Episode 80: In this episode of Critical Thinking - Bug Bounty Podcast Justin is joined by Sina Kheirkhah to talk about the start of his hacking journey and explore the differences between the Pwn2Own and HackerOne Events
Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!
------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater
------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Today’s Guest: https://x.com/SinSinology
Blog: https://sinsinology.medium.com/
Resources:
Advanced .NET Exploitation Training
Timestamps:
(00:00:00) Introduction
(00:12:45) Learning, Mentorship, and Failure
(00:29:34) Pentesting and Pwn2Own
(00:40:05) Hacking methodology
(01:01:57) Debuggers and shells in IoT Devices
(01:35:40) Differences between ZDI and HackerOne
(02:02:27) Pwn2Own Steps and Stories
(02:14:06) Master of Pwn Title
(02:29:54) Bug reports
Justin Gardner (@rhynorater) (00:00.375)
Alrighty dude, I am hyped for this episode. I have wanted to do an episode with someone from Pwn2Own since the beginning of this podcast and finally we're having it happen. So, Sina, thanks so much for coming on the pod, man.
Sina (SinSinology) (00:11.937)
Thanks for having me, man. I appreciate that. I'm so delighted to be here, and I really don't know why you chose me to be here.
Justin Gardner (@rhynorater) (00:18.687)
Well dude, you've been cranking out content like crazy lately and your bugs are amazing. So I'm sure we'll get into that a little bit as we go into the pod. Dude, I have to compliment this setup before we get rolling. Homie's got the DSLR in play and you've got like the hat behind you and like it's looking fly, man. So thanks for putting all that effort into
Sina (SinSinology) (00:37.759)
Appreciate it. Thank you. Yeah, I do a lot of photography and like productions and different kinds of stuff. Yeah, I sometimes use the same camera for these kinds of cool meetings that we have, such as this one. And yeah, this is actually a hat from Pwn2Own. I've got it from there. And then I've had it signed by, I don't know if you can see it, but I've had it signed by Dustin Childs. He's a legend there. He works at Trend Micro Zero Day Initiative.
Justin Gardner (@rhynorater) (00:57.833)
Nice, sick.
Justin Gardner (@rhynorater) (01:05.762)
Really? Nice!
Sina (SinSinology) (01:11.349)
He's the head of Threat Awareness, if I'm not wrong.
Justin Gardner (@rhynorater) (01:14.209)
Nice, nice. I actually reached out to him when I was trying to source people for this episode and I was like, hey man, I see that you kind of run Pwn2Own. Who would you recommend for this episode? And he gave me a couple names and you were on that list and I was like, all right, this is my man after I did a little bit of research into it. So shout out to Dustin as well for setting that up. All right, dude, so let's spend some time. Okay, so let me give a little context here.
Sina (SinSinology) (01:29.43)
I appreciate this.
Yeah, nice of them.
Justin Gardner (@rhynorater) (01:43.447)
I'm someone who participates often in the HackerOne live hacking event scene. And you are someone that participates often in the Pwn2Own scene, right? And I kind of wanted to do an episode where we discuss the differences of these two worlds of Bug Bounty, right? Cause I feel like there's the HackerOne, Bugcrowd, Intigriti, that sort of group. And then there's like the Pwn2Own ZDI group. And we don't see a lot of overlap from them,
oddly enough. And I think there is some reason for that. I think some of the skill sets are a little bit different, especially with Pwn2Own and ZDI primarily focusing on RCE as a vuln class, pwning, as you would say, a specific target. So I'm excited to kind of iron out the differences between HackerOne-related live hacking events and Pwn2Own-related stuff.
But I also, before we jump into all that, I want to hear a little bit about you and how you got into hacking and how you ended up at the Pwn2Own competitions.
Sina (SinSinology) (02:46.07)
I appreciate it. So first of all, let me just start by saying English is not my first language. So if I kind of like do a stutter or anything, I hope people forgive me for that. I'm trying my best, kind of. Yeah, so about giving a brief introduction about myself, I'm a full-time vulnerability researcher. I've been for the last, I don't know how many years now.
Justin Gardner (@rhynorater) (02:59.33)
Yeah.
Sina (SinSinology) (03:13.968)
And when I started, I actually started as a developer. I was making commercial websites with my brother when I was a kid. And then he kind of taught me like web development, basic stuff. And then we were just making websites and then finding customers to sell them, e-commerce websites, very, very simple stuff back in the day. And then actually one of my websites one day got hacked and then it got defaced.
And Justin, can you see me? I just wanna make sure, all good?
Justin Gardner (@rhynorater) (03:45.353)
Yeah, yeah, you cut out for a second. So we're having a little bit of connectivity issues, but no worries. You said, so you're developing websites and then one of your websites actually got hacked and defaced. Wow.
Sina (SinSinology) (03:51.872)
Yeah, yeah, actually one of my websites got hacked, and then after that happened.
Justin Gardner (@rhynorater) (03:58.679)
Was this a bigger customer? Was this a small site? Like, what was the?
Sina (SinSinology) (04:03.36)
It was a small customer, but the problem was, so back in the day, I don't think people even do it nowadays, but I would just make, I don't know, five backends and I'd just change the frontends for different customers, because it was e-commerce websites, right? You have the shopping cart, you have checkout, all that stuff. The logic is kind of the same, right? And then so I would just
Justin Gardner (@rhynorater) (04:20.109)
Mm, yeah.
Justin Gardner (@rhynorater) (04:27.607)
Yeah, very common components.
Sina (SinSinology) (04:29.377)
Exactly, the very, very common components. It would be like five different backends and then the frontends would be like hundreds of different kinds of frontends. And yeah, one day one of my websites got hacked, and then they would keep getting hacked. Like the guy kind of dorked it on Google or something, and then it was just like finding all of them and then just blasting all of them, and then just defacing them and then just submitting them to these like, kind of like,
you know, defacing websites from back in the day. Maybe let's not name them. But anyways, they were just submitting them and, I don't know, you know, reputation, and it was just defacing them. And then when I saw it initially, I was like, wow, it was the first time that I was seeing something that I made being hacked. And then I was so surprised by it. And then I thought it over and I was like,
Justin Gardner (@rhynorater) (05:01.493)
Yeah
Sina (SinSinology) (05:24.631)
let's actually reach out to the guy, because he defaced the website and then he left his email address down the page saying, I don't know, hacked by this kind of cool hacker handle, and then some sort of a country flag was on it too as well, some blood dripping from the page, all this cool CSS stuff. And then he, exactly. And then he had his email address there and then I reached out to him
Justin Gardner (@rhynorater) (05:32.908)
Wow.
Justin Gardner (@rhynorater) (05:44.307)
Man, of course, very dramatic defacement.
Sina (SinSinology) (05:53.613)
I said, hey, I made the website on the day behind it. I do this for a living. And I was wondering if you can give me some pointers on how you did it so I can prevent it from happening again, so I can keep selling my stuff. And then the guy replied back to me and was like, I like your initiative that you reached out to have the problem solved in some sort of a way. So he was like maybe impressed or something. And then he wrote back to me exactly what the problem was. And he was using all of these complicated terminologies, which back in the day I didn't kind of understand. Like things like, like you had a SQL injection here. And then after I exploited your SQL injection, I was able to, the user
your website was running on was like a MySQL user with root privileges, and I was able to write to a file or something. And then after I wrote to a file, I managed to visit the file and then get code execution with my web shell. And then the web shell from the old school back in the day, the ones that existed back in the time. And then, yeah, he did it that way. And then he
Justin Gardner (@rhynorater) (01:18.405)
Wow.
Sina (SinSinology) (01:37.667)
He was giving me my code snippets back, like marking them exactly where the bug was, which was crazy. And then I realized how far he was able to go just through like, from like an initial bug to another bug to another bug, but I didn't understand like chains or whatever back in the day. And then I was so like fascinated by like the things that he did. I've told him
Justin Gardner (@rhynorater) (01:43.773)
Right, right, wow. Yeah.
Sina (SinSinology) (02:08.116)
I'm so grateful for all the explanation that you did. I'm actually so interested in this. I will try to pursue it to make my website better. And then it kind of clicked from that way to doing a lot of searches. There weren't a lot of resources or whatever. You had these, I don't know, Chinese forums or Russian forums or, I don't know, forums up here and there. I think.
Justin Gardner (@rhynorater) (02:31.965)
Yeah, when was this in the timeline? Was this like, you know, early 2000s or like when was this?
Sina (SinSinology) (02:37.823)
This is, yeah, yeah, something like that. Something like that, yeah, exactly. Yeah, something like that. And then, yeah, it was again way more than like something from the 90s maybe, like way more, but you didn't have like PayloadsAllTheThings or something that was like a centralized place where you had all the links to the latest techniques and tools and tricks and
Justin Gardner (@rhynorater) (02:41.425)
Wow, that's crazy man. So not a lot of stuff out there at that time to learn how to
Sina (SinSinology) (03:05.538)
bypasses and mitigations. You didn't have people dropping bypasses on Twitter that much as they do now. Every day there's like a new bypass, right? And I was actually very interested in it. And then I started like searching and searching and searching and translating. I had this Babylon, I don't know if I'm pronouncing it right or wrong, this Babylon translator on my desktop, just copy pasting stuff to it and then just trying to understand different kinds of languages, what they were
meaning. And then yeah, basically I've got it from there, and then I was so interested in it that I started pursuing it and going after it and then trying to learn more and more and more. And then shout out to one guy who actually played a key role in my learning curve. People don't know him that much because he's not globally well known.
I don't think even he's on Twitter or something. His name is Maysam, Maysam Monsef. He was a teacher of mine back in the day that taught me a lot about web development security. He was like one of these old school hackers who learned everything by himself. He was from the 80s or 90s something and then everything by himself. And he was this
Justin Gardner (@rhynorater) (04:24.263)
Wow.
Sina (SinSinology) (04:33.355)
So to this day, he was like a legend to me back in the day and he had like played like a very, very key role in my learning path and teaching me a lot of things. He helped me to build like a strong foundation in algorithm and understanding like coding and everything, not just copy pasting and like just like, he built like a really good foundation for me. And then I've took, exactly.
Justin Gardner (@rhynorater) (04:57.147)
Skipping, skipping that script kiddie stuff.
Sina (SinSinology) (05:02.271)
I can't tell you how much of a strong foundation he had. He has even still to this day, I'm sure. That taught me a lot about, if you understand the architecture actually, instead of just copy pasting payloads and just getting your way, if you understand how things actually work, that takes you a lot of extra mile. Yeah, but.
Justin Gardner (@rhynorater) (05:25.757)
Yeah. Yeah, absolutely. And I think it's really interesting that you started out from web dev and then you went to web hacking, right? And I think that's a pretty traditional flow for the people in like the HackerOne scene as well, is like, you know, now we're focusing on these web bugs and like IDOR and access control related stuff, right? But then, you know, instead of going down this path of like, let me identify all of these web bugs and do web related stuff quite as much,
Sina (SinSinology) (05:38.551)
Exactly.
Justin Gardner (@rhynorater) (05:54.941)
you end up somehow in the binary exploitation scene as well. So what was that progression like as a hacker? When did you start switching from, all right, I'm finding SQLs in PHP code to, all right, let me load this thing up in Ghidra or whatever and start reverse engineering
Sina (SinSinology) (06:16.75)
That's actually a great question. So exactly back in the day, at that time that I started working on web stuff, the same guy that I knew, he was actually an expert in low-level exploitation. And he was very good at it. He was this C++ guru, and then he was able to craft exploits for kernel drivers and everything. He was just genius. And then we were actually, so we didn't have access to
Justin Gardner (@rhynorater) (06:37.179)
Mm. Mm.
Wow.
