  • Burp Pro
    • Auto-repeater
      • Replacing auth tokens
      • Changing GET to POST
      • Change content type to XML
        • Look for error
    • Authorize
    • Upload scanner
    • Burp history
      • Compare sessions

Routine ๐Ÿ

Hack 8-12 hours a day

  • Get up 5:00-5:30AM
  • Meditate/gratitude
  • Run/walk
    • cognitive benefits
    • Listen to hacking related stuff
  • Green juice
  • Shower
  • Start hacking
  • Game / relax
  • Hack some more (4 hours)
    • While in game queue go through Burp requests
    • Read write-ups
    • Perform light fuzzing
  • Go to bed at 10:00PM

Burn-out ๐Ÿ

  • Try to understand why heโ€™s burned out
  • When he feels burned out he goes into learning mode
  • Take long breaks
  • Push yourself but donโ€™t overdo it

Imposter Syndrome ๐Ÿ

  • Definitely deals with it
  • Acknowledge that heโ€™s a beginner

Collaboration ๐Ÿ

  • Nahamsec
  • Specters
  • Would collaborate with anyone

What's buzzing?

If you have a question, a comment, or if you just want to say hi, feel free to reach out on Twitter.