Ladybugs

How to Learn to do Bug Bounties: A Beginner’s Guide by a Beginner

Looking at the first screen of a CTF at Hacker101 just blanked my mind. How do you even know where to start hacking? This is what happened during my first attempt at the HackerOne CTFs. Even though they provided hints, I tried not to use them. It felt like cheating for some reason. After a while I gave up. Remodeling the bathroom ended up taking all my time for months anyway, and the new job took whatever time the remodel didn’t, so I moved on.

A couple of days ago though I decided to give it another try. I like the challenge of the puzzle! Along with resurrecting this blog having some problem solving challenges to write about sounded like a good idea. Logging into HackerOne I saw my account was still there so I headed over to their Hacker101 site to take another stab at the CTFs.

This time around I took a very different approach to the CTFs. Figuring the whole point of the site was to help people learn I decided to approach learning bug hunting the way I have had success learning other topics.

How do I learn best? Scanning, diving, doing, relating. Repeat.

Scanning

Scanning resources like books, podcasts, videos, and articles is the first step. Head to your favorite search engine and start exploring!

Sometimes this is how I discover a subject I want to learn about in the first place! Always scanning the world for new things to learn is how I do life. When there is a specific topic I want to learn more about, like bug bounties, scanning gives me an overview and a framework for thinking about the subject. Building this scaffolding for my learning is really important, even though it will probably have to be torn down and rebuilt again. The key is having some kind of structure to give new bits of information context.

Just as important, maybe more important, scanning allows you to find a passion point in a subject. A passion point is some aspect of a subject which makes you curious and want to learn more. Doesn’t matter what the point is that grabs you. When you find it you have found your entry point.

Scanning to learn about bug bounties was something I had started doing some years ago. Information security has been interesting to me for decades. While I never went very deep I had built some kind of context over the years for thinking about things like bugs, security, and applications.

The passion points in web app security which grabbed me were SQL injection and directory traversal. Directory traversal satisfied the explorer in me very directly. Exploring a site by roaming the directory structure is fun because who knows what you will find. I think SQL injection grabbed my attention because I have done quite a bit of SQL working in analytics. Transferring knowledge from one domain to another can be gratifying and benefit both areas of interest. New ways of looking at something you already know can give you deeper insights.

Diving

Do you have a type of bug you find really interesting? If so, it’s time to dive! If not, just pick something. Dive until you are bored, then pick something else. If you never find anything interesting, look into your motivation for doing bug bounties. If it is money, is money enough to keep you going? For some people money is the only motivation they need! I am not one of those people, so I need other reasons to keep going.

Diving into the Hacker101 CTFs, I have two criteria at this point. First, I pick a level of difficulty appropriate to my skills. I am starting with easy and working my way up to difficult. My whole reason for doing these exercises is to learn how to do bug bounties. Building foundations with the easy CTFs will help me with the more difficult ones.

My second criterion in picking a CTF is looking for ones which appear to have SQL injection possibilities. Be guided by your interests and passions! One of the things I like about the HackerOne CTFs is that so far I have been getting a mix of different types of vulnerabilities in each CTF. They appear to have a theme, but they are not always just one type of bug. I get to do a bug which interests me, then I am drawn into learning about other bugs too. Awesome!

CTF Hints

If you are doing the Hacker101 CTFs you are aware of the Hints available. On my first try at these CTFs I avoided the hints until I had spent hours sometimes trying to figure out what was going on.

My strategy this time is very different. I look at the hints immediately if I don’t see an obvious action to take. Here is why. Learning is the point of why I am doing the CTF. At this point in my development I often don’t even know where to start working. The hints will usually point me in the right direction.

If I spend 20 or 30 minutes and the hints haven’t helped, I will Google for solutions. Looking for solutions isn’t because I want the flag. I am looking for more hints. In fact, I only scroll far enough to see some helpful tidbit, then go back and try it out. On the other hand, there have been times I have had no clue about the point of the CTF. When I found solutions online, it turned out I was not alone.

How do I learn by looking up solutions? I study other people’s approaches and I make them my own. In one case, I may never have figured out the point of the CTF. Now that I see what other people did, I have a new thing to look for in the future. In another case, I modified the person’s solution and did it my way. In the process I was able to really explore the nuances of constructing SQL for injection. In a flash of insight I cleared up how I was thinking about SQL and the errors thrown by the database.

Which brings us to our next learning phase!

DOING

Doing is where the learning really takes place. Reading will only take me part way. In actually creating and testing SQL code I am able to get feedback about my thinking and approach. Getting my fingers to type code brings the learning into my body.

Fast feedback is very important. Knowing whether or not I am correct helps me figure out what I don’t understand.

Relating

How do you really get all this new information to stick so you can use it later? Relating it to what you already know is helpful. Another way is to share what you are learning with others. Helping others as you are learning makes your learning even stronger.

Other people have perspectives or even just different ways of expressing a question. The act of understanding their question is by itself powerful for your learning. Attempting to explain SQL injection in a way they understand will stretch your own understanding.

I also find writing to be very helpful. Thus this blog! Writing out what you are learning can help you clarify your own thoughts. Seeing your words in front of you gives you feedback on your thinking. The only caution I have is don’t let your internal editor run amok. You are better off having the words out of your head and needing editing than never out at all.

Repeat

Finally, the process above gets repeated indefinitely. Each time you scan a resource you find details you weren’t ready to catch during prior scans. Every dive takes you deeper or in new directions. You find new ways to relate what you are learning as you uncover new information and have new experiences.

Conclusion

There is a difference between learning bug bounties and doing bug bounties. Knowing where to start is by itself a big challenge. This is why I have changed my approach to CTFs on Hacker101. Applying the process of scanning, diving, doing, and relating I incorporate hints from others who have solved a CTF to make my learning more efficient and effective. Don’t let frustration derail you!