Sina (SinSinology) (06:46.849)
IDA, and Ghidra wasn't a thing back then, and like a lot of these assemblers that you see nowadays weren't a thing. So we were just using OllyDbg, if I'm pronouncing the name right. So it's like one of these really ancient, powerful, very, very, very powerful debuggers that I still see people use to this day. So he told me, he told me that, listen, like you can use this tool and.
Justin Gardner (@rhynorater) (06:56.552)
Yeah, yeah.
Justin Gardner (@rhynorater) (07:05.789)
Mm -hmm.
Sina (SinSinology) (07:14.346)
I don't have time, he didn't have a lot of time on his hands. He wasn't like a personal tutor or something. He was more like a friend. And then he kind of encouraged me to go learn assembly. He was very like...
He was very strict with foundation. So he wasn't like, okay, you just open this up, you just drag and drop something here, you look for this and that and click, click, click, done, or like copy paste stuff. He was very strict with building a strong foundation. And then that's why I went out and then started buying books and stuff about learning assembly, like Hello Vort. We had some sort of a local hacker
Justin Gardner (@rhynorater) (07:38.668)
Mm -hmm.
Justin Gardner (@rhynorater) (07:52.851)
How did you meet this guy?
Sina (SinSinology) (07:59.512)
kind of thing back in the day that, yeah, exactly. And then I was trying to like connect with people to learn from stuff. And then I didn't end up making any friends, but I did end up meeting this guy. And then the way that I met this guy was actually through like, initially I thought he's just a web dev guy, but he was way more to what I thought he was. He was super humble, super humble, super humble guy that he didn't
Justin Gardner (@rhynorater) (08:00.446)
That's awesome. Very cool.
Sina (SinSinology) (08:29.046)
start like blabbering about, okay, I know this, I'm like the jack of all trades or whatever. He was actually like, he was actually very, like he was a ninja. Like he is still to this day. And he was also a great teacher, which not everybody can teach. You can be great at what you do, but.
Justin Gardner (@rhynorater) (08:40.059)
Hahaha
Justin Gardner (@rhynorater) (08:47.121)
Yeah, that's a rare overlap. If you have the ability to, especially, be a jack of all trades, have such a high amount of knowledge, and then be able to teach, and then furthermore, to be able to teach in such a way that you give the student the right foundation and allow them to almost learn for themselves, teach them how to learn how to get some of these skills along the way. That's, man.
Sina (SinSinology) (09:06.732)
Exactly.
Justin Gardner (@rhynorater) (09:13.294)
What a blessing this guy was to you and it seems like he was really key in your
Sina (SinSinology) (09:15.724)
Yep.
Exactly, yeah, he was like a high booster for me in, if I am anything today. I haven't reached much today, but if I've reached anything that you can count, it goes back to the roots of meeting with him. Basically, yeah, he encouraged me with building the foundation, and then after, I started reading about exactly at the same time, so I would divide my day
to doing like, I'm gonna do web stuff. I'm gonna learn about like SQL injection, like, I don't know, local file inclusion, remote file inclusion, this, this and that, then serialization and whatever, back in the day. And then I would also be dedicating some like three, four hours to reverse engineering, building up the foundation, like learning assembly and learning all of that. And then there wasn't, again, there weren't many resources, but the ones that were available were actually good enough.
Justin Gardner (@rhynorater) (10:07.709)
Wow.
Sina (SinSinology) (10:18.308)
And you know, like at least for me,
Sina (SinSinology) (10:24.686)
I think it was pretty important that things were more difficult back in the day, and that kind of helped me to struggle more and to try more. Nowadays that things are, I think, pretty much even, I think it kind of, I don't want to, I don't want to, exactly, it's more developed, right? Maybe using the word easier will offend someone. Not easier, but it's like more accessible to people.
Justin Gardner (@rhynorater) (10:40.209)
It's more developed, for sure.
Justin Gardner (@rhynorater) (10:51.538)
Absolutely.
Sina (SinSinology) (10:52.854)
Yeah, and then that helps more into finishing something. And then I think not having a lot of available things as much as today compared to back then, it kind of helped in developing that kind of intuition to not give up and then just keep trying and keep trying and keep studying and keep studying and keep studying without thinking that when does it get over? Because it never gets over. It's just endless. Yeah.
Justin Gardner (@rhynorater) (11:18.023)
Yeah, exactly. That's one of the things I always tell the students that I work with, is like, listen, you can read all these tutorials and you can go out there and, like you said, a lot of the content is made really accessible nowadays. But the real learning is going to occur when you get out there and you fail and you fail and you fail and you fail and you fail and you fail, you know, but there's a finite number of failures between, you know, now and the next time that you pop a crazy bug, right?
And so you just got to get out there and start knocking those out of the way, because experience is going to be the best teacher in a lot of these scenarios. You see some of these newer guys just looking at HTTP requests and they're like, man, I have no idea what all of these headers mean, you know? And I'm like, all right, well, just look it up real quick, you know? And you got to pay the price to know, you know, what these things are. And then once you've started knocking them out, once you've started doing some reps on it, you know, you'll sort of get a sense for what's interesting and what's not interesting. And I think...
we've kind of inversely switched into a different problem now, which I see a lot of people fall into, is what we call education procrastination, which is you're just constantly learning, reading, reading, learning, learning, and you never get to the actual doing part. And I think it's so important for beginners to get out there, even if you don't feel like you know what you're doing, even if you're just stabbing in the dark, to just get out there and fail and have that be a key part of your education process.
Sina (SinSinology) (12:46.484)
I don't wanna sound like a guy who was just gonna say exactly, yes, I agree with that, but sure speaking facts, exactly, I agree with that. And then as corny as it sounds, like when you tell people nowadays to try harder, go at it, like as you said, do the reps or like fail and fail and fail and all of that, it sounds like all of these
Justin Gardner (@rhynorater) (12:57.775)
Thanks man, that's great.
Sina (SinSinology) (13:12.78)
Because nowadays there are all of these motivational videos, or people trying to sell you a course on how to become a billionaire, using the same actual sentences as we are saying right here, it might kind of cancel out in some people's minds that, okay, we're just trying to make it sound difficult, even though it isn't. Like, if you wanna do cool shit, like you gotta do the reps, you gotta, you know, you gotta, you gotta,
build this, right? You gotta fail and fail and fail and debug and debug and debug and then look at that to develop that. I think you gotta start another separate channel for bodybuilding stuff for bug bounty hunters. Yeah, exactly. Rep session. Okay, yeah, hopefully.
Justin Gardner (@rhynorater) (13:48.083)
Just like these muscles, right? Yeah.
Justin Gardner (@rhynorater) (13:57.097)
For the bodybuilding, my gosh, well, I know you said you hit the gym right before this episode, so maybe you and I will do a gym episode in Vegas or something like that. All right, so you said, so you met this guy and he really helped you with a foundation of, okay, so we're working on SQL injection and then we're switching over to reverse engineering for a couple hours, and we're really kind of getting a great foundation in place.
And so I'm curious, you know, as this foundation starts going in place, one, how are you feeling as you're building all this, right? Because you're not actively out there like popping exploits and stuff like that. You're building a lot of this foundation. So are you feeling antsy, or are you just kind of like, maybe this isn't the right path? Or are you kind of trusting that this is the right path and just kind of being really interested in the stuff that you're learning at the
Sina (SinSinology) (14:52.271)
This is a question for at the time, right? Back in the day, right? As I was doing it, yeah. So I didn't have any perspective of what I'm gonna do. Like I didn't think there would be a job, even that there is like a cybersecurity job, a vulnerability, nothing. I just wanted to get shells, just wanted to get that rush when you exploit something and that...
Justin Gardner (@rhynorater) (14:56.337)
Yeah, at the time. Yep.
Justin Gardner (@rhynorater) (15:07.529)
Sina (SinSinology) (15:20.512)
And also the pause between these rushes, that you're spending time to find a bug. So that pause kind of would build that expectation. And then when you satisfy the expectation of, I hit it now. I've got a shell. I popped calc. I popped MS Paint, whatever. Like I just wanted to do it. I didn't have any idea. Like it's addicting. And then at a time, one might ask that, okay, then how were you making a living? Like you couldn't just
Justin Gardner (@rhynorater) (15:39.781)
It's addicting.
Sina (SinSinology) (15:49.583)
stay at home and just do this. So I had my developer gig, and then I would just try to make money out of that, and then I tell you, like 24/7, like 24/7, I would just get the client project done or whatever. And the good thing with the development jobs, like I told you, you had, I don't know, like 10 backends and you just change the frontends, whatever, and then sometimes minor modifications in order to sell that kind of CMS or whatever product you had at the time.
Justin Gardner (@rhynorater) (15:50.269)
Right, right.
Justin Gardner (@rhynorater) (16:18.407)
Right,
Sina (SinSinology) (16:19.647)
And then, yeah, I would just be like, my whole work was just that, just to reverse engineer or do source code review and just find bugs. And I would just go on any kind of website that would say, okay, this is a trial of our product, this is a demo of this like open source, closed source, whatever. Just take it, just test out everything, like fail and fail and just
go into these different rabbit holes, and I literally didn't, I kid you not, I would just install the software and I'd be like, okay, what am I gonna do next? What am I even going, attack surface? Attack surface was a joke. I didn't know what an attack surface was. I couldn't even, I would just install it and I'd be like, okay, I'm just gonna interact with this thing and then understand if shit can go wrong at a certain point, just like that, right?
Justin Gardner (@rhynorater) (16:58.793)
Hahaha
Sina (SinSinology) (17:14.871)
And then as I was doing this and just reading and reading and reading and all of that, and kind of like, you know, it goes kind of like, you know, it's like the classic, classic background story of everyone else. Like they started from somewhere, they did their time, they paid their dues or whatever. And then after a while they, exactly. And then they build it up, I did this, I did. And then after a point, your skills just get sharper and sharper at the time.
Justin Gardner (@rhynorater) (17:33.105)
Yeah, exactly. Paid their dues,
Sina (SinSinology) (17:44.175)
And then, yeah, I remember, like, I have to tell you, like, it was 24/7. Like I would just work until like 12 or 1 PM and I would just sleep until like six, seven, and I would just wake up, same screen, same screen, just looking at, just like reversing, testing. Yeah, like.
Justin Gardner (@rhynorater) (18:02.825)
We just, you love it, right? I mean, I think one of the common themes that we see is, in the beginning, you didn't know that this was a job, right? And I think that's one of, I love bug bounty. Bug bounty is one of the most amazing things in my life, for sure. But I do think that there's been a con to bug bounty a little bit, which is people focus on the bounty. People focus on, my delimiter for success with learning hacking is whether or not I'm getting bounties or not. And that's not how it's supposed to be, right? You need,
you need to love the process of growing and hacking. You need to love the process of seeing this piece of software and just understanding how it works and understanding its little nuances that you can break. And not to say that people can't just do bug bounty as a job. People can do bug bounty as a job. And if you're not super mega passionate about it, I'm not trying to gatekeep bug bounty from you. I think to get to this level where you're
finding super crazy stuff and you're just absolutely loving your job, there has to be that focus on hacking as a passion first, and then you're like, wait, this can be a job too. So I always try to tell people to release that whole expectation of bounty in the beginning, and just more focus on hacking as an art and as a craft.
Sina (SinSinology) (19:25.55)
You got a pointer, and let's say, let me also mention this, right? So at the time when I was doing it, and a lot of other people, the whole thing was like a dark path where you didn't know where you're going.
Like you didn't have a centralized place with all the attack surfaces and all the attack lists and all of, kind of like, what's available or whatever. It was kind of like a dark path where we were just going, and then you try to light up all the different alleys and different streets or whatever on this path, just slowly. But nowadays, I don't know what it's called, like what's the right term, but it's like when you have a huge amount of information available now, and then when you wanna start,
you kind of get shocked, right? You get scared. You're like, there is so much to learn. You're like so, exactly. You get overloaded and you're like, my God, like, I don't know if I can, I don't know if I want to start this because it's too much. How am I supposed to learn all of this? Which adds a different kind of difficulty for today's people who are starting it or haven't started it.
