We are very excited to announce the most recent winner of our Winter Hack4Levels challenge, Mohamed Sayed! Mohamed started the competition at Level 0x01 and leveled up to Level 0x02 (while also making a lot of money!) during the 30 day time period. For more about this Hack4Levels challenge and to read tips from other top competitors, you can read our recap here. Read our Q&A with Mohamed below:
Q&A with Mohamed
Q: What was your favorite part of the Winter Hacking challenge?
A: The competition was great, well-organized and the Vuln Ops team was very responsive and helpful. I liked the challenge of hacking to level up. My favorite part was when I received the weekly leaderboard update results.
Q: Do you have a favorite vulnerability discovery from this challenge that you can share and dive into some of the details of your approach?
A: I reported several vulnerabilities in the winter challenge so it’s hard to choose, but I prefer the logic attack and business function misuse vulnerabilities. One of my favorite vulnerabilities was in a target with no credentials provided and no registration. After some digging and recon, I was able to bypass the authentication of the application by collecting information about a certain user from OSINT. Then I found hidden pages that were vulnerable to authorization bypasses and cross-site scripting and that leaked sensitive data, which impacted the confidentiality and integrity of the application.
Q: What do you think contributed to your success for this Hack4Levels challenge?
A: The community and the Vuln Ops team helped me by motivating and pushing me to do my best for each submission, which really helped me a lot in the competition. I kept my focus on challenging myself and doing my best, not worrying about the person beside me.
Q: Did you feel your skills increased during the Hack4Levels challenge? If so, which ones?
A: Yes definitely. These are the skills I think improved the most during the challenge:
- Exploitation techniques
- Chaining attacks to get the most severe impact
- Time commitment and dedication
Q: What type of testing did the Hack4levels challenge motivate you to do, that you otherwise would not have done?
A: Challenging myself to win 1st place came with sleepless nights and very hard work that I probably wouldn’t have done if such a challenge was not there to motivate me.
Q: What tips do you have for other SRT to be successful on the Synack platform? On a Synack competition?
A: Focus on vulnerabilities that other SRT may not think about. Spend a good amount of time analyzing the application components to understand the target business well before starting to find vulnerabilities in it.
Q: What motivated you to become a hacker?
A: Hacking is doing what I love to do. Solving challenges and working in a blue team environment were the biggest motivation for me to try red teaming activities and become a hacker.
Q: How do you learn new hacking skills?
A: Working as a full-time security consultant, participating in bug bounty programs and reading other hackers write-ups are the keys to improving and sharpening my skills.
Q: What has the vulnerability discovery discipline taught you outside of hacking?
A: Focus on the details, analyze everything and think about why things happen. Apply the best solution to prevent the root cause from happening again.
Q: Did you have a mentor when you first started hacking? If so, how did they help you?
A: Hassan El Hadary, penetration testing manager at SecureMisr Company, was one of my best mentors and I still consider him a mentor today. He has helped me a lot in focusing and discovering vulnerabilities as well as sharing good techniques and ideas to break and bypass applied security controls.
Q: Is a mentor required to be successful?
A: No, I believe that success comes from passion and motivation. They are the biggest and most important mentor to anyone.
Q: Do you consider yourself a mentor or leader in the field now?
A: This is a hard question. I think the learning curve never stops because of the variance of technologies. Today I’m a mentor but tomorrow I will need a mentor to learn a new technology. With that said, I would love to share my experience and techniques with newbie hackers or anyone who needs help.
Q: What advice would you give up-and-coming hackers?
A: Focus less on $$ and more on learning. When you decide to start research on a project, try to stick with it as much as you can to understand every business function and analyze each request parameter. Try harder and never give up; that’s the key to success.
Q: What was your motivation for joining the Synack Red Team?
A:
- The Synack platform assesses hackers’ skills before letting them join the platform
- Very responsive support
- Fast payouts for accepted submissions
- The Analytics section of the platform helps save time for me so I don’t submit a vulnerability already reported by another SRT
Q: What amount of your time is spent on recon versus discovery?
A: Usually, I spend about 20% of my time with the target in recon and mapping to understand the target business implementation and the communication protocol between components.
Then I spend 60% in the discovery phase and the last 20% for exploiting what I have discovered.
Q: Do you have a research/hacking specialty or look for specific types of challenges (web, mobile, IoT, etc)? How did you choose your specialty?
A: Mainly, I like to do application research and hacking, since I come from a software and secure coding background. However, I’m trying to spend some hours each week to learn new techniques in different domains.
Q: What are your goals for the future/2019?
A: My main goal for 2019 is to sharpen my hacking experience in new categories like hardware hacking.
Researchers on the Synack platform are presented with opportunities to work on unique targets and challenges, the fastest payouts and highest level of support in the industry. Synack’s innovative technology optimizes the Synack Red Team’s (SRT) efficiency in vulnerability discovery.
Synack provides initiatives to help foster the researcher community and to recruit top talent. SRT Levels is a program that rewards SRT members for their increasing contributions to the Synack platform, and incorporates hacking competitions and specialized challenges.
If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.