AMA with @darkieduck

Thank you for doing this interview! Can you please introduce yourself?

I’m DarkieDuck, I am from the Netherlands and I have been hacking for the last 15 years or so. I started getting into hacking pretty soon after getting my first PC, being curious how everything works and trying to break things of course,also the movie Hackers might have had some influence in this ;)

I have known about bug bounties for a while but never started doing it myself until I decided to jump onboard around a year ago. I am mostly active on Bugcrowd.

Q: How do you manage your personal life, work, and bug bounties? Do you do bug bounties as a job or a hobby?

At the moment bug bounties is hobby but I am considering switching to full-time Depending on how the situation is at my work I try to spend around 1-2hrs a day on bug bounties and a bit more in the weekends.

Q: How much time do you spend on Hunting for Bugs? On average, how many bugs do you think you report per month?

Around 1-2hrs a day. Again this depends on my job but I try to submit 20-30 bugs a month.

Q: How long did it take you until you found your first significant/high impact/payout vulnerability?

Not very long at all I believe it was within my first month that I found a P1 bug on a public program on Bugcrowd.

Q: Of all the bugs you’ve found, what was your favorite/most interesting?

Unfortunately I can’t really go into too much details about this because of policies. My first high impact bug was pretty interesting. I found a LFI but there was a WAF in place that kept me from accessing anything decent. Then I found out that I could actually read the /etc/motd which contained instructions on how to recover the server in case of disaster. These instructions lead to a “/path/serverbackup.tar.gz” file that contained a full server backup which I could access with the LFI

Q: When and how did you have your breakthrough? When did you realize hacking and bug bounties was something you wanted to dedicate your time to? Please share your insights and the problems you faced to becoming an established bug bounty hacker?

About a year ago I started getting into it for the sake of learning/keeping up After I found my first major bug I got a big motivation boost to find more and more bugs.

As for problems I think most hunters have this problem and that’s getting burned out It can be pretty overwhelming and after not finding a bug for weeks you start to lose motivation also. It’s best to just take a break if you reach that point.

Q: What do you do to keep up with all the new trends?

I used to read some mailing lists but most of them aren’t active anymore. I would say my main source for information these days is Twitter/IRC/Slack

Q: Do you collaborate with other hackers? Can you name a few?

No not really, it’s somewhat difficult because I mainly work on private programs and I can’t really share any details about that with others.

Technical Questions

Q: How do you approach a target? What is your routine like? What is your recon process like? What kind of information do you seek in your information gathering process? And how does this information help you?

This really depends on the scope but let’s say it’s a * scope

  • dnsbrute the target to find as many domains as possible.
  • Scan all domains found with nmap for a custom list of ports (or just take top1000)
  • Google dork any interesting endpoints for *
  • Check Github for endpoints/keys/codes/anything that gets your attention.
  • If the program allows it dirbust with customlists that are tailored to the frameworks you found.

After that’s done we got a pretty nice list of things we can access within the scope, this is when the manual testing starts. Then I visit each website I found to see what it is running, try out as many functions as I can on it. Gather as many endpoints as I can find and start poking at them.

Make sure you keep some kind of documentation for yourself where you store any interesting requests you have come across specially the ones you don’t understand yet I just keep all interesting GET and POST requests in a text file because Burp has crashed on me a bit too often and I lost all this information. The longer you spend on a application the better your understanding of it will become and these requests you saved earlier might be useful.

Q: Do you always look for all vulnerabilities types when you approach a website?

No I only look for P3 or above based on the Bugcrowd VRT

Q: Do you use any tools? Do you have your own tools that you have written to automate/facilitate your work? What Burp extensions do you use? Is there a tool that not a lot of people use that you think they should?

Most tools I use are mentioned above. I also use sqlmap for SQL injection ofcourse.

For Burp extensions I use the following - Authmatrix: Great for testing authorization with different roles - Backslash Power Scanner: For detecting possible server side injection points - Error Message Checks: Will keep track of any errors that the server might have given you,sometimes you might miss a error if its commented out but this extension will still find it - Java Deserialization Scanner: Used for handling deserialization in java applications - Reflected Parameters: Keeps track of parameters that got reflected back - Wsdler: Can read wsdl files and make soap requests based on that.

Q: This is one of our most popular questions: How do you test for Server Side vulnerabilities such as RCE, SQLi, etc?

I don’t think there is a one way solution to test for this. Most important thing is you need to figure out why an application is responding in a certain way. For SQLi it’s also important that you try and think of how the SQL query will look within the application and how you could abuse that. For RCE you can of course try the ones that are known like ImageTragick,Template injections,XXE

It all depends on what the application is made of, which language is used? which framework? Read up on these different aspects and one day you will find a RCE.

Q: How often do you find a bug that has been overlooked after a bounty program has been established and a horde of researchers have been digging?

This happens pretty often, I like to go back to some old programs every once in a while. Code gets changed all the time and not many people look at older programs.

Q: Do you think being a pentester, web developer, or being in a related field, helps you with bug bounties? Where should they start?

Yes it does, having basic understanding of what is happening behind the application you are trying to hack is a big help.

Time to wrap it up!

Q: What kind of music do you listen to?

Depending on my mood of course but when hacking I like to listen to some Chillstep Selection/Collection,Trap Nation or allot of Nightcore (mix) When not hacking I can listen to the most random playlists.

Q: What do you do when you aren’t hacking?

I like to play squash,play videogames or watch some series.

Q: What kind of impact/role have bug bounties played in your life?

Pretty big impact in terms of financial. Skill wise it keeps me sharp

Q: What is an advice you received as a beginner that helped you with your bug bounty career?

Not bug bounty related but in short: RTFM

Q: What is one area of hacking (web, mobile, hardware, etc) you wish you knew more about / plan on focusing your learning on?

Hardware hacking for sure, I plan to learn more about this once our days are 40 hours long instead of the 24 we got now.

Q: If someone with basic technical background asked you, “where should I start?”, what are 3 things you would recommend they do before diving into bug bounties?

  • Read other people’s reports
  • Understand the application you are trying to hack
  • Practice, do challenges, CTFs or even get yourself a DVWA and go wild on it Documentation! When you start out there won’t be much data for you to process but you will find out pretty soon you are getting overwhelmed with data. Make some sort of system that works for you were you can store data per program/scope/target/framework/whatever.

Q: Someone was eager to know, what do you put on your toast?

Cheese of course.

Q: What’s your worst bug bounty story/experience?

Besides some very long waiting times on a few programs I had one program with a limited scope were they wanted us to test only one application, I found a pretty bad bug in the login process and it was marked out of scope by them because the login process wasn’t part of the application they said.

Q: If you had to pick one hacker to collaborate with, who would it be?

The legend from congo aka mongo

Q: What’s the one feature you would like to see in the platforms?

I guess some kind of feedback option would be nice.

Q: What’s your favorite text editor?