Justin Gardner (@rhynorater) (20:18.447)
Overwhelmed and overloaded.
Sina (SinSinology) (20:40.311)
Back in the day, different problems, now different problems, right? And then you have a lot of competitors and different kinds of stuff adding up to it as well. I think just start, just keep doing it, just learn as you go, just learn. Don't think about all the possible, all the what's available, just try to learn it slowly, building it, just go with a normal pace and going and going and just build it up and.
Don't get distracted a lot, and then, I don't know how to put it. I think at a certain point I just keep repeating myself.
Justin Gardner (@rhynorater) (21:19.303)
Well, I think you're repeating yourself because this is a part of the process, you know, is just going down that pathway and, like you said, figuring it out as you go. And I love that you acknowledged that there are difficulties to modern day education in Bug Bounty too, because I think that's a really fair assessment of it, is that, you know, back in the day we had too little information, but now we've got too much information and it's hard to balance those two, right? And so the only way to balance those two is get out there
and do it. And so that's why I always talk about, you know, I've got pinned to my Twitter profile sort of like a blueprint for how to get started in Bug Bounty. And essentially what I say is, in the beginning, you know, do 80% learning, 20% hacking, you know, and then you move up to 60% learning, 40% hacking, and then it's 60% hacking, 40% learning, right? But notice how there's always some hacking involved in there, you know, like, you have to be out there actually doing the hacking for you to get reps.
I think that's really important. So, okay, so that's a little bit of your background. You kind of started with this really rigorous training and you were doing it for the passion of it, and you didn't even know that this could turn into a job. So when did that web development scale out, and when did you start working as an offensive security expert or vulnerability researcher?
Sina (SinSinology) (22:39.375)
So I was just doing this, just doing it for myself, just trying to exploit stuff and just having my exploit Python files in my local drive and just looking at them and feeling like I rule the world or whatever. And then just getting high on that. And then after going again and again and again, just exploiting different kinds of stuff.
Justin Gardner (@rhynorater) (22:56.817)
Hahaha
Sina (SinSinology) (23:08.813)
At a certain point I started hearing, interacting with other people and then hearing about, okay, like there's a thing, like cybersecurity roles, like pentester roles and all of that. So it wasn't like vulnerability researcher or whatever. We had this only one title back in the day, pentester. Are you a pentester or not? That's it. Yeah, so I started, like I said, as a pentester and then just normal stuff, like, I don't know, attacking Active Directory,
Justin Gardner (@rhynorater) (23:25.725)
Pentester,
Sina (SinSinology) (23:34.497)
different kinds of like attack and active directory and network scanning, like vulnerability scanning, different kinds of tools, this and that and that, and then just like what usual people do, nothing fancy, just like, but I always try to like do like that extra mile, would just like bring, even though I don't recommend it to people, like this doesn't sound right to people and people just prohibit doing this, but I did it back in the time.
because I didn't do it for the companies that I work for, I just did it for myself. I just like bring work home and just trying to go that extra mile to like find something fascinating or find something interesting. If it was just like a network pentest, maybe I can find some sort of a custom software that I could like find like a heap overflow in it and then I just like craft an exploit for it. How hard could it be? It's a Windows XP, it's not like a Windows 11 or whatever, which has like all the mitigations or like...
Justin Gardner (@rhynorater) (24:14.441)
Mmm.
Justin Gardner (@rhynorater) (24:28.124)
you
Sina (SinSinology) (24:32.352)
even there's ways to this, but it was way easier, right? I would just try to go that extra mile to try to apply my, I would make shit up, I would make targets up. My boss would have told me, okay, just test this software and that software and that software. That's what we're being paid for, right? You can test these as well, but we're not getting paid for. I was like, okay, I wanna test those as well, I'll just bring it home. I'll just work on them and work on them and all of that. And then, yeah.
Justin Gardner (@rhynorater) (24:56.585)
Yeah, that's great. Yeah, I mean, that was sort of the same sort of thing that I had, which was like, okay, first you get in that pen tester role, right? And then the next step is like master that and like get it so that you can get very satisfactory results quickly. Let's say it's a 40 hour test, you're popping everything and getting it done in like 20 hours, right? And then that extra 20 hours you've
is like additional value add to the client. Okay, and by the way, here's a zero day in this library you're using or like, you know, here's, that's perfect, man. And that's exactly what I did as well. I think that's a really good takeaway is like, you know, go for these, go the extra mile on these engagements. But I think a lot of people try to skip that first step, which is first master what you're supposed to do. You know, master that initial pen test where you can get the results, you
Sina (SinSinology) (25:27.032)
Exactly.
Justin Gardner (@rhynorater) (25:50.685)
that you need for the client quickly. And then you've got that margin either at work or like you said at home to go the extra mile and build out these extra exploits and apply the knowledge that you're getting through your own study to these targets that you're working on. That's awesome, man. Okay, cool. So then you're in that pen testing environment, you're growing, you're growing.
And then do you stay as a pen tester long term or are you switching into vulnerability research and where does Pwn2Own fit into this whole equation?
Sina (SinSinology) (26:20.579)
Yeah, so I was just doing these pentester roles and then just going through the ranks, so then I had a junior, senior, mid, whatever, just going up. And then at the same time that I was learning all of these, Bug Bounty was being promoted a lot and all that, and people were getting more into Bug Bounty, even though there were people doing it way back. People were doing it exactly the same day HackerOne was launched and then like,
Justin Gardner (@rhynorater) (26:28.327)
Mm-hmm.
Justin Gardner (@rhynorater) (26:50.173)
Yeah,
Sina (SinSinology) (26:50.508)
people were doing it like all that, but it was getting like more promoted and like all that. And then I kind of started trying it and then I wasn't good at it. I did make some money. I did make some money and then like I was just like targeting different kinds of things. the good thing, to be honest, maybe if I would have like pursued back then, like it would have been better instead of like giving up on it because people
there wasn't much automation back there as is today. So if you would have been clever enough to make some sort of automation back in the day, you would have been maybe drowning money or whatever. it just didn't work for me, even though I did make some, and if you were clever enough to, okay. And if you were clever enough to make some sort of automation, like in a day you would be like drowning in money. And, but I, I kind of like, I didn't like, I didn't click with the whole concept. wasn't probably because I wasn't like.
Justin Gardner (@rhynorater) (28:25.8)
Yeah.
Sina (SinSinology) (28:35)
pretty much good at it. But I did make some money. I was like reporting to Microsoft and all of that. And then, which was good, I was like making good money. Microsoft was paying, Microsoft was paying a lot of money back in the day. I think compared to today, maybe, I don't know. But what happened was, to answer your question, one day as I was like any other day that I was just like watching five or six conference videos from different kinds of things that would come up to try to like find my own niche or whatever.
Justin Gardner (@rhynorater) (28:49.361)
Mm, mm.
Sina (SinSinology) (29:04.751)
I saw a video of a Hack in the Box conference from Steven Seeley. I think you know him. I saw one of his talks and when I saw it, it was so fascinating to me. I was like, I've gotta do exactly what this guy does. And I started Googling his name, reading whatever he wrote and then.
Justin Gardner (@rhynorater) (29:12.998)
Mmm. Yeah, classic.
Sina (SinSinology) (29:32.958)
get familiar with his blog and all of that, reading all of his exploits and all of that. And then one thing that I learned as I was doing all of this stuff was trying to reproduce other people's work. I can't stress how important it is today, even though it's easier today to do it, but I don't think many people are doing it. You have Docker images that people will set up.
Justin Gardner (@rhynorater) (29:47.268)
Mm, mm, very important.
Sina (SinSinology) (30:01.742)
10 minutes after the CVE comes up, you can just do like a Docker start and then you have the already vulnerable image set up, port exposed, you have a sample of the payload and then you can just like fire it and test it, right? And then people like start like making all like nuclei stuff and like just like a spray through the whole internet or whatever, right? And a lot of other stuff that I'm not aware of, right? That's just the thing that I know. But back in the day, right, people just like publish the exploit and then people weren't doing like n-day analysis and all of that,
And to be honest, nobody told me to do it. I was just thinking, okay, I want to do exactly what Steven Seeley does, right? I want to get to his level, even though he's like way, way farther than I can even look at, right? He's just like on this whole, like a different mountain. And then I was like, okay, okay, maybe the best thing is if I read these blogs and I don't understand it, I will just write down everything that I don't understand, even from a
word that says, I don't know, something like, I don't know, whatever. Just write it down and then just like, it's sort of like slowly building up my foundation to understand his blogs. And then let's, let's install the same software. Let's try to find the same bug. Let's, let's just try to do the same thing as he did and keep failing at it and just keep doing it and keep doing it. I've tried to reproduce as many advisories and exploits as he had published. And then,
And then I've kind of like, I was feeling that I'm stepping in the same shoe as he has. I was just like stepping in the same shoe and then I started like developing that kind of like intuition, just like close, not exactly just close, just trying to like be like him, right? A well-known, expert vulnerability researcher.
Justin Gardner (@rhynorater) (31:50.147)
Mm. Mm.
Sina (SinSinology) (31:58.91)
who has done anything you could think of. Back in the day, he was making heap exploitation plugins to do crazy stuff. So he's not just this high-level guy who's only doing this one area. He has done it, everything you can think of. He has done low-level exploitation, hardware embedded, high-level stuff, exotic architecture, whatever you could think of. He has done it.
Justin Gardner (@rhynorater) (32:17.683)
Right.
Sina (SinSinology) (32:28.566)
like he became and he is still to this day, my role model, even on my blog, if you go there, like there's like an about page. On top, I put his name saying like, this is one of the guys who had like direct, direct like impact on what I am today, even if I am anything today. But yeah, basically, I've kind of like started following his path, just going after what he did and all the things that I just said before and then got to the point.
Justin Gardner (@rhynorater) (32:44.531)
Yeah.
Justin Gardner (@rhynorater) (32:54.185)
That's great. Yeah, that's really great, dude, because I think when you see somebody like that and they're inspiring, it's easy to be like, yeah, I want to be like that. And then just think about get sort of fixated on the end goal. Wouldn't it be cool if I was a vulnerability researcher, if I did this for a career or whatever? And then instead of focusing on that end goal, you start reverse engineering it. You say, OK, well, in order to get to where he was, he did all these bugs.
So I'm gonna go back and try to reproduce all these bugs and make it so that I could have found these. So I like how you reverse engineered Steven Seeley as well, that's great. You apply that reverse engineering stuff to your role model there in that capacity as well. And that's great. So I guess where I wanna go from here is I wanna talk about, I wanna do one more section in the...
you know, about you area and talk about your favorite bugs and how those have evolved over the years as you've gained more capabilities. And then I kind of want to move into your hacking methodology specifically and how you've been popping all these bugs on all these targets nowadays for Pwn2Own and even outside of that. And it's very source code analysis heavy. So I'm excited to talk about that as well. So start with what are your favorite bugs that you find a
and then kind of move into your hacking methodology.
Sina (SinSinology) (34:25.544)
Nowadays, the more stuff that I find that are more interesting to me are more memory corruption kind of stuff. Either it's between a kernel driver, mostly Linux-based, or is it an embedded device or something else, right? More memory corruption-oriented kind of stuff are like...
my top favorite kind of stuff to do. But the things that I'm allowed or able to blog about is mostly the high level stuff that I find, which are either deserialization, path traversal, your simple stuff, non-memory corruption kind of stuff, everything that all the other people are finding. I just love to explain code and just go through that.
and just build it up from there. It's exactly like projecting the way, at least I'm trying to, I'm basically copying. That's why I'm saying, maybe projecting is not the right word, but the work that Steven has been doing over years and years, that he puts the source code, exactly, he puts on the source code and then he just starts building up saying,
Justin Gardner (@rhynorater) (35:35.65)
Mm. Yeah, because he's dabbled in both. Mm-hmm.
