Think like a hacker
I learned hacking by myself 7 or 8 years ago. After studying software engineering at university, I started learning and coding tools. I became a Bug Hunter and found critical vulnerabilities for companies such as PayPal, Google, Kaspersky, Mozilla…
I also frequently participate in many CTFs with my teams (my current team is DCUA).
When I create a new CTF, I always try to think like a hacker, and I develop different plans for each task. I start by coding tasks and preparing the environment and the CTF platform. Then, I deploy tasks on different servers and Dockerize them. I prepare exploits for each task and test all steps before running the CTF. Finally, I create hunters' accounts.
I get my inspiration from many CTFs and bug bounty programs I participate in. I try to create new and funny challenges based on the latest CVEs or bugs. My goal is to encourage hackers to learn new techniques and to challenge their abilities.
I also read write-ups about bugs, or check public reports on bug bounty platforms.
Securing challenges is the hardest part. When you play with hackers, you have to think about every possibility of how they could hack your platform or tasks 😉 I make sure that both the platform and the challenges are secured so that hackers don’t spend time trying to break into the platform; the CTF’s purpose is to test hackers on specific challenges.
Before launching a CTF, I code my own solution (exploit). During the challenge, I always check the status of each task, and I try to help hunters by adding hints and answering their questions by email.
I love CTFs! I have participated in more than 50 CTFs (local and remote). Here are my favorite ones:
• C3CTF (or any CTF managed by Eat, Sleep, Pwn, Repeat)
• Google CTF
• Facebook CTF
My favorite type of CTF is Attack-Defence, but it’s quite rare. I think it’s more exciting and challenging because each team has its own servers and vulnerable services. They have to attack each other’s apps while protecting their own from being hacked. I also enjoy playing Jeopardy CTF. (Jeopardy CTF is a kind of CTF where you just have URLs to test and no access to servers.)
My best CTF was when my team qualified to play in the CSAW finals. We missed our flight to Dubai and had to wait until the next day to take a plane. We didn’t get any sleep, and one of our team members was missing – I know it doesn’t look like a great experience for now.
When we finally arrived in Dubai, we started playing right away. We began with the most difficult task, and received the first blood. This encouraged us to continue, even though we had to take turns to sleep to survive this challenge!
In the end, we won this competition, and were really thrilled about it. As for my worst CTF, it was a local CTF in my country. We had almost solved all tasks and were ranking first. During the final hour, we realized that some teams had collaborated and shared flags (which is forbidden), without leaving any proof.
The organizers didn’t tell us that the flags were fixed, so we lost a lot of time trying to win something that was already won. In the end, the team who cheated stole the 1st place. It’s really frustrating to work so hard and to experience cheating like this.
If you want to become a bug hunter, you have to learn the basics that will help you understand how each application works. If you want to go further, you can learn a useful programming language that you can use to automate your POC.
Reading and understanding other hackers' write-ups is also very helpful. When you start Bug Hunting, try working on small programs to find your first bug faster and keep your motivation.
Here is a list of cool websites to learn & train:
Thanks to Chamli for this interview!
You can join Yogosha’s private community by filling this form. You will receive an email from us when we release a new challenge, and if you pass it, you will be invited to our bug bounty programs.