31 August 2017

Hacking Up the Synack Leaderboard with Levels

SRT Community

“Every system is vulnerable…keep digging!”

Synack presented a summer hacking competition to challenge our Synack Red Team (SRT), and as the kick-off event for our “SRT Levels” program, we presented our SRT with a chance to join us for an adrenaline-filled day in helicopters and on the gun range during the DEF CON week in Las Vegas. Our SRT stepped up to the challenge and put in extra hacking hours to make it our most competitive competition yet. We chatted with one of our Top 10 winners today — Julien Ahrens. Read on for an insightful perspective on his personal hacking experiences and how he built up the bug hunting skills that helped him earn success in our hacking challenge!

Name: Julien Ahrens
Twitter Handle: @MrTuxracer
Nationality: German
Hacking Experience: 7 years (5 professionally)
Synack Red Team Level Earned: 0x05
Designation: Exploit developer, Bug bounty hunter, Freelancer
Skills: Web, IoT, Recon, Reverse Engineering


Q&A with Julien Ahrens

“ In a world of quickly changing technologies and defenses, it is ultimately important to stay up-to-date with hacking techniques and improve your own creativity.”

Q1: What are the most important things you’ve learned about bug hunting?

  1. Every system is vulnerable. While I mostly concentrate on a few single programs, I nearly always find at least one critical bug in every program I participate in, even in long-running ones. That said, keep digging!
  2. Report vulnerabilities to open source or closed source projects. Although you’re usually doing this for free, it helps a lot in building relationships with talented developers, and sometimes you might receive a separate paid project or unique swag!
  3. It’s about documentation quality for the customer. The purpose of reports is to communicate vulnerability findings with the customer. I’ve read a lot of bug bounty reports that cover interesting vulnerabilities, but they are terribly written. Synack solves this problem by requiring high documentation standards from the very beginning.

Q2: Did you have a mentor when you first started hacking? If so, how did they help you?

I haven’t had a mentor, at least not a human one. When I started hacking “publicly” around 6 years ago, I directly jumped into the world of reverse engineering and memory-based exploitations, because it was (and still is) simply a very fascinating topic. This somewhat hard path into security brought me to the point of starting my own blog at www.rcesecurity.com to share and reflect upon my learning curve, while at the same time giving back in a way to the security community. My blog forced me to keep my work at the highest possible quality, which became a self-mentoring process and also led to some very good contacts in the industry. In addition, my Offensive-Security OSCP certification challenge taught me to think creatively, which is critical in order to be successful in the bug bounty world.

Q3. Do you consider yourself a mentor or leader in the field now?

I would consider myself a mentor because of the way I’m contributing to the security community. I always try to write my blog articles so that they read at an intermediate hacker level, but are also understandable for a beginner.

Q4. What advice would you give up-and-coming hackers?

This has probably been said a million times already, but there’s no other statement I could agree more with than: “Read, read, read”. Start following #security people on twitter; read blog posts and Reddit, and sign up to Full Disclosure and Bugtraq. In a world of quickly changing technologies and defenses, it is ultimately important to stay up-to-date with hacking techniques and improve your own creativity.

Q5. What are the learning references that you would share with new hackers, e.g.tutorials, website references, books, tips, etc?

I would strongly recommend doing one of the Offensive-Security courses (offensive-security.com). They are quite difficult, but you will quickly recognize its value to your bug bounty career. The second valuable resource is Twitter! Start following #security and #bugbounty, and you will quickly come across a lot of good write-ups and tutorials by very talented hackers (ie: @yaworsk, @emgeekboy and @zseano…mentioning them all here would probably break the Synack blog ;-). The third valuable resource are communities like the Bug Bounty Forum – join them to get in touch with other hackers and exchange ideas. If you want to start with memory-based exploitations, then you should definitely have a look at the great tutorials provided by Corelan Team, www.corelan.be!

Q6: Are there any particular skills that you personally are looking to sharpen within the next 6 months? Where do you go/what do you do to learn more about your craft?

Although I’m already doing a lot of reconnaissance for each target, my past bug bounty experiences have shown that even more can be found when using the right word lists. Therefore I will invest even more time into further automating and improving my reconnaissance strategy. I also want to dig a bit deeper into the exploitation of browser vulnerabilities, but that’s more a year-based goal.

Q7: Do you have a research/hacking specialty or look for specific types of challenges (web, mobile, IoT, etc)? How did you choose your specialty?

While I’m currently doing web-based hacking with most of my time (since most bug bounty programs are focused on it), I’m still more interested in memory-based exploitations on IoT devices. Unfortunately it is rare for programs to pop up that pay bounties on such things – I have participated in a few and always found at least one buffer overflowing. And that’s it – the complexity chose me. Memory-based vulnerabilities are by far the most complex and most interesting vulnerability class. You nearly always have a million different ways to exploit them, plus there are good defenses to overcome such as ASLR and DEP. This complexity is what motivates me most, because it requires you to think creatively. To be honest, writing an exploit which bypasses ASLR and DEP to get code execution on a system is really more fun than exploiting Cross-Site Scriptings!

Q8: What was your motivation for joining the Synack Red Team?
Synack initially reached out to me, and after a really intensive, but necessary, on-boarding process, I quickly learned that Synack takes care of its researchers and upholds the core values of bug bounty hacking.

  1. Triage: The triage and payout times are usually under 12 hours, which keeps you motivated, because you can financially calculate the payouts.
  2. Payout: The reward directly depends on your report quality, which motivates you to keep your report quality as high as possible to get the highest possible reward.
  3. Support: Their support always answers any problems or questions I have instantly and has been really helpful to me so far.

Q9: What are the perks of living the bug bounty hunter/hacker lifestyle?

Because of bug bounties, my girlfriend and I are able to engage in our common hobby: traveling the world. We’ve been to a couple of awesome countries already (just recently Japan) and are currently planning a long-term trip around the world, which has always been one of my big dreams. This wouldn’t be possible without bug bounties, especially Synack!

Q10: How do you balance your time- for example, how much time do you spend as a bug bounty hunter, your consulting company, your day job vs other things?

Since I’m not a full-time bug bounty hunter, my day job keeps me busy for most of the day. When it comes to my spare time, I’Il always try to keep a healthy balance between bug bounties and other work – however my girlfriend and family always have priority over anything else. I usually set myself year-based bounty goals, which I try to reach in my spare time.

Q11: Anything else you’d like to share with us?

I’d like to send out special thanks to Jeff and Aigerim on the Synack Ops team for always answering all my questions and the quick triaging!

Synack provides initiatives to help foster the researcher community and engage top talent; technology to optimize researcher efficiency and accelerate vulnerability discovery; opportunities to work on unique targets; personalized support, and skills development. We do this through the Synack platform and our SRT Levels program that includes fun competitions, interactive gamification elements, mentorship, and specialized projects.

Apply to join the Synack Red Team. Become one of the few and fully experience our platform – it’s designed by hackers for hackers. If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.