Sina (SinSinology) (35:43.13)
I don't know, the source is from here and then we reach the sink, right? We go to this whole path and then I've tried to like do the same thing as he was doing and he has been doing. But my favorite kind of stuff are like memory corruption stuff, but one of my also other favorite kind of things to do is like any .NET related vulnerabilities.
And I'm not just saying that to promote my own training, even though I have a training, people are like welcome to do. And I'm so happy, I haven't announced it yet, but I'm so happy to say like, I have like August training coming up and it has been like filled up, right? I've had, thank you, like it had like 25 seats, 24 seats have been filled up and I'm so happy about it.
Justin Gardner (@rhynorater) (36:19.081)
That's amazing, yeah.
Justin Gardner (@rhynorater) (36:31.301)
No way, dude, congrats.
Justin Gardner (@rhynorater) (36:38.547)
Wow.
Sina (SinSinology) (36:41.441)
like it's crazy. when I started like making the training, I thought like, you know, you get, whenever you want, whatever you want to start, you think like, I don't know, like maybe, maybe nobody likes it or maybe nobody can, but you know, like if you build that, they'll, they'll show up or whatever. And then I've, I've tried to like give it as a workshop, different places and just like going to different countries and different conferences and doing it. And then people, people were nice enough to, to post like feedbacks and stuff. And that feedback helped on,
promoting the training for other people to show up. And then I've had like 15 registrations, 15 or 14 registrations until like, I don't know, three weeks ago or something, two weeks ago. And then after I published, I dropped like three exploits at the same time, three blog posts with a privilege escalation. After I dropped those three blog posts,
saying that I'm doing this to promote my training and then people started like 14, 13 other people signed up for the training, which was really cool to me.
Justin Gardner (@rhynorater) (37:47.015)
Yeah, man, that's perfect. So you found a nice way to get publicity to that and you found a way to add value to the community. You know, you drop this blog post, everyone's reading through this. They're like, wow, this rocks. And then, you know, you've got, let me check out this guy and his course. So that's really exciting, man. And, you know, this pod is going to drop soon. So you need to get another class that people can sign up for or maybe like a wait list or something, because I'm sure a lot of the listeners to this podcast would love
Sina (SinSinology) (38:08.344)
Thank you. Appreciate it. Yeah, I appreciate
Justin Gardner (@rhynorater) (38:14.727)
to sign up and check out this class, especially if you want to get into this a little bit deeper realm, right? Like a lot of the stuff that we talk about here is some web-related vulnerabilities and stuff like that, but one of the things we stress all the time is if you can get your hands on source code, man, that is so sweet. Like if there's any possibility of you remotely being able to get your hands on source code, it's amazing. And with .NET stuff, that's more and more possible.
And so yeah, definitely check out this course if you're interested. We'll link it down in the description. And so I guess when you're dealing with .NET stuff, how do you approach that? Give us a little bit of insight into your methodology for
Sina (SinSinology) (38:50.478)
appreciate
Sina (SinSinology) (38:58.044)
Yep, so
What I do is no magic. Like I just do the same thing as many other people have been doing for years and years and years. There is, to be honest with you, like the reason, the reason completely like there isn't much of a secret sauce. It's just, it's just doing the same people do, but I just, I don't do it like once. I do it a thousand times and then out of those thousand times, maybe five targets are vulnerable and then people only see the end result of the blog post coming up, right? But I just like keep doing the same thing and
I started picking up things. With .NET, after you acquire the software, whatever, that you think worth investigating, either it's a well-known, I don't know, if it's well-known software such as Exchange or SharePoint or a SolarWinds product, these are well-known products.
you get them, you acquire them, and then you install the software, and then you start to map out the attack surface. But in order to map out the attack surface, you need to understand you're working with a .NET target. The good thing with .NET is when you can decompile .NET and get almost the exact code that was written initially to decompile it, which is amazing. Like Java, it is, you can decompile it.
Justin Gardner (@rhynorater) (40:11.591)
I love that man, I love that.
Sina (SinSinology) (40:19.116)
given that it hasn't been minified or obfuscated, which is sometimes a problem, but there are ways for that as well. But yeah.
Justin Gardner (@rhynorater) (40:26.461)
So what are you using for that? So like, are you using dotPeek or?
Sina (SinSinology) (40:33.602)
Yeah, so there's a lot of software that you can use. You can use dotPeek, Rider from JetBrains, you can use ILSpy, dnSpy, Visual Studio, you can use all of those. And I sometimes switch between them, sometimes for some reason one of them doesn't work and they're like, okay, let me try the other one or whatever. But I...
Justin Gardner (@rhynorater) (40:51.146)
Do you have a preference that's your first go -to?
Sina (SinSinology) (40:54.498)
Yeah, I usually go with the most generic one people use, dnSpy. That's my favorite. But I know a lot of experts who use Visual Studio. It's a bit, maybe it's a bit
Justin Gardner (@rhynorater) (40:58.729)
dnSpy, okay.
Sina (SinSinology) (41:08.335)
it takes just like a, if you haven't done it before, it maybe takes you like an hour to figure out how to do it, but just the first time. But you can use like Visual Studio too, but I use like usually dnSpy, it has always worked for me. The latest version of dnSpy is called dnSpyEx because dnSpy was abandoned. And then, yeah, dnSpyEx. And then it's funny on a like a non-related kind of thing.
Justin Gardner (@rhynorater) (41:26.063)
Okay, dnSpyEx.
Sina (SinSinology) (41:34.478)
The guy who's been developing dnSpyEx for the last, I think, four years, maybe five years, he's like 19-year-old, 20-year-old kid who, yeah, he's like a self-taught .NET developer. His name is, his handle is ElektroKill, if I'm not wrong, and he's this genius kind of dude who's been adding a lot of features to the project and just taking the project by his own. People commit, but.
Justin Gardner (@rhynorater) (41:44.838)
No way.
Sina (SinSinology) (42:02.53)
the majority of the crucial commits are from him, things that are involved around the engine.
Justin Gardner (@rhynorater) (42:05.779)
Dude, I love people like that. I love people like that, that do that massive service to the community. And when you said dnSpy, I went to the old repo and I was like, man, this hasn't been touched in like four years. I'm kind of surprised you're still using this, but yeah, no, it makes sense that with dnSpyEx, and that's EX by the way. I searched dnSpy just the letter X and it didn't come up. So dnSpyEx, very cool. Yeah, and I know that Joel is a little bit more of
Sina (SinSinology) (42:29.217)
EX,
Justin Gardner (@rhynorater) (42:34.705)
of a fan of dotPeek and that whole family of products over there. But I think it's definitely worthwhile to switch between the two because there are some weird things sometimes where one will reverse it and the other one won't. And I've seen this in Java plenty of times as well, because there's so many Java decompilers as
Sina (SinSinology) (42:52.045)
Yeah, so usually giving out some pointers to people, these are a couple of well-known things. This is not something that I only know or like a secret knowledge or whatever. But with .NET sometimes you try to debug a process and then for some reason either you're not, you attach to the process and then you start putting breakpoints and then in dnSpy or whatever kind of thing that you're using and then.
the breakpoints won't be set. The software kind of like gives you such an error or something that I can't set a breakpoint here. Or you do set a breakpoint on different places and then you go and in these like debuggers, right? Whenever your breakpoint hits, you can look at the local variables, global variables, whatever, right? It's called locals. And then you can start looking at them, but.
for some reason you get errors when you try to find their value. Like the software is looking into the memory to find the value of whatever, doing some sort of things behind the scene. But you're not able to see it. That's because with .NET at least, there can be different reasons. But one of the reasons which happens like 70% of the time is because the image, so we call .NET executables like images, right? We can call anything image, but this .NET executable or image,
Justin Gardner (@rhynorater) (44:11.433)
Mm-hmm, mm-hmm.
Sina (SinSinology) (44:14.592)
or select DLL or whatever, it has been optimized. When you execute a .NET project, .NET runtime will optimize these DLLs and make them in a way that the debugger isn't able to peek into the values, so you need to deoptimize this, like the images. And in order to do so, there's a lot of like, not a lot, but there's
three or four blog posts out there that say how to do it. Basically, you create an INI file next to the image name, and then you just put some sort of allow optimize and some other things in there, and you switch their values to disable them. And then you just kill the process or restart the process, and then now the next time that it comes up,
the image isn't optimized anymore and then the debugger can easily breakpoint anywhere, work with multi-threaded applications, look at locals and everything because .NET has a lot of concepts of optimization, global assembly cache and some other stuff called ngen, next generation ngen images which basically all kind of, it can be explained way more but just to put an end to the concept is the image has been optimized.
Justin Gardner (@rhynorater) (45:17.498)
Mm-hmm.
Sina (SinSinology) (45:34.532)
run faster or run more efficient. So the debugger can't really work with it for some reason. You need to de-optimize it by putting the INI file next to it and then you're all sorted. You can start debugging this target.
Justin Gardner (@rhynorater) (45:44.809)
Wow, dude, that's awesome. And I just want to shout out as well, just some of the copy that was in your sort of description for your course. It was like, hey, listen, this is 80% stuff that's out there and 20% stuff that's special to me. But, you know, why should I pay for something that's 80% public and 20% not? You answer that question so eloquently, it's like, like
This is how people learn about stuff is getting all of these, that 80% squared away. And there's a lot more than just that 80% out there. So if you're swimming in this sea of knowledge. And what you're doing with this course is giving them that 80% that they need, right? And I think that's absolutely pivotal. When you come against this scenario and you're just trying to set up a debugger on this thing and you're like, oh, I can't get it to set the breakpoints or whatever.
Sina (SinSinology) (46:19.536)
exactly.
Justin Gardner (@rhynorater) (46:36.423)
That sort of knowledge is absolutely pivotal. So what you're paying for with this course is a way to lower, to narrow in on the stuff that you need to be more high performing in a .NET environment, which I think is very high value. So I think that's really cool.
Sina (SinSinology) (46:49.102)
Yeah, and one thing, I apologize for jumping in, but one thing I wanna say, I always say that I kinda like do these small workshops, which are a couple of hours, is the sample of the training of what you will get when you come up for the training. To try to promote my training, just like many other people have been doing for years, right? You gotta start doing it, promote it yourself. And then I tell this,
Justin Gardner (@rhynorater) (46:53.94)
No.
Sina (SinSinology) (47:18.448)
to people a lot. Genuinely, the course is expensive and I really don't recommend it if you're some sort of a student or like a solo person who's making an earning by himself to come up to the course. Even though I would love saying that, come up to my course, I'll teach you everything. Doesn't matter who you are, but I genuinely say this. If you're an individual, it just doesn't add up.
spending that much money for a training, even though who doesn't love students? For me, it's generating money, right? But it's, I think it's mostly preferred if you're working for an organization or a company that the company is investing in these like employees and these vulnerability researchers to come to somebody's training who is advertising that he can like take you from the basics to pretty, pretty, pretty advanced in .NET exploitation. For that company,
The price makes sense, but for an individual or for a student, it doesn't. And I get a lot of emails from people who are students, sorry, I get a lot of people from, email from people sending me emails saying like, they're kind of like a student and can you give us a discount or whatever? And I have given them discounts for those people and they've actually signed up. But I always say this, like, you can learn all of these by yourself. All of this yourself,
Justin Gardner (@rhynorater) (48:21.331)
Well then, mm.
Sina (SinSinology) (48:44.868)
don't think you have to come to my training or anybody's training. You can learn all of this yourself. That's how I learned it. You can just search the titles, go to the blogs, each blog will at least have one or two references to other blogs. And this just goes like a whole web of stuff and then just keep following again. And then after you follow these kind of stuff, next thing you know, like eight months later, nine months later, you're like,
you have like a pretty, pretty good foundation now on all the things. Exactly. Yeah.
