Seeing as I recently got my first bug report resolved and was even rewarded a bounty for it, I thought I’d tell how I got started on bug bounty hunting. Hopefully my story can serve as inspiration for other newcomers, and show that it is very much possible to become a bug bounty hunter these days, even without a background in IT.
About 3 years ago (beginning of 2017) I started learning programming after being given the book Python Crash Course. Before that, programming seemed like black magic to me (yes, I was a noob!) even though I’d been using Linux for 10+ years and was very comfortable with the command line and editing scripts. I have no background in IT; my career is in aviation.
After becoming proficient with Python and even writing a few simple arcade games, I started learning the basics of a few other languages: Java, C++ and ARM Assembly. Not enough to be proficient, but enough to read and understand simple programs written by others. I even developed a couple of very simple Android applications for myself.
It was at this point that I got interested in ethical hacking and got the book The Basics of Hacking and Penetration Testing. Looking back, this book is VERY basic, but at that point it seemed incredibly 1337 to me. Around the same time I started reading news articles about bug bounty hunters earning good money hacking the web. I started thinking ‘can I learn this too?’ My conclusion was, maybe in 10 years. There was just so much knowledge to accumulate and I doubted if I could learn this stuff by myself. The way I saw it, to be a hacker I needed 10+ years of experience in the IT field.
Nonetheless I got more serious about it and decided to give it a try. Not to earn money but because I really like learning new stuff, especially about computers and technology. In April 2018 I started reading “The Web Application Hacker’s Handbook”, considered the ‘Bible of hacking’. That book presented so much stuff that was totally new to me, but reading it slowly chapter by chapter and practising what I read about using the Damn Vulnerable Web Application (DVWA) it began to make sense to me. After having taken the DVWA apart I hacked on the OWASP WebWolf which introduced me to more advanced concepts.
It was at this time that HackerOne created their first CTF on hacker101. Signing up, I started solving the levels but got stuck on the medium/hard levels. I’m not going to lie, I tried googling for hints, even solutions, but luckily instead of spoiling it for me, I came across a Discord channel created by the hacker Nemesis. Signing up, I was helped by other users to solve the levels I was stuck with and was encouraged to try the hardest levels too. Finally I had found like-minded people and no longer had to study all by myself! I think this was the most important development in my hacking journey, and I owe a lot to my fellow H101 discorders.
One thing led to another, and suddenly I was a moderator on the hacker101 Discord channel. In February of 2019 I subscribed to Pentesterlab and did about 70% of the exercises there, which increased my knowledge enormously. Then, around spring 2019, I took my first tentative steps at hunting bugs on a live target, hacking on a couple of private programs.
I found nothing. Spending hours and trying all the techniques I’d learned in the past year led me nowhere. Obviously I needed to get better. In particular, I felt I needed to know the impact of the different security vulnerabilities; having never been a malicious hacker (nor will I ever be!), I didn’t really think about the impact of, say, an XSS. Sure, I could pop up an alert box, but what could that really lead to?
HackTheBox was my saviour here. Legally hacking on a server to get root access helped me understand the impact, which was an eye-opener for me. Now I understood why these different vulnerabilities are so devastating to companies world-wide, and how, for example, a local file inclusion (LFI) can potentially lead to a complete server takeover.
I spent about 2 months doing HackTheBox exclusively. At this point it was summer and too hot to do much (37 °C daily), so I took a pause. Then in September I started bug hunting again, but this time for real. I was on vacation at that time and so had plenty of time to hack. I chose AT&T as my first target, mostly because they had a large scope which I hoped would allow me to find a web server no-one had hacked on yet.
Within about a week I suddenly found my first bug! I nervously reported it, and after some back and forth with the triager it got triaged. Yes! Finally I could call myself a bug hunter! I unfortunately can’t disclose the bug type since it has yet to be resolved at the time of writing this.
Within a couple of days more I found my next bug, an XSS (Cross-Site Scripting). Sadly this was a duplicate, but that did not deter me. Less than a week after that I found my third bug, another XSS. This was also the bug that got me my first bounty.
As of writing this I’ve reported more than 10 bugs, most of them to the US Department of Defense. I’ve also been doing some paid security checks, which are a great way to perfect my report writing.
The moral of this story is: anyone with the will to study and learn can become a bug bounty hunter. You don’t need to be an experienced programmer. I had been programming amateurishly for little more than one year before I started learning hacking. As long as you keep your expectations realistic and are prepared to study, study and study, you can do it!
Also, come join us on the Hacker101 Discord server. That place helped me so much in my learning, and I hope to return that favour to new people.