03 November 2017

Secret Keys

Andre Gerard

He secured a Top 10 spot in our latest SRT Levels Hacking Challenge, and he’s a top level Synack Red Team member who has earned SRT Levels 0x05 status. A security professional by day and seasoned hacker by night, this SRT also balances his family life throughout. Meet Nikhil aka “niksthehacker” who openly shared with us his insights, personal hacking experiences, and advice to up-and-coming hackers. Read on to get a glimpse of how he builds up the necessary bug hunting skills that help him earn success on the Synack platform.

The main reason I participate is to learn, and with a variety of challenges, I am continuously learning new things.


Q&A with Nikhil

Security by obscurity is not security.

Q1: Tell us a bit about yourself.

I am Nikhil Srivastava and I’m from Ahmedabad, India. I received my Bachelor’s degree from Rajasthan, India and I am currently Vice President of Research for a security company.

Q2: At what age did you start getting interested and what motivated you to become a hacker? Did you have a mentor?

About 7 years ago, I discovered my interest in penetration testing and hacking while pursuing my Bachelors degree. When I first started hacking, my mentor was Aditya Modha (@oldmanlab). However, in order to further explore and gain maximum knowledge, I decided that I needed to emphasize self-learning. Once hacking caught my interest, I had a strong motivation and desire to learn as much as I could.

Q3: What do you find interesting about participating in bug bounties?

It’s no secret that making money is a popular reason to participate in bug bounty programs, but to me, it’s really just an additional advantage.

The main reason I participate is to learn, and with a variety of challenges, I am continuously learning new things.

Q4: What is your “day job” outside of being a hacker? Does your job lend its skills for bug hunting?

Yes, I work as a VP in security research for a security firm in Ahmedabad, India. My job helps me a lot in sharpening my skills and learning new things.

Q5: How do you balance your time?

Outside of my research and hacking, I am also a husband and father (to a beautiful daughter). Obviously, I have to manage my time in a way that I can pursue my passions and achieve my dreams without taking away important time from my family. Normally, I dedicate late-night hours for my hacking and research activities. Work-life balance is a must for me definitely.

Q6: How do you sharpen your skills, and what set of skills are you looking to sharpen within the next 6 months?

There are a lot of resources in a lot of different mediums that I use. I’ve read a couple of books that were really helpful (like The Web Application Hacker’s Handbook and The Tangled Web). Twitter is a great place to find other researchers and follow their blogs and and what they’ve been working on. Bug Bounty Forum is also a great medium to learn from.

Also, whenever Synack dispute’s a vulnerability report they provide a good learning opportunity, by asking us to prove out how we would exploit it and take a step further. Since Synack primarily accepts only higher risk vulnerabilities, it is always challenging to test the targets in search of high impact vulnerabilities.

Personally, I want to focus on sharpening my recon skills over the next few months and I want to automate a couple of my techniques, which will save me time while bug hunting.

Q7: Do you have a specialty and/or look for specific types of challenges?

I love web challenges more than anything else. I always start by looking for privilege escalation, IDOR, or business logic flaws.

Q8: Can you share your favorite vulnerability discovery and dive into your approach?

A few months back, I was working on a private bug bounty program that was about 2-3 years old. Since it was so old, I thought it was pretty obvious that all of the low hanging vulns would have been reported and mitigated already. I started looking for some new subdomains using Sublist3r (a tool for subdomain discovery by @aboul3la). Luckily, I had found a subdomain, which was a new service started by the company recently.

I had discovered that the application was using an s3 bucket. The s3 bucket was open to the public and contained some of the application’s backup files. I also discovered that the company had all of their code in open source on Github, so I suspected that these backup files should have sensitive data of the production environment. I downloaded one of the backup files and started to go through the source code in hopes that some sensitive information would be disclosed. After some time, I found an .env file inside the backup files which contained their AWS key ID and a secret access key to their s3 bucket deployed on production. I wrote up the report, sent it over to the client, and they patched it quickly.

Q9: Any advice or insights for CISOs that you’d like to share from your experience as a security researcher? What industries do you see have the most vulnerabilities?

Security by obscurity is not security, and I’d say from my experience, the IoT and Energy sectors have the most security vulnerabilities..

Q10: For those just starting out as new hackers, do you have any advice for them? If you were to start today, how would you go about learning how to hack?

  • Start with the basics by reading a couple of books that I highly recommend (like The Web Application Hacker’s Handbook and The Tangled Web).
  • Get some hands-on experience with vulnerabilities with some of the vulnerable software such as DVWA.
  • Keep a close eye on Twitter. You can use the #bugbounty and #infosec hashtags to find great write-ups and blogs from some of best researchers around the world.
  • Take a closer look at the Cure53 XSS challenge wiki for some great challenges and their solutions.

Q11: What do you like about the Synack Red Team and SRT Levels?

There are a lot of things to like!

  • First of all, the vulnerability analytics. A researcher doesn’t have to waste any time in reporting a duplicate vulnerability, because he/she can look into “Vuln Analytics” on the platform to see if the vulnerability was already reported.
  • The second is payout. The payouts are always very quick and you have an option to store it in your account or to request it at any time. I also like that researchers get paid to retest vulnerabilities.
  • Third, report writing. The Synack standard of writing good reports has helped me become a better researcher
  • I also think the introduction of Synack Levels has been a great addition. It motivates us to keep finding issues to achieve and maintain ranking at Level 5. That’s fun!

I would like to thank Jeff Cariker for quickly answering all my questions each time I have one. Compared to other programs, I believe Synack support has pretty fast support response times. So, thank you!

Synack provides initiatives to help foster the researcher community and engage top talent; technology to optimize researcher efficiency and accelerate vulnerability discovery, opportunities to work on unique targets, personalized support, and skills development. We do this through the Synack platform and our SRT Levels program which includes fun competitions, gamification, mentorship, and specialized projects.

Apply to join the Synack Red Team and become one of the chosen few. We provide the best support for our researchers, and put the highest quality, most relevant features into our platform  – it was designed by hackers for hackers.

If you’re up for the challenge, apply today, and use code “SRTBLOGS” in your application.