Justin Gardner (@rhynorater) (49:17.543)
Yeah. So this is just the fast track, you know, like if you're trying to do, if you're trying to get it quickly, if you're trying to understand exactly what you need. And I like also that it makes me trust. I haven't taken your course and, and, you know, we haven't done any deals on like, you know, promoting your course for this podcast, but I think I'm much more likely to take your course because of what you just explained about foundations and like, and, how much this guy helped you and how, how much that was a part of your learning experience, because what you want out of these fast track courses is not
Solve all my problems. What you need is like, give me the tools that I need to solve my own problems, right? When I go up against these targets. So I think that's really encouraging. But I do wanna push back a little bit on something you said, which was that this is for organizations because, I mean, how much does this course cost?
Sina (SinSinology) (50:05.553)
It costs like 3000 pounds, British pounds, which yeah, you need to, yeah, and then you need to like, and then when people go and start paying, they see the tax as well on the money and then they're like, oh, this is too much money, which makes sense. yeah, sorry.
Justin Gardner (@rhynorater) (50:08.905)
3000 pounds, so what, $4,000 maybe
Justin Gardner (@rhynorater) (50:24.156)
Well, what I wanted to say with this, sorry to interrupt, but what I wanted to say with this was like, if you're a bug bounty hunter and you're just a solo bug bounty hunter, I do this full time, I would have no qualms paying for this course out of my own company, my own earnings, right? Because I know that if I use the techniques in this course and I apply this and I get just one RCE out of this on some of these more enterprise grade targets, that pays out
much more than this $4,000 that I'm paying. And I have just walked away with all those skills, right? So not only do I get ROI, but I get the skills as well. So I just think, you know, from my perspective, I think bug bounty hunters are a little bit, I don't know, I think there's something about them that makes them want to go this route of like, you know, learn it all yourself, build all the tools yourself, that sort of thing. And I think that's excellent. But for the people that are wanting
are getting frustrated with their bug bounty journey and they want to expedite the process a little bit and then maybe pivot out of a job where they're unhappy or something like that. Doing something like this, paying the money upfront and then expecting to see an ROI I think is a great move and a move that I don't see enough people do, invest in their own education.
Sina (SinSinology) (51:43.248)
Yeah, like four days, 32 hours, like you understand like 90%, 95% of what you need. And in the training, it is a long course and like all the targets are like real world softwares that I've like exploited or like other people have exploited. I'll bring it in the class, we'll have set it up and then we'll just go through the whole chain.
Justin Gardner (@rhynorater) (51:55.241)
It's a long course, dude.
Justin Gardner (@rhynorater) (52:05.897)
That's awesome.
Sina (SinSinology) (52:10.513)
like a lot of bugs, more than like 25 bugs, a lot of chains and like all the areas, like you fully understand all the serializers that are out there for .NET, not just like running ysoserial and if it fails, if it fails, whatever, actually being able to like craft chains, gadget chains and like making exploit chains and all of that and going through that, to be honest, like it is pretty, pretty much, as I said, valuable.
And I understand you saying like bug bounty hunters, I don't know if it's the right word to use, but might have the luxury to be able to afford such trainings to get that ROI. But again, I love students, who doesn't love the students? I love anybody who wants to sign up. I'm happy to, I'm making a living. I will do my part to give the training and I'll also make getting the money out of it. But if you're like, if you're a person,
Justin Gardner (@rhynorater) (52:47.355)
Mm-hmm. Yeah.
Sina (SinSinology) (53:07.598)
watching this, listening to this, whatever, right? If you open the website, because back in the day, this is what happened to me and I feel for these people, right? Because this happened to me. You open up the website, you see the syllabus, you see the guy who's teaching it, you're like, okay. First, you need to get convinced if the guy knows his shit, right? And then you're like, okay, he might know something, right? I believe he knows something. I wanna go to his training, sounds interesting, but.
this is too much money, I can't afford it. Don't let that stop you from pursuing .NET exploitation. Just do it. Just copy paste the syllabuses that I have and just keep searching. You have a problem, you don't understand it, I put my email out there. Just copy paste it, send an email saying, can you give me some references, I wanna understand this topic or that topic? I'm happy to do so. I don't wanna hold it back because you're not taking out anything from me.
Justin Gardner (@rhynorater) (53:41.745)
Mm. Mm.
Justin Gardner (@rhynorater) (53:59.453)
That's awesome,
Sina (SinSinology) (54:05.973)
it is something that I learned from other people as well. I'm just giving you references to go learn it. It will take me five minutes to give you that link to go learn it. And people have, and I've said, this is not the first time I'm saying this, I've said that in different classes and conferences that I've been to. And this has actually impacted people. And they have been writing me emails saying, we want to understand how to exploit this kind of serializer that has been implemented in .NET. Can you get, can it afford the training?
Can you give us some references on places that we can go read about this, whatever, right? And I've sent them links, I'm happy to. Don't let that stop you. You can do it, absolutely. Nine months, eight months, one year, if you do it constantly, you do it like that. It's nothing, it's easy. It's not black magic, it's not secret knowledge. I've learned that by Googling. You can do it too, yeah.
Justin Gardner (@rhynorater) (54:41.107)
Dang dude.
That's a great offer.
Justin Gardner (@rhynorater) (54:58.905)
Mm. Mm.
Justin Gardner (@rhynorater) (55:04.647)
Yeah, no, that's a great offer, man. I think that you kind of open up the floodgates a little bit there. So be careful because what will end up happening is you'll start getting people messaging you. That's great. Well, hey, man, take advantage of this offer while it lasts with him because at some point he's going to get to the point where he can't reply to all of them.
Sina (SinSinology) (55:04.877)
Yeah, sorry.
Sina (SinSinology) (55:13.136)
Yeah.
Sina (SinSinology) (55:17.602)
It's fine to be honest. It's fine. Yeah. Yeah.
Sina (SinSinology) (55:29.561)
reply
Justin Gardner (@rhynorater) (55:32.061)
While he's offering this, take advantage of it. Yeah, so Sina, I wanna move over to a topic that you sort of mentioned before and then something you also have in the notes saying that a debugger is super important to you. And I have a little confession to make here on the pod. I have not set up a debugger, like an active debugger, on a target that I've worked on before. I've done so much, you know, white box, you know, source code review, that sort of thing, but it's always been me looking at the code,
Sina (SinSinology) (55:32.42)
Yeah. Yeah, come on in,
Justin Gardner (@rhynorater) (56:01.745)
me crafting an exploit, me sending it in, and then being like, you know, why the frick isn't this working? You know, and not having any introspection into it. And when I think about the luxury of having a debugger, I'm like, man, that would make this process so much easier. So for those of us that haven't actually had that experience before, can you talk a little bit about what that adds to you and then how, just at a high level, how difficult it is to set it up in various environments, like a Java environment or a .NET
Sina (SinSinology) (56:33.058)
That's actually a really good question. Even I was the same back in the day, I would look at the source code if it was like a web app. And I'd be like, okay, this is a function. It's taking two,
input arguments from the query string or maybe the post body or whatever or maybe a header. I can see it clearly in this code and then it's, I don't know, passing it to like a SQL query without sanitization. Okay, I understand it. I just need to hit the same point with my Burp Suite or whatever and provide these arguments and then I will hit it, right? And most of the times it works, right? But at a certain point in time, you come across applications which are
Justin Gardner (@rhynorater) (57:05.937)
Mm-hmm,
Sina (SinSinology) (57:12.858)
far more complicated and then for some reason you're trying to send those parameters or whatever, either it's a TCP server which has been written in C/C++ that you need GDB to attach to, it's a compiled binary, or it's a .NET target which you need to attach dnSpy to it, or it's like a Java target which you need to attach like its own debugger to it. Either it's, I don't know, like you can use like JetBrains products or any kind of other product you wanna use.
to debug it. And then for some reason, you're not hitting that endpoint. The Burp Suite is, I don't know, you're getting like a 404 or an unauthorized or whatever. If you're doing only source code review and it's like a huge application, you might think, why doesn't it work? Should I move on? Maybe the code is dead or whatever, or maybe something. You don't know that thing, right? That's something, you don't know the thing.
Justin Gardner (@rhynorater) (58:04.903)
Now somebody's inside my brain. That's exactly what I say in my brain. I'm like, why isn't this working? I can see the source code. Like, why?
Sina (SinSinology) (58:10.231)
Exactly. You say like, I'm seeing it, like I do see my decompiler, disassembler or whatever, I'm seeing it, like why isn't it being hit? But when you attach a debugger to that, like to that target, if it's say like a Java target, you like use the cap, many people just Java, but like I usually use like JetBrains product for Java targets, you attach to it and then you understand, okay, there is a filter or an
or a middleware, which is like way, way, way before this route gets called, and that's looking for a certain header that I'm not sending it. And that's why, for example, I'm not reaching the sink, reaching this function or whatever. That helps. Or sometimes you wanna bypass mitigations and you wanna keep testing for it or fuzz the behavior or whatever. When you attach a debugger, you can, in most of these debuggers,
you can start writing expressions, right? You can write Java code or .NET code or like peek into the memory or change stuff and then call a function again and again and again and then that kind of like speeds up your analysis and your understanding exactly, which is perfect. I've actually started with debuggers like with like GDB, I was just mostly debugging like low level stuff.
Justin Gardner (@rhynorater) (59:23.953)
Yeah, I'd say so.
Sina (SinSinology) (59:37.06)
just like peeking into the memory, no extension, no GEF, no pwndbg or "pwn-bag", whatever you want to call it, no WinDbg or "win-bag", whatever, none of those. I was just using pure classic GDB for embedded exploitation, most of that. And then I was doing more web app and .NET, Java. I was setting up PHP debuggers, .NET debuggers, Java debuggers, and all of that. And then setting up a debugger helps a lot.
It is painful sometimes and people choose to move on. I have chosen to move on sometimes. But as I grew, I've learned to not move on and whatever it takes, just have it set up. I kid you not, in some of the Pwn2Own targets that we worked on, there were some like exotic architectures.
that they don't have, it's called an RTOS, like a real time operating system. So it's not like a Linux or whatever that you can get a shell and then you can upload a debugger or whatever, right? It's a real time operating system. And you need to, when you want to debug stuff, you got to like open up the device and like attach some sort of like a physical device and all of that. And just like, it's pretty, pretty painful. And then when you go through that, you're like, okay.
Justin Gardner (@rhynorater) (01:00:36.409)
Mm-hmm. Jeez.
Justin Gardner (@rhynorater) (01:00:49.412)
no.
Sina (SinSinology) (01:00:58.641)
that takes like 10 hours, how long it's gonna take me to like set up this Java debugger. Okay, one hour, two hour, let's just do it, right? It works. Yeah.
Justin Gardner (@rhynorater) (01:01:07.453)
So, okay, I'm sold. I'm sold. You sold me on the debugger thing. That's great. But the next thing is kind of what I want to ask about is how does this work with various targets, right? Because you're attacking these IoT devices. You don't have access to the firmware specifically. You don't necessarily have access to this Docker container of the operating system or anything like that. And you want to get one of these things set up. How do you get that set
And then also, in a scenario where you're dealing with a .NET application or whatever that has its own Docker image or something like that, how are you reaching into that Docker image and setting up this debugger versus something in the IoT world where you've got a physical device that you don't have an image
Sina (SinSinology) (01:01:55.263)
Yeah, okay, I think I understand the question. Please try to jump in if it wasn't the right answer or if you felt like this is not the answer to your question. Most of the time, I don't know if it's like a Java target, if it's on a Windows or a Linux, you need to understand how the Java process is being started and then you can provide arguments to that command that's starting the Java process and then when you provide arguments to it, you can enable
Justin Gardner (@rhynorater) (01:02:03.14)
Mm. Mm.
