How to Learn to do Bug Bounties: A Beginner’s Guide by a Beginner


Looking at the first screen for a CTF at Hacker101 just blanked my mind. How do you even know where to start hacking? This is what happened during my first attempt at the HackerOne CTFs. Even though they provided hints I tried not to use them. Felt like cheating for some reason. After a while I gave up. Remodeling the bathroom ended up taking all my time for months anyway. The new job took what time the remodel didn’t take so I moved on.

A couple of days ago though I decided to give it another try. I like the challenge of the puzzle! Along with resurrecting this blog having some problem solving challenges to write about sounded like a good idea. Logging into HackerOne I saw my account was still there so I headed over to their Hacker101 site to take another stab at the CTFs.

This time around I took a very different approach to the CTFs. Figuring the whole point of the site was to help people learn I decided to approach learning bug hunting the way I have had success learning other topics.

How do I learn best? Scanning, diving, doing, relating. Repeat.


Scanning resources like books, podcasts, videos, and articles is the first step. Head to your favorite search engine and start exploring!

Sometimes this is how I discover a subject I want to learn about in the first place! Always scanning the world for new things to learn is how I do life. When there is a specific topic like bug bounties I want to learn more about scanning gives me an overview and a framework for thinking about the subject. Building this scaffolding for my learning is really important even though it will probably have to be torn down and rebuilt again. The key is having some kind of structure to give new bits of information context.

Just as important, maybe more important, scanning allows you to find a passion point in a subject. A passion point is some aspect of a subject which makes you curious and want to learn more. Doesn’t matter what the point is that grabs you. When you find it you have found your entry point.

Scanning to learn about bug bounties was something I had started doing some years ago. Information security has been interesting to me for decades. While I never went very deep I had built some kind of context over the years for thinking about things like bugs, security, and applications.

The passion points in web app security which grabbed me were SQL injection and directory traversal. Directory traversal satisfied the explorer in me very directly. Exploring a site by roaming the directory structure is fun because who knows what you will find. I think SQL injection grabbed my attention because I have done quite a bit of SQL working in analytics. Transferring knowledge from one domain to another can be gratifying and benefit both areas of interest. New ways of looking at something you already know can give you deeper insights.


Do you have a type of bug you find really interesting? If so, it’s time to dive! If not just pick something. Dive until you are bored then pick something else. If you never find anything interesting look into your motivation for doing bug bounties. If it is money is money enough to keep you going? For some people money is the only motivation they need! I am not one of those people so I need other reasons to keep going.

Diving into the Hacker101 CTFs I have two criteria at this point. First, I pick a level of difficulty appropriate to my skills. I am starting with easy and working my way up to difficult. My whole reason for doing these exercises is to learn how to do bug bounties. Building foundations with the easy CTFs will help me with the more difficult ones.

My second criterion in picking a CTF is looking for ones which appear to have SQL injection possibilities. Be guided by your interests and passions! One of the things I like about the HackerOne CTFs is that so far I have been getting a mix of different types of vulnerabilities in each CTF. They appear to have a theme but they are not always just one type of bug. I get to do a bug which interests me, then I am drawn into learning about other bugs too. Awesome!

CTF Hints

If you are doing the Hacker101 CTFs you are aware of the Hints available. On my first try at these CTFs I avoided the hints until I had spent hours sometimes trying to figure out what was going on.

My strategy this time is very different. I look at the hints immediately if I don’t see an obvious action to take. Here is why. Learning is the point of why I am doing the CTF. At this point in my development I often don’t even know where to start working. The hints will usually point me in the right direction.

If I spend 20 or 30 minutes and the hints haven’t helped I will Google for solutions. Looking for solutions isn’t because I want the flag. I am looking for more hints. In fact, I only scroll far enough to see some helpful tidbit then go back and try it out. On the other hand, there have been times I have had no clue about the point of the CTF. When I found solutions online turns out I was not alone.

How do I learn by looking up solutions? I study other people’s approaches and I make them my own. In one case, I may never have figured out the point of the CTF. Now that I see what the other people did I have a new thing to look for in the future. In another case, I modified the person’s solution and did it my way. In the process I was able to really explore nuances to constructing SQL for injection. In a flash of insight I cleared up how I was thinking about SQL and the errors thrown by the database.

Which brings us to our next learning phase!


Doing is where the learning really takes place. Reading will only take me part way. In actually creating and testing SQL code I am able to get feedback about my thinking and approach. Getting my fingers to type code brings the learning into my body.

Fast feedback is very important. Knowing whether or not I am correct helps me figure out what I don’t understand.


How do you really get all this new information to stick so you can use it later? Relating it to what you already know is helpful. Another way is to share what you are learning with others. Helping others as you are learning makes your learning even stronger.

Other people have perspectives or even just different ways of expressing a question. The act of understanding their question is by itself powerful for your learning. Attempting to explain SQL injection in a way they understand will stretch your own understanding.

I also find writing to be very helpful. Thus this blog! Writing out what you are learning can help you clarify your own thoughts. Seeing your words in front of you gives you feedback on your thinking. The only caution I have is don’t let your internal editor run amok. You are better off having the words out of your head and needing editing than never out at all.


Finally, the process above gets repeated indefinitely. Each time you scan a resource you find details you weren’t ready to catch during prior scans. Every dive takes you deeper or in new directions. You find new ways to relate what you are learning as you uncover new information and have new experiences.


There is a difference between learning bug bounties and doing bug bounties. Knowing where to start is by itself a big challenge. This is why I have changed my approach to CTFs on Hacker101. Applying the process of scanning, diving, doing, and relating I incorporate hints from others who have solved a CTF to make my learning more efficient and effective. Don’t let frustration derail you!

Fizz Buzz in Python 3

Programmer's Bookshelf

I got home today from my day job slinging SQL code with a small project in mind. Thought I would take a crack at Fizz Buzz in Python 3 after coming across an article by John Sonmez at Simple Programmer.

Though I am pretty sure I originally saw it at Jeff Atwood’s blog Coding Horror via Hacker News or something.

Fizz Buzz is a simple way for an employer to see if a programmer can, well, program.
The task is for every number from 1 to 100:

  • If the number is a multiple of 3 print the word ‘Fizz’,
  • If the number is a multiple of 5 print the word ‘Buzz’,
  • If the number is a multiple of both 3 and 5 then print ‘FizzBuzz’.

First, I admit I totally blanked on using range() to count from 1 to 100. I kept wanting to do

for 1 to 100

Must have been a long day with SQL Server bringing back up old muscle memory from my BASIC days. Anyway, once I got that reboot for my brain, the next thing was getting the print function not to insert a newline when printing ‘Fizz’ and ‘Buzz’.

Here is what I came up with:

    # range(1, 101) yields 1..100; range(101) would start at 0
    for i in range(1, 101):
        print(str(i) + ': ', end="")
        if i % 3 == 0:
            print('Fizz', end="")   # end="" suppresses the newline
        if i % 5 == 0:
            print('Buzz', end="")   # both fire on multiples of 15 -> FizzBuzz
        print()                     # one newline per number

The main reason I went through this exercise? I want to start writing and publishing to this blog regularly, again! Momentum is key! First step is write something.

Since I am no longer using WordPress I also wanted to experiment with my workflow and get used to writing in Markdown, including using code blocks, with Emacs. I think there is a lot of potential with being able to use text files to compose on the fly. Eventually, I am going to see about using org mode and code blocks for creating Hugo ready blog posts.

Changing Fonts on Your WordPress Site

EDIT: 04/03/2020 The name of this blog changed today. No more problems with zero and ‘O’ being confused!

This week I decided to change the font I use on this web site. Why? When I first showed the site to my wife and a few other people they thought the domain name was pronounced ox-craft. As in oxen.

Oops. My attempt at a cleverly geeky domain name didn’t go quite like I planned.

Nope, this site is not about oxen related arts and crafts. At least not yet. Of course, who knows what the future holds?

The domain name is an incorporation of the notation for hexadecimal integers zero-x, 0x, pronounced “hex” and the word “craft”, which would be pronounced “hex-craft”. (More info on zero-x here.)

A big source of confusion has to do with the fonts available in WordPress. The number “0” and the letter “O” look very similar on most screens in commonly used fonts. This is one reason zero-x is used frequently in computer programming. The slashed zero is a much clearer representation of zero than the slash-less version.

So, I thought I would experiment. Maybe using a font with slashed zeros would be less confusing?

I found one of the fonts I was looking for at and the other hosted on the creator’s Github page. Make sure to check the licenses. Fonts are protected legally. Some you have to pay for and others are freely available.

When it comes to changing fonts in WordPress the first thing you have to do after finding a font you like is figure out how to access the font files.

You have two choices:

  • Tell your visitors’ web browsers to import the fonts from a remote server every time they visit, or
  • Host the font on your server with your website.

The first option is pretty easy. One of the readily available plugins will have you up and running in minutes. Accessing a remote server, though, can really bog down your site. Slow-loading web sites are bad for reader experience.

Then there is the privacy thing. Google sees enough of our lives as it is, they don’t need to see when you read this site. (No, I don’t use Google Analytics anymore either.)

Good news!

Hosting fonts is pretty straight forward. I was going to write up the whole process for you. Instead go to Elegant Themes. B.J. Keeton did a really nice write up here.

The short story is you:

  1. Download the font files you want to use,
  2. Upload the font on your web server using FTP or with a file manager through cPanel.
  3. Copy and paste some bits of css code into your style.css and custom.php files,
  4. and, you are done!

After you get a font you like check out your web site with different browsers. Get some help from your friends. Different device and browser combos can display your font differently.

In my case, the fonts I decided on are Inconsolata and Inconsolata-LGC. Unfortunately, the slashed zero doesn’t show in all browsers. For example, the Silk browser on my Kindle and the browser on my Android phone don’t render the zero with a slash. The font though still looks appropriately geeky.

Learning to Break Encryption with Python

Lately, I’ve been giving cryptopals another shot. Spring 2016 was my first try and I had made my way to Challenge 6. Not completely happy with my progress I took a break. A long break.

Why am I doing these challenges?

Cryptopals is one of the ways I am using to expand my knowledge in the information security realm. Big takeaway so far: as I work my way through the challenges I am developing an appreciation for how easy something like writing your own encryption is to screw up.

As they say on the web site:

People “know” this already, but they don’t really know it in their gut, and we think the reason for that is that very few people actually know how to implement the best-known attacks.

Anyway, now I am back at it and getting ready to play with Challenge 11 after starting over from the beginning. I am using Python this time. I may do these challenges yet again to learn a new language. Not sure which.

Compared to last year this time through is going much smoother. The math and related logic were straightforward for me, both conceptually and to implement, the first time. My biggest stumbling block was getting confused by which Python modules to use to work with the text data and what they were doing. It was pretty bad.

Going back and forth between Base64, hex, and ASCII in Python ended up being a mess the way I was going about things. I don’t even want to remember how convoluted my code was at the time. With a little clarity of thought (I really don’t know what I was smoking last time), using the base64 module from the Python Standard Library and the bytes() constructor has really cleaned up the messy bits.
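As an added example (my code, not code from this post or from the cryptopals site), here are the Base64/hex/ASCII conversions the paragraph describes, written as bytes-in/bytes-out helpers so no step ever goes string-to-string, plus the fixed and repeating-key XOR that the early challenges build on those conversions. The sample values are constructed, not the site’s test vectors.

```python
import base64

# Constructed sample input (not a cryptopals test vector):
SAMPLE_TEXT = "Man"      # ASCII text
SAMPLE_HEX = "4d616e"    # the same three bytes written as hex
SAMPLE_B64 = "TWFu"      # and as Base64


def hex_to_bytes(hex_str: str) -> bytes:
    """Parse hex digits into raw bytes; odd length or bad digits raise ValueError."""
    return bytes.fromhex(hex_str)


def bytes_to_hex(data: bytes) -> str:
    """Lowercase hex representation of raw bytes."""
    return data.hex()


def bytes_to_base64(data: bytes) -> str:
    """b64encode takes bytes and returns bytes; decode to str only for display."""
    return base64.b64encode(data).decode("ascii")


def base64_to_bytes(b64: str) -> bytes:
    """Strict decode: validate=True rejects characters outside the Base64 alphabet."""
    return base64.b64decode(b64, validate=True)


def ascii_to_bytes(text: str) -> bytes:
    """Encode text as ASCII; non-ASCII raises instead of silently changing bytes."""
    return text.encode("ascii")


def bytes_to_ascii(data: bytes) -> str:
    """Decode bytes as ASCII; bytes outside ASCII become U+FFFD rather than crashing."""
    return data.decode("ascii", errors="replace")


def hex_to_base64(hex_str: str) -> str:
    """Cryptopals-style conversion: always go through bytes."""
    return bytes_to_base64(hex_to_bytes(hex_str))


def fixed_xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings byte by byte."""
    if len(a) != len(b):
        raise ValueError("fixed XOR needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def repeating_key_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with the key cycled as needed; applying it twice restores data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


if __name__ == "__main__":
    assert hex_to_base64(SAMPLE_HEX) == SAMPLE_B64
    print(bytes_to_ascii(base64_to_bytes(SAMPLE_B64)))  # prints "Man"
```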

To see my progress:

Why am I REALLY doing these challenges?

Patterns. As you can see from this website I am mixing some rather diverse interests. Software engineering, databases, computer troubleshooting, meditation, mystical experiences and practices, tarot cards, and more.

The world is information. Patterns of information. DNA, matter, communication, art, whatever we want to conceive in our minds or can observe is all a pattern made up of some deeper something. Something more fundamental.

Learning to break encryption, or compromise websites (I like to play on hackthissite as well), or software or who knows what is just another way to explore and learn about an observable pattern. Encrypted data is a pattern. The plain text data is the pattern under the observable pattern.

Windows 8.1 Taskbar Freezing or Unresponsive

Are you having problems with your Windows taskbar freezing? This is a rather perplexing problem. In my research I found out freezing taskbars are both somewhat common and appear to happen randomly. After helping a client with a freezing workstation I wanted to share what we found.

There are a few common symptoms you may experience when your taskbar freezes:

  • The clock might have stopped updating the time.
  • The taskbar icons are non-responsive even though you can click the icons on the desktop to launch programs.
  • Hovering your mouse over the taskbar icons won’t shift focus to the icon you’re hovering over.

My client had a Windows 8.1 workstation with a frequently freezing taskbar. The taskbar would become unresponsive at least once an hour, often more. Typical times it would freeze:

  • After startup,
  • During account login at any time of day,
  • If the taskbar hadn’t been used for a while, and
  • If the computer was idle for some period of time. Idle time could be 5 minutes or longer, though typically 20 minutes.

Getting Your Windows Taskbar Working Again, Quick Fix

After doing quite a bit of reading online and some experimenting I found the following helped our situation.

First, getting the taskbar working again quickly:

  1. Ctrl-Alt-Del -> Task Manager -> Restart explorer.exe worked to unfreeze without rebooting the workstation.
  2. Double tapping the Windows key, between Ctrl and Alt on my keyboard, would also unfreeze the taskbar.

Fixing the Problem

As for actually fixing the problem we needed to do some cleaning, repairing, and settings changes in the system. While we weren’t technically removing malware, a recent third-party software update had apparently installed a search engine toolbar and possibly other unwanted programs. More importantly, this extra software was taking up quite a few resources. Enough to cause noticeable problems on the workstation, certainly for the taskbar.

The following were what we needed to do to get the taskbar to stop becoming unresponsive:

  1. Malware – We used Malwarebytes to find and remove some unwanted software which was installed during a product update. The new software was using up resources and possibly contributing to the problem.
  2. After cleaning up the malware and unwanted programs using Malwarebytes I used a Windows Repair tool to look for and repair problems. Malware and other unwanted programs can make changes to system settings which can cause problems even after the software has been removed.
  3. Task Scheduler – Two settings in some of the tasks needed to be changed to keep the taskbar from freezing. This appears to have been the primary fix needed.
    • Configure For – There were tasks configured for operating systems other than the OS on the workstation. We changed those to match.
    • Triggers – Some tasks had triggers to check for updates. Some also had errors in the XML files defining their update schedule. One in particular, Microsoft Office, had an error in the configuration file and was checking for updates. A lot. Every 30 minutes during the day in addition to an overnight check. I deleted the daytime task from the scheduler, leaving the overnight task.



Making My Emacs Start Fast(er)

In the choice of editors to use I finally decided to go with Emacs. (I really like Vim, too!) As I wade back into the deep end of the software and databases pool Emacs looks like a good fit for me. I like the idea of being able to work with Python, SQL, Matlab, check my email, write blog posts and organize my life all from one application. Especially, now that I have some key bindings that make sense for me!

With that settled I got hit by the start up time optimization obsession. There’s something very attractive about vim/vi’s instant start up time. As I followed the path of spending hours to cut 1/2 second I discovered something. I was learning to use Emacs better while learning how to make it start fast.

Two Basic Approaches For A Faster Starting Emacs

In my quest for a fast starting Emacs I came across two basic approaches. Optimize various aspects of your .emacs or run Emacs as a service (see Resources below.)

Running Emacs as a service works pretty well. This approach is definitely fast! All the time consuming parts of starting are done when your computer boots. The only thing I didn’t like was that the buffers were the same for each frame started. I could probably adapt. Maybe down the road I’ll try it again.

The second approach is where I’m lumping together all the different ways to optimize and construct your .emacs file. In this approach a tool I found really helpful is Profile-DotEmacs (see Resources below.) Profile-dotemacs highlights the slowest parts of your .emacs load process, including garbage collection (GC). I also used emacs-init (M-x emacs-init) for comparison.

What popped up immediately was how much (require '…) slowed things down. Lazy loading to the rescue. Using autoload and with-eval-after-load in your .emacs you can defer loading packages until later in the startup process or until they are needed. Using Emacs Package is handy here because it handles autoload for you.

There’s a trade-off because package-initialize takes relatively long to load. Using use-package is supposed to help with this by loading only specific packages. Except it looks like you miss out on some of the convenience of allowing Package to manage things. I’m still working out whether or not I want to give up the convenience and use use-package. Sounds pretty effective though.

How Fast?

Here are my startup times for Emacs 24.5. Startup times were checked when the cache was cold, right after booting the computer, and after Emacs had been loaded a few times.

Emacs Start Up Times

  Timing Tool         Cold        Warm
  Profile-DotEmacs    1.71 sec    0.49 sec
  emacs-init          4.1 sec     1.5 sec

System details: GNU Emacs 24.5.1 (x86_64-redhat-linux-gnu, GTK+ Version 3.17.8) with ~30 packages. Toshiba Satellite, AMD A6-3420M APU, 6 GB RAM, running Fedora 23.

The top 3 things that made my Emacs start faster:

  1. Deleting packages! Packages were loading that I didn’t need or were redundant functionally with other packages.
  2. Minimize use of (require '…). I was using require for packages that were already being loaded by default! All I needed to do was adjust settings for those packages within Emacs. Saved quite a bit of time. autoload and with-eval-after-load are also helpful.
  3. Raised the garbage collection (GC) threshold from 800k to 20M. Emacs garbage collection happens when the threshold is reached. Raising the limit saves a lot of time that was spent on GC. At the end of my .emacs I set it back to the default value.

There were some other approaches I used or at least experimented with during this process. Offloading some of the GUI settings to X, adjusting cache pressure, and a couple of others were interesting to experiment with but didn’t give as much return.

My current major bottlenecks:

  1. package-initialize
  2. Loading the theme.
  3. Whatever happens after .emacs loads. I turned off default.el which loads after .emacs. Somehow working with .Xresources might be helpful here though I’m not sure I want to customize outside of Emacs.


I’m happy with the time I’ve spent reducing load time for Emacs. Some benefits I got from the exercise:

  • I learned a little about how Emacs works under the covers. Seeing lots of code other people have written is very helpful in beginning to develop an intuition regarding Emacs.
  • And I got to practice using Emacs to make Emacs faster. My Emacs keyboard skills have definitely improved and I’ve got some reasonable key bindings to work with now.
  • Lastly, there’s a psychological factor involved in start up time for me. I feel better not having to wait. Even 1 second can interrupt flow if I stop and restart Emacs. Granted, I can go all day before shutting down. Knowing I can restart fast though does feel good.

Additional Resources:

Advice on Reddit for Speeding up Emacs. Great advice in comments, too!
Running emacs --daemon
Emacs and .Xresources

Retro Mac Mini Headless Server Hack

One of my projects this week was to put a Mac Mini I bought in 2006 back to work. It’s been taking up space in a box in the garage for a few years. Okay, the Mini doesn’t take up much space. There’s a lot of computer in a small form factor. Feels kind of wasteful not to be using it for something.

The Project

What am I going to do with the Mini? I’m not sure. Some ideas I’ve been tossing around:

  • Printer and Backup Drive Server – Give everyone access to one printer and have a central computer to run remote backups to a removable hard drive.
  • Remote Database Server
  • Development Server – A place to test web sites, software projects …?
  • Home Security Monitor – Attach some wireless cameras and sensors then get texts or login from Istanbul to see what’s happening around the house.
  • Base Station for Roaming House Drones – I have dreams of autonomous blimps monitoring (with video feed) Peanut’s whereabouts.

As you can see he even looks like trouble!

Most of these ideas mean I need access to the Mini remotely. Remote could mean from a smart phone in the bedroom in the middle of the night checking on the garage or front door. Or logging in from Hawaii. Having some flexibility to place it in an out of the way location or a small space would be handy. Next to the printer or in a closet. For most situations I’m thinking about a monitor, keyboard, and mouse would be inconvenient space-wise.

Headless Mini Software

The Mini needs to be accessible remotely from a laptop, tablet, or smart phone. And I don’t want the machine trying to upgrade software every day either. No need for iTunes, Word, etc.

I decided to go with Linux. Debian has an installer specifically for old Mac Minis. Apparently there are some bugs or something in the firmware. The Debian installer worked flawlessly. I was very impressed.

For remote connection I did some experimenting and decided to go with VNC4server. I don’t have it set up yet for a secure connection with SSH tunneling. Doesn’t look too hard though. Starting the server with the -localhost option is important: it makes VNC listen only on the Mini’s loopback interface, so nothing else on the network can reach the VNC port directly and every session has to come in through the SSH tunnel. All the details are being put in shell scripts. I’ll log in and start the server manually for security purposes with the scripts.

The only real trick to this whole thing was getting the Mini to boot without a monitor attached. I banged my head on this for a few hours! The darn thing would reboot when I sent the command on a remote connection. It was working with the monitor attached and not rebooting when I disconnected the monitor. After doing some Googling I discovered Apple designed the machine so it had to have a monitor attached to it to boot!

The solution has been floating around the Internet for a while. Depending on the model you just need some tape and a resistor. A friend suggested using a gum wrapper and duct tape. I went with a 100 ohm resistor a friend gave me instead. The ends go into pins 2 and 7 at least for older models. I did see people using pins 1 and 6 also. For newer Macs I think. The picture shows pins 2 and 7 on my Mini being used. Pins 1 and 6 are the next pins over to the right.

After trying it out I trimmed the leads a bit, stuck them back in and taped the whole thing down with packing tape. Well, at one point I did fumble the resistor. Those buggers are invisible on carpet!

Maximizer CRM Database Export Project Notes

This month I helped a client export data from his legacy installation of Maximizer 11 into Gmail. I’m going to post some of my process for my own future reference. Might help save you some time and frustration, too.

First, I didn’t know anything about Maximizer when I started. So I went on a treasure hunt to find where the data was kept. I would have used the backups but they weren’t current enough. After a bit of research I discovered Maximizer was using MS SQL Server and keeping the databases in the SQL Server DATA directory. Which was very handy. All I needed to do was transfer the databases from my client’s laptop to my system. Then I could export the data using MS SQL Server on my laptop. I could have used my client’s computer but I didn’t want to install MS SQL Server on his system.

Each address book in Maximizer has its own database. In order to load them onto my system:

  1. I copied both the mdf and ldf database files from my client.
  2. (Using Management Studio) If you don’t have the ldf files for some reason it is possible to create the ldf using the following code, which I found at sqlauthority:
    USE [master]
    -- Method 1: I use this method
    -- @physname is a placeholder path; point it at the copied .mdf file
    EXEC sp_attach_single_file_db @dbname = 'DatabaseName',
        @physname = 'C:\path\to\DatabaseName.mdf'
  3. On my system, I created databases with the same names as the databases I copied from my client.
  4. Stopped SQL Server.
  5. Deleted the newly created databases in C:\Program Files\Microsoft SQL Server\…\DATA.
  6. Copied the client Maximizer address book databases to the DATA directory in place of the created databases.
  7. Started SQL Server.
  8. Refreshed the new database.

As far as loading the data:

  1. Once the data was loaded I was able to export the table using a SQL query (built in Management Studio) to join the People view and the email tables and export the data to a CSV file.
  2. I loaded the contact info in the CSV into my client’s Gmail account.
  3. Each Address Book loaded into a time stamped Gmail group name.
  4. All I needed to do at that point was rename the group to coincide with the Maximizer Address Book name.

This process worked really well. Very efficient.

Salesforce Explorations for Non-profits

A couple of weeks ago I started working with a local non-profit. They needed help with customizing Salesforce to keep track of their various volunteers, donors, event participants, and such. Salesforce is one of those SaaS apps I’ve been interested in getting my hands dirty learning. Perfect for both of us!

The first thing that struck me was how much access the developers have with the database. Pretty cool. At least for someone coming from a database admin/developer background. On the other hand I could see why my client found the application so confusing. There is a lot of functionality being exposed.

I did have to do some experimenting (nice to have sandboxes to play in!). Figuring out which tables were being used for which data was a big one of course. And for some reason it took me a while to get myself clear on when I was looking at a field list for a page versus a field list for a table.

The other confusing thing I ran into had to do with an add-on package for non-profits using tables for data that didn’t quite make sense. Auction items and values being stored in the Opportunity table. Basically, it was the result of an adaptation of a database designed to support the data needs of sales and marketing professionals.

I think a new table for non-profit donations might have made things clearer. It’s workable though and I don’t have a lot of hours to devote to a comprehensive customization so we’ll make it work. And I’ll just have to keep suppressing my urge to normalize the base tables and put the custom fields in new tables with easier to recognize names.

It is fun to be wading back into the world of databases! Looking forward to figuring out how they work with Quickbooks. Thankfully, Salesforce has pretty good documentation online.

Quick Tip – Fixing a Dim Screen on my Toshiba Satellite

Late the other evening I was working on my computer. Since I didn’t expect to be using it for long I didn’t plug it in. Of course, I got distracted and ended up going to bed without shutting it down. No biggie, right? It will just put itself to sleep.

Yes, kind of.

For some reason the battery still ran down over the course of the night. Okay, I must not have had my sleep settings etc. right under Linux. (I dual boot Linux Mint Debian Edition and Windows 7 on this laptop.) Still, no big deal, I’ll plug it in and boot it up, letting the computer charge the battery while I have breakfast.


The battery charged okay but the screen was so dim as to be nearly unreadable on my initial boot into Windows 7 and all my boots into Linux. Strange.

After changing settings and doing some research I finally found someone who had a similar problem. Their fix worked like a charm.


  • Unplug Power Cord
  • Remove Battery
  • Hold Power Button Down For 60 Seconds
  • Plug in Power Supply
  • Turn On Computer
  • Put Battery Back in Computer after doing all of the above.

Yep, it was that simple! On the way to this solution I had run into various posts about scripts and modifications to make. All of which can be a potential headache to remember and maintain over time and through future upgrades. Haven’t had a problem since.