Sina (SinSinology) (01:02:23.738)
like Java Debug Wire Protocol, like JDWP, or like other stuff to enable debugging, which exposes a debugging service that you can connect to with your debugger. Most debuggers allow remote debugging. So that's what Java with.
Justin Gardner (@rhynorater) (01:02:35.235)
Okay, okay. So for Java, let me just echo this back to you so I can make sure that I understand it. You know, for Java, let's say we've got a Docker container, it spins up this Java app or whatever with the jar file. You find whatever like .sh file or whatever that's being run that triggers that Java command, you know, java -jar, whatever, right? And then you modify that file and you say, okay, now I'm gonna turn on debugging and then maybe you gotta open the port in Docker or whatever.
Sina (SinSinology) (01:02:51.622)
Yeah. Exactly. Yeah. Usually.
Justin Gardner (@rhynorater) (01:03:04.411)
and then you can connect to that debugging port via your debugger and it will allow you to just jump right in and control that flow of the application.
Sina (SinSinology) (01:03:29.274)
Yeah, exactly. Yeah. You got it right. You have this Docker image. You will try to get a shell on the Docker image, modify it in some sort of a way to enable some sort of arguments to the Java starter command or whatever, a bash script or whatever it is, in order to enable debugging. That's what Java, usually, that's the trick, right? There are some special cases too, but usually, that's the way to do it, as far as my knowledge goes. Can you hear me right?
Justin Gardner (@rhynorater) (01:03:59.037)
Yes, yeah, absolutely. So for something like .NET, I imagine it's a little different. Are you loading up a DLL or something like that, or how are you addressing
Sina (SinSinology) (01:04:00.506)
Okay.
Sina (SinSinology) (01:04:06.759)
Yeah. Okay. Yeah, so with .NET you just like, you have different kinds of debuggers, but with dnSpy, usually what happens is, yeah, you use dnSpy to, dnSpy has like a debugger feature. You can attach to processes or launch a process. When you launch a process, you can start immediately debugging from the program start. When you attach to a process, you attach to its current state, whatever it is at the time that you're attaching to.
Justin Gardner (@rhynorater) (01:04:26.711)
cool.
Sina (SinSinology) (01:04:36.09)
attaching to it and then you attach to it and then you can start debugging. But sometimes when you start debugging that target process in .NET, you start seeing, okay, my breakpoints are not even hit. So you need to do the optimization trick that I told you about, that you just place an INI file next to it with some sort of a value and then you just restart the process and then you attach it again. There are some special cases too, but these are the usual things that happen.
Justin Gardner (@rhynorater) (01:04:49.91)
Mmm, mmm.
Sina (SinSinology) (01:05:00.974)
With IoT stuff, like embedded stuff, most of the times, it's a device which is like Linux-based, has like an operating system or whatever, you wanna push GDB to the device, so you have like a statically compiled GDB client or a GDB server, you push it to the device, you upload it in some sort of a way, considering you already gained a shell on the device, because with IoT stuff,
when you get the device, first you need to acquire initial shell on the device through a different kind of way.
Justin Gardner (@rhynorater) (01:05:31.965)
Yeah, so let me ask about that process really quickly. I also want to go back to the .NET thing for a second, because I would like to ask about remote debugging with .NET, because in the scenario that you had, we're in the same environment. We can just attach to the process or whatever. But if we're doing, let's say we're running this .NET application in a different environment, is there some way to connect from a remote context for that?
Sina (SinSinology) (01:06:01.307)
As far as I know, this is as far as my knowledge goes, I don't know if it's possible to debug a .NET process remotely. With Java, it exposes a port that you can connect to remotely. So basically it runs a listener, but with .NET, as far as I know, dnSpy attaches to a process and uses Windows debugging APIs and mscorlib, which is the Microsoft library for .NET, like the CLR,
Justin Gardner (@rhynorater) (01:06:09.691)
Okay. Yeah. Okay.
Justin Gardner (@rhynorater) (01:06:18.13)
Sure.
Sina (SinSinology) (01:06:29.639)
the Common Language Runtime, which are like .NET specific technologies and engines, and uses those to debug into that process, to attach to that process, to debug it. But I haven't heard about somebody debugging a .NET process remotely.
Justin Gardner (@rhynorater) (01:06:46.077)
Yeah, that makes sense. Okay, so moving to the IoT side then, you kind of need to get a shell, right? That's step number one. So let's say you've been given a new Pwn2Own target, you've got this IoT device, and you're like, all right, now I need to pwn this thing, right? So I mean, normally are you taking hardware hacking approaches to getting that first shell where you connect via JTAG or UART or whatever and try to get a shell, or are
Sina (SinSinology) (01:06:54.022)
Yeah.
Justin Gardner (@rhynorater) (01:07:14.141)
trying to find some sort of vulnerability where you can get that initial shell and then use that initial shell to debug the system and get other shells. Also, once you've pwned the system, you're getting diminishing returns for that target, right, in a Pwn2Own environment. So how does that work? Like, does it make more sense for you to continue to focus on a specific target after you've already gotten the shell, or does it make more sense to move on to the next target?
Sina (SinSinology) (01:07:43.235)
You asked a lot of good questions. So I try to stay on track. Please, I talk a lot. So please, whenever it's enough, just like do a kind of like a sign language. It's like it's enough. So yeah, so you can just go on. Yeah, okay. You kind of like gave out the answer for it, but yeah, you have this device, you want to get an initial shell on it.
Justin Gardner (@rhynorater) (01:07:56.073)
I'll hit you up. You're doing great. You're doing great.
Justin Gardner (@rhynorater) (01:08:01.447)
So initial shell, how do you get the initial shell?
Sina (SinSinology) (01:08:10.309)
Assuming it's a Linux-based target, not like an RTOS or whatever kind of other device that can be, usually it's a Linux system, right? And then you want to get a shell. In order to get a shell on this device for Pwn2Own Mobile, it's called, for mobile devices, IoT, you either use like a hardware technique, JTAG, UART, like maybe you dump the chip, you can do glitching or whatever. You kind of like find a way to interface with a device in order to like
to interface with this console or whatever if it has one. And then one way could be through that and then sometimes this console that you connect to from like UART or whatever have been protected, you need to like bypass the protection. Sometimes it's like a default password in order to get a shell on the device. Sometimes you can use techniques such as glitching in order to, can you see me?
Justin Gardner (@rhynorater) (01:11:24.413)
I feel like there's only two approaches to this. There's hardware hacking techniques, where you've got your UART, you've got your JTAG, you've got glitching related stuff, that sort of thing. Or you gotta go black box, and you gotta try to pop it without actually having the source code or whatever. I guess there's one third option as well, which is if you can get your hand on the firmware, then you can sort of be white box, but still not have a debugger.
What is your go-to flow with that and how do you address all of these three possibilities?
Sina (SinSinology) (01:11:56.017)
Yeah, that's a great question. So in order to like start researching like an IoT device, basically first you need to like get the device. After you got the device, you want to interface with the device, right? You want to get a shell on it, assuming it's a Linux-based system, not some sort of RTOS or whatever. And then you can use some sort of like a UART, JTAG, whatever to interface with the device. Once you do interface with a device, if it has like some sort of a console, try to like, usually after the console, you have unlimited shell, like you have like a root
or whatever and you want to get around it. Basically what I'm answering is the usual answer. There can be different scenarios, special cases as well, which happen often. But in order to bypass that kind of like a console, either you get the password or you can get the password or whatever. Sometimes the password has been published by someone else or whatever. It's like a root123 or a vendor name or whatever. And then if you can't get around it, then you can like
Justin Gardner (@rhynorater) (01:12:31.869)
Mm-mm.
Sina (SinSinology) (01:12:55.89)
glitching, sometimes glitching helps. Almost all the time glitching works. Glitching is super powerful. If you master it, the sky's the limit. And then you can use glitching to get around that protected shell. If you do, that's one way. Sometimes the firmware is available on the vendor website. You can just get the firmware, backdoor the firmware, and install the firmware on the device and just get a shell. That's it, right? Sometimes it can happen.
Justin Gardner (@rhynorater) (01:13:19.133)
Mm, mm.
Sina (SinSinology) (01:13:21.358)
Sometimes you just gotta like YOLO it and then you're like, okay, I just take the chip off and then just read the chip and then write to the chip, backdoor the firmware or whatever, repack it and then just put the chip back. You need to like know desoldering, like soldering, soldering, like all that. And sometimes the chip on the device is not like a simple normal flash chip or whatever. It's like an eMMC or a BGA, which you usually see on your phones. So when you like desolder or like take it out,
you need to know how to do reballing, which not anybody can do, reballing exactly. You gotta have like steady hands and like do a clean job. Sometimes there is some sort of wiggle room for you to like mess up just a bit, you don't need to, you don't need to be perfect in doing it, but sometimes it, which I've tried it actually, for Pwn2Own 2024 in Japan I had to, we were targeting these infotainment systems, which are like infotainment for cars, and then most of the times
Justin Gardner (@rhynorater) (01:13:53.966)
Mm. It's hard, man, it's hard.
Sina (SinSinology) (01:14:21.186)
you couldn't actually fight like.
You had to like desolder it and this, for me, like for a lot of them I had to desolder them and then the device is so expensive, like I don't know, two grand, three grand, four grand. You can't just buy two or whatever. So you need to like desolder it and you need to know reballing to put the chip back and then to use your shell or whatever to go on the device and start working on it. But the sky's the limit, as I said, sometimes. And then maybe, maybe, maybe sometimes even you don't need to make it more difficult. Maybe sometimes black
Justin Gardner (@rhynorater) (01:14:34.298)
Ugh, man.
Sina (SinSinology) (01:14:53.544)
you can find a command injection in the application and just get it without that, that's it, right? So maybe, maybe try to go with the easier approaches.
Justin Gardner (@rhynorater) (01:14:59.593)
So question about the IoT thing though, man, that's a two grand device. I know that I've only had one or two experiences hacking an IoT device where I actually have to like pull the chip off, get it read, pull the firmware, that sort of thing. But the first time I did it, I was literally like, I was shaking, and this is like a $60 device that they gave me for free.
And so, do you guys have to buy your own devices for these competitions or are they like comping you for the devices at all afterwards if you find a valid bug?
Sina (SinSinology) (01:15:30.866)
Yeah.
Sina (SinSinology) (01:15:36.85)
Usually with 99% of the targets, you need to buy them yourself and then sometimes the device is only available in the US and you're in another continent or something and then the device is only sold in the US. So it goes to your imagination how difficult it is. How difficult it is to get the product to you.
Justin Gardner (@rhynorater) (01:15:49.321)
Jeez.
Justin Gardner (@rhynorater) (01:15:56.679)
And you gotta hack the system to even get your hands on the device.
Sina (SinSinology) (01:16:04.059)
Yeah, it gets difficult, but worth mentioning for like targets like Tesla, right? So you wanna target Tesla, right? If you're a well-known researcher or you have done Tesla exploits before for Zero Day Initiative, Pwn2Own competition, Pwn2Own will provide you with another car. They don't send you the car, right? Yeah. Yeah, not another car, but they will...
Justin Gardner (@rhynorater) (01:16:25.853)
I was gonna say, all right, extra incentive here.
Sina (SinSinology) (01:16:33.976)
send you the correct ECUs that you need, the computer in the car, the ECUs that you need that are part of the attack surface that are accepted. So you need to wire the ECUs and whatever and make sure when you plug it into your outlet, you don't burn the ECU or whatever. And then you can set it up and then just start finding bugs on it. But that's not for someone who just wants to come to Pwn2Own the first day and
they will give him like ECUs or whatever, give him or her whatever. It depends on that kind of like relationship that you have with the organizers and Tesla knows you and all of that kind of stuff. But the answer is yeah, yeah.
Justin Gardner (@rhynorater) (01:17:14.537)
Wow, that's crazy. That's nuts. And I wanna ask, so, you know, this is a high-risk environment for you. You're buying these things. I know that I burned through four chips, I think, the first time I was trying to pull a chip out, you know, just from lack of experience. And I did better afterwards. You know, I bought, I think, like 10 of the devices or whatever, and I was able to finally get it consistently. But, you know, when you're going into it, it's a pretty high investment environment.
How much of the time would you say that you're dealing with, I can just connect to UART or JTAG and get a shell versus I have to pull the firmware via pulling the chip, the eMMC chip, and getting it into a reader and getting it to read versus like a black box approach versus like firmware. Like what is the distribution of those for? What is most common and what is least common?
Sina (SinSinology) (01:18:12.474)
Let me think how to, you're asking pretty solid questions. That's why you're getting me hooked on it. So basically like in the first, I think in the first 12 hours or 10 hours, I'll kind of like exhaust all the possibilities that I can get a shell, except the black box kind of thing. In the first eight or 10 hours, I'll exhaust all the
Justin Gardner (@rhynorater) (01:18:17.395)
Mm-mm.
Sina (SinSinology) (01:18:38.386)
hardware related kind of techniques that I am aware of that I can maybe launch against this target. 10 hour, is it enough? Isn't it enough? I don't know. It's just the way that I do it. And then after, if I don't get a shell in that like 10 hours, or I conclude that, okay, after this 10 hours, I've exhausted all the simple tricks that I could do. Now it doesn't work in the 10 hours. Either I'm gonna go black box.
Justin Gardner (@rhynorater) (01:18:52.264)
Mm-hmm.
Sina (SinSinology) (01:19:08.446)
Maybe if I would have gone with black box, I would have found it in the first five minutes. Who knows? You don't know. That's just me. Or I would be like, okay, I will invest more time on glitching it at the right time. Because you might say, why don't you always just take the chip off? Because sometimes the chip is encrypted and then the keys are stored somewhere else. Or you need to talk to the system on chip, SoC, or whatever. Or it's in an enclave or something.
Justin Gardner (@rhynorater) (01:19:15.389)
Mm, mm.
Justin Gardner (@rhynorater) (01:19:28.498)
Mm-hmm. Yep.
Justin Gardner (@rhynorater) (01:19:32.603)
secure enclave or whatever.
Sina (SinSinology) (01:19:38.677)
And it's not as easy as that. So sometimes, kind of like in the first 10 hours, I'll conclude either I want to go fault injection fully, or I would just want to be like, okay, I can't do anything. I just got to black box it somehow and then find a way in. Which this kind of
Justin Gardner (@rhynorater) (01:19:56.88)
What's your intuition on the order of how often these work? Like, 50% of the time, UART gives me a shell. What's your intuition on how often these various techniques
Sina (SinSinology) (01:20:11.459)
The most often way that I use, just use UART. I just use UART and then I combine it with glitching and then you get a shell. You definitely get a shell. At least for me, I don't represent all the people who have done this kind of research. This is just my answer. For me, just combine, I just connect with UART. Sometimes you have a shell, which you don't see often happening, at least for Pwn2Own targets anymore.
Justin Gardner (@rhynorater) (01:20:20.335)
Mm. Mm.
Justin Gardner (@rhynorater) (01:20:30.547)
Sure, sure.
Justin Gardner (@rhynorater) (01:20:39.161)
Mm-hmm. Mm.
Sina (SinSinology) (01:20:40.508)
They're like high value targets. So they've been well tested, kind of. The easy doors have been closed. And then I just combine it with like glitching and then most of the times they don't have any protection against glitching. And then just, that's my way in. That's my usual go-to. And then if that doesn't work, I'll go for the chip. If that doesn't work, black box.
Justin Gardner (@rhynorater) (01:21:04.305)
Okay, gotcha. Wow. That's pretty cool. So a lot of times, you know, I think it might be worthwhile for me to invest a little bit into understanding how glitching works a little bit better, glitching and fault injection, because yeah, once you go that route with the, when you're pulling the chip off, I've never soldered a chip back on successfully, you know, and gotten it to read. That's very hard to do. And I think you need some more advanced equipment than what I've got as well. I've just got a, you know, beginner's hardware.
hacking setup here with my hot air gun and a shit ton of flux and that sort of thing. So that's really interesting to hear that fault injection and that sort of thing is a more common approach for you to get through there. Okay, cool. So now we've gone through that path. We've got a shell on this device. Now we're getting a debugger setup live on
that actual device. So you're kind of looking through the file system, you're trying to figure out what is starting the web interface or the whatever TCP interface or whatever, and then you're hooking into that. Is that the idea?
Sina (SinSinology) (01:22:00.124)
Yeah. OK.
Sina (SinSinology) (01:22:13.031)
Yeah, so once you have a shell now, hopefully you'll start like understanding what's available as the attack surface, right? The goal is getting remote code execution without user interaction on this device. And one other thing that you need
Justin Gardner (@rhynorater) (01:22:24.669)
Mm, mm.
Sina (SinSinology) (01:22:26.353)
you need to consider is sometimes, sometimes Pwn2Own says, for example, these kind of services are out of question, right? We don't want, if an exploit is impacting these, we don't want it. Even though you are achieving remote code execution, but if it's targeting this service, we don't want it. Because these, this has kind of like recently came up in Pwn2Own in the last,
Justin Gardner (@rhynorater) (01:22:35.865)
Mm, mm.
Sina (SinSinology) (01:22:51.961)
few years, you wouldn't be dealing with it as much as it might sound, but it can happen that, for example, if they say, I don't know, this router, any exploit on the UPnP service, universal plug and play, we don't want it because UPnPs are in these targets are not made by the vendor, they're made by the third party. Even though you might come and say, okay, doesn't matter, the client is using it, but for some reason,
Justin Gardner (@rhynorater) (01:23:13.255)
Right, right.
Ridiculous, yeah.
Sina (SinSinology) (01:23:22.165)
They have their own reasons, right? And they're the organizers. So it's their rules, it's their game, right? They say like, we don't want it, right? They have their own reasons. And then, so you might not want to be looking at it, but basically you find services, exclude the ones that should be excluded, and then you start working on them.
to see if you can trigger anything remotely. Basically, what are the open ports? Sending a packet to each port, what does it do? What does it trigger? What service does it work with? You take the service, you try
Is it decompilable? Do you decompile it, disassemble it, whatever. You set up a debugger, you attach to it, you start analyzing all what's available. You look for dangerous behaviors. You utilize your static analysis. You set up a fuzzer. It can be a black box fuzzer, a dumb fuzzer. You kind of like develop your intuition on making a faster and better fuzzer. You make like a snapshot based fuzzing with like emulation. You make a grammar for your fuzzer. You make it better and better.
Justin Gardner (@rhynorater) (01:24:22.835)
Wow.
Sina (SinSinology) (01:24:23.269)
to start harvesting memory corruption vulnerabilities. And when I said that, I said the sentence maybe in one or two minutes, having emulation set up in your local server or in your remote server to fuzz the same binary that was. So you have this target which has, I don't know, one gig of RAM or whatever, two gigs of RAM or maybe megabytes, right? You have this device and you wanna take, which has its own tool chain, which has its own operating
or whatever, you want to take this by architecture, right? Everything like, and it's not like using the word saying everything on it is living in an harmony together. It's just some sort of a shit glued together, which is like some sort of abomination that they've managed to like just make it work. And then you just want to take like one piece of that abomination and put it on the latest Linux version on your server. Of course it's not going to work.
Justin Gardner (@rhynorater) (01:24:53.807)
architecture, everything like that.
Sina (SinSinology) (01:25:20.515)
Of course. You need to, you need to, it usually never happens. So you need to set up like your own emulation with like QEMU or whatever you want to use, Unicorn, QEMU, Qiling, whatever, these are all frameworks. Yeah. Yeah, yeah, yeah.
Justin Gardner (@rhynorater) (01:25:20.935)
Right, of course. We pray, but it never happens. Yeah?
Justin Gardner (@rhynorater) (01:25:32.135)
Okay, that's great. Okay, hold on, hold on, hold on, hold hold hold. So you just, so I've heard of QEMU, right? Q-E-M-U. But what were the other ones you mentioned?
Sina (SinSinology) (01:25:41.28)
Yeah. Unicorn, it's Unicorn Engine. Same thing for emulation. The other one, it's written Qiling, which is Q-I-L-I-N-G. But as far as I know, the author of it, the guy who wrote it, says "chilling". So I'm saying "chilling" as well, but it's "killing" or whatever.
Justin Gardner (@rhynorater) (01:25:45.467)
Unicorn Engine,
Justin Gardner (@rhynorater) (01:25:54.607)
okay.
Justin Gardner (@rhynorater) (01:26:02.939)
Okay. Okay. Gotcha. Yeah. Okay. I see
Sina (SinSinology) (01:26:07.187)
It's also, it's a wrapper around Unicorn Engine which you can utilize to write emulation and even snapshot based fuzzing. But the most powerful one that I recommend people to go after is using things like, just like being able to like use like AFL with a combination of QEMU, if you can like slap those together and then make it work. LibAFL is a pretty powerful library, written in Rust.
Justin Gardner (@rhynorater) (01:26:16.198)
Okay, that's great.
Sina (SinSinology) (01:26:34.501)
So you gotta know how to code in Rust. That's kind of like a showstopper to a lot of people, but it's definitely recommended to be able to do it. As far as you can, yeah, if you can get QEMU and AFL working, that's a decent option. There are better options too, why not? But that's good enough, as far as modern knowledge goes.
Justin Gardner (@rhynorater) (01:26:44.135)
LibAFL, okay.
Justin Gardner (@rhynorater) (01:26:54.913)
Yeah, that makes a lot of sense. Okay. So I'm diving into your whole flow here. Okay. I'm breaking apart the whole brain. So we get a hold of a shell somehow, likely via hardware hacking, but potentially via dumping the firmware and then finding a bug with just code review and then popping it and then getting a shell. Then we're taking all the binaries, taking all the different pieces of the environment, decompiling it if we can, whatever. We're getting
Sina (SinSinology) (01:27:00.913)
Yeah, yeah, yeah.
Sina (SinSinology) (01:27:07.037)
Yeah.
Sina (SinSinology) (01:27:22.535)
disassemble it, yeah.
Justin Gardner (@rhynorater) (01:27:24.069)
Exactly. And then we go QEMU and then we go or any of these other emulation softwares to get the correct environment, get the correct libraries or whatever in the...
Sina (SinSinology) (01:27:36.979)
You don't have to, but for fuzzing or like having your local setup for like, because, because you, so why do you do it? I said before, you want to fuzz this abomination, but it's running on a device which is too slow. So if you want to blast it with like a million requests, either it's going to just like die or reboot or whatever. So if you manage to take it out and put it on a, on your own machine, which has like 128 gig of RAM,
Justin Gardner (@rhynorater) (01:27:52.019)
Right.
Justin Gardner (@rhynorater) (01:27:59.219)
Mm-hmm.
Sina (SinSinology) (01:28:06.407)
or like, I don't know, a ton of cores and it's like fast, all of that. You can just like, because I'm gonna say this, you're an expert obviously, but I'm gonna say this for people who don't know, right? So you have this binary, which is a, I don't know, imagine this device is a smart speaker, right? This smart speaker understands parsing MP3 files, right? And the way it works is,
the web server will receive an mp3 file and then will somehow pass this mp3 file to this executable. You want to fuzz this mp3 parser because you know maybe you can find a memory corruption in this mp3 parser so you can find a memory corruption in the speaker and get code execution that way. Either you can go by uploading mp3 files to the web server which the web server needs to process your HTTP request.
Justin Gardner (@rhynorater) (01:28:55.325)
I see, I see.
Sina (SinSinology) (01:29:02.406)
take the mp3 file, save the mp3 file, pass the mp3 file to the mp3 parser. The mp3 parser goes to the initialization phase to come up as a process, to allocate some memory, load its libraries and all of that, basically an active process. Then it opens the file, reads the file, starts parsing it. You went through, I don't know, nine steps to get to the parsing. But with snapshot-based fuzzing, you can eliminate all of those eight steps, take the file,
Justin Gardner (@rhynorater) (01:29:31.13)
Mmm.
Sina (SinSinology) (01:29:32.274)
write a snapshot-based fuzzer, it can easily be said but it's not easily done. You can set up your snapshot-based fuzzer to tell your snapshot-based fuzzer to... if this is the function which is... again this is a compiled binary, it's not source code, it's compiled. If at this function in this binary, this offset in memory, if this function, subroutine starts
Justin Gardner (@rhynorater) (01:29:52.957)
Right, right.
Sina (SinSinology) (01:30:00.88)
and it starts parsing this mp3 file and it ends here and there's a thousand other functions before and after it. We just want to fuzz this. So I want you to change the flow of execution to here and go until here. Then when it reaches the end here, you go back and then you revert the snapshot, revert the state of the memory to what it was, because you got to understand either you're fuzzing a stateless or a stateful kind of like function.
Justin Gardner (@rhynorater) (01:30:05.651)
Just this set. Mm-hmm.
Mmm.
Sina (SinSinology) (01:30:27.987)
Because maybe when you're fuzzing this like a subroutine or whatever, maybe it changes something global. If this is what you want to fuzz, maybe it changes something above it, right? Above it, outside of your area. And then if that thing changes a lot, it causes a crash, which doesn't happen normally. It only happens in your local testing environments, right? Now I'm getting too technical, but that's
Justin Gardner (@rhynorater) (01:30:49.857)
Mm-hmm. No, no, no, no, no. This is exactly what we need to know. So for these snapshot fuzzers, you're isolating a specific block of this compiled code, right? So you're doing this, looking at assembly, and you're just essentially priming the environment that this is run in with the memory offsets, et cetera. And you're just running it over and over and over again with different inputs to see what's triggering the breakage. And now I want to ask you this, okay? Because my intuition as a web hacker would be,
Sina (SinSinology) (01:30:55.994)
Yeah. Exactly. Yeah.
Sina (SinSinology) (01:31:12.498)
Exactly.
Justin Gardner (@rhynorater) (01:31:19.303)
shell the device, get the source code, look at the web interfaces or any of the external facing services, right? That would be my first thing. Whereas it seems to me that you use the external interfaces like, okay, this web interface, and then you just skipped over the web interface and you're like, and the web interface calls this binary with the MP3, and now I'm gonna grab this binary and fuzz the heck out of it. Is that because you are more interested in fuzzing as a hacker? Like that's the thing that you're interested in right now?
Or is that because you've seen more success in this environment going after the lower level things, the lower level binaries, that sort of thing, in the sort of abomination of a setup of an IoT device, Versus going after the web interface stuff.
Sina (SinSinology) (01:32:00.016)
Yeah.
Sina (SinSinology) (01:32:04.305)
Yeah, I just want to build up on what you said. It depends on you, but with Pwn2Own usually, the more difficult your exploit is, the better chance it's not going to get duped. Skipping the web server, I won't skip it, to be honest. Writing the snapshot-based fuzzer, to implement the snapshot-based fuzzer idea, I need to skip
Justin Gardner (@rhynorater) (01:32:21.417)
okay, okay.
Sina (SinSinology) (01:32:33.351)
But while it's, okay, the fuzzer is done now, it's fuzzing, I have time now. I can spend it on looking at the web server, right? And I do find, and then I found a command injection in the first request of the login page, right? Obviously, it's gonna be found by everyone, and obviously, it's gonna be patched the last second. So I shouldn't stop at that. I should find as many bugs as possible, hoping that at least one of them will survive.
It is a cruel kind of way to look at it, but that's just a fact because I'm ready until the last second of the competition. I'm ready. My full chain is ready. I have three bugs in my chain. I'm catching a flight. I'm in, I don't know, Vancouver, Toronto, whatever, right? I arrive 10 minutes before the competition, the vendor pushes the over the air update, either killing one of the bugs in the chain or killing all the bugs.
Justin Gardner (@rhynorater) (01:33:30.192)
Savage.
Sina (SinSinology) (01:33:32.306)
killing all the bugs in the chain, or even sometimes what happened to me was they didn't kill any bugs. They just added a feature or added even a string. Doesn't matter. Added something to the binary that will shift the offsets in a way that my exploit will fail, right? Because my exploit is like using some sort of, I don't know, like a ROP chain and it's relying on some sort of offset or something aligned at some place, right? So exactly, right? So.
Justin Gardner (@rhynorater) (01:33:43.314)
No!
Justin Gardner (@rhynorater) (01:33:47.492)
offsets.
Justin Gardner (@rhynorater) (01:33:56.805)
no. You must be furious.
Sina (SinSinology) (01:34:00.786)
That's why it gets difficult
Justin Gardner (@rhynorater) (01:34:02.825)
That's kind of bull actually. I feel like they should give you a version of the app. Okay, the product as it exists, you know, July 15th at 11:57 a.m. You know, like as it exists in that moment, that is what you're going up against, but they don't do that. They say the most current patch of the device and they can patch the device leading up to the competition day. Wow, is ZDI aware of this? I feel like ZDI would like, 'cause for HackerOne, you know, when we have
Sina (SinSinology) (01:34:25.638)
Yeah, exactly.
Sina (SinSinology) (01:34:31.772)
This is a ZDI rule.
Justin Gardner (@rhynorater) (01:34:32.381)
weird situations like this, wow, it is a ZDI rule. So for HackerOne, when we have situations like this, they intervene for us. They come in and they say, hey, hold up, listen, guys, clearly, Justin had an RCE here because he just handed you your /etc/passwd file. Even though it got patched, he shelled it, so you still owe him a bounty, right? But maybe that isn't the case in the ZDI
Sina (SinSinology) (01:34:35.707)
So with
Sina (SinSinology) (01:34:53.689)
Exactly.
Sina (SinSinology) (01:34:59.459)
No, so all of these rules aren't made by the vendor. They're made by ZDI and the motto is we want to make this as real world as possible. We're targeting real world software in real time. We're not, it's not a done deal with the vendor. So the targets that you'll see in ZDI, they haven't accepted to be in Pwn2Own. They haven't chosen to be in Pwn2Own. They've been brought to Pwn2Own.
ZDI just puts up the targets. The vendor doesn't have a say that we want this to be there or we don't want this to be there. They can take the initiative to approach ZDI saying, can we have our devices tested or whatever? Yeah, they can take the initiative to approach ZDI with putting something there, but they can't take the initiative coming saying, we don't want our product to be tested. It's not their call to make.
Justin Gardner (@rhynorater) (01:35:31.177)
Justin Gardner (@rhynorater) (01:35:34.938)
really?
Justin Gardner (@rhynorater) (01:35:40.989)
Very interesting, I didn't know
Sina (SinSinology) (01:35:55.243)
ZDI will test it, ZDI will purchase the bug if there is a bug and will immediately report it to the vendor whether the vendor likes it or not. So the ZDI wants to get the bugs fixed whether the vendor wants to or not. Yeah, wants or not.
Justin Gardner (@rhynorater) (01:36:11.133)
So is there any meta strategy when it comes to this then? Because I imagine the people that are not actively involved in the competition, the person that doesn't have a rep in the Slack group or whatever, they are probably gonna be more malicious towards the hackers, where it's like, okay, we're looking at our logs, we're determining, okay, somebody's got a command injection over here, so we're gonna patch that now and pushing updates over the thing versus the people that are actually in the
Sina (SinSinology) (01:36:35.9)
Great question.
Justin Gardner (@rhynorater) (01:36:39.197)
or whatever, or whatever you got, however you guys do it, and interacting with the people that are actively researching their products. So is there any strategy there? Do you wanna go for the... There's no communication. Wow. Geez, this is so whack.
Sina (SinSinology) (01:36:48.571)
There is no communication. There is no communication with the, the only communication that you have is with ZDI either. This is how it works. The researcher will, you see the targets, you choose what you want to work on, you go work on it. If you have questions, you say this to ZDI. If you have any questions, is this service out of the scope? I have this question or assumption. Is this considered zero click? Is this considered zero interaction, whatever. ZDI will,
as fast as possible, as fast as possible, they'll get back to you immediately answering your question. And then whatever, right? You do that and then you just find your bug, write your exploit chain, you show up at the competition, you execute it and done. If it's done, you immediately, you and ZDI employees will immediately like, two seconds later, you're sitting in a room talking to the vendor directly, like.
like a webcam or whatever, right? You're talking to the vendor directly and you're disclosing the bug to them with ZDI, right? And you're getting the bug patched, right? So all the communications that you have is with ZDI, if there is anything to be made sure of, ZDI will contact the vendor kind of on behalf of you, kind of. And yeah, that's
Justin Gardner (@rhynorater) (01:37:49.353)
Wow, that's crazy.
Justin Gardner (@rhynorater) (01:38:03.869)
Wow, that's a very different world, man. Just to give you some introspection into the live hacking event, because we do want to kind of discuss the Pwn2Own versus HackerOne live hacking event sort of flow here. You know, when we get the invite for the live hacking event, there's a scope call that happens, and that scope call is actually the person, the target, saying like, hey, this is what we want you to attack, this is what our bounties are, here's what our bonuses are, whatever, right? And we're here to help whenever you have any questions, right? So then they spin up this Slack
Sina (SinSinology) (01:38:26.074)
Yeah.
Yeah. Yeah.
Justin Gardner (@rhynorater) (01:38:33.489)
And they've got employees in there, they've got like channels where it's like, hey, you know, if you got any questions about the architecture, if you have questions about like, you know, are you seeing this SSRF hitting your internal servers or whatever, like that sort of thing. They've got all that set up and available for you to help the researcher as much as possible, find the vulns within their system. And sometimes, you know, some of these programs are more responsive than not, you know, and vice versa. But at the end of the day,
Sina (SinSinology) (01:38:54.897)
Makes
Justin Gardner (@rhynorater) (01:39:01.981)
Typically, the program is on your side and they are like trying to help you along the way as much as possible. And they wanna pay out as many bounties as they can because that means that their attack surface is getting more secured and they want to, you know, they wanna get budget to do these events again so that they can, you know, get more bounties and get more bugs submitted and get their attack surface more secure. And that's very different, it seems, from the Pwn2Own environment. And I imagine a lot of that is because of the fact that Pwn2Own...
competitions are not optional for the vendor. It's like, we're gonna hack your shit and you have to allocate a resource to it. Yeah, that's crazy.
Sina (SinSinology) (01:39:34.139)
Not optional.
Yeah. If you're lucky or not. Yeah. Yeah, exactly. So you said something good, right? You said that the vendor wants to spend the budget to make stuff secure and everything. So that thing, that kind of like the goodwill, right, is in Pwn2Own as well. But the vendor is not spending money. It's ZDI's budget that's being spent on making these products
safer. It's not like they're charging the vendor or they're getting money from the vendor or the vendor is providing budget to them. No, they can do a sponsorship. Like Google is nice enough to show up and sponsor. Sometimes, I don't know, Samsung, I think, I don't think Samsung is like Synology. I'm sure they did. Synology is another company. That's like a network equipment, routers and stuff. Like Synology has sponsored, Google and I think Tesla as well. They can sponsor.
Justin Gardner (@rhynorater) (01:40:27.109)
Mm. Yep.
Sina (SinSinology) (01:40:36.838)
But I don't know if it's like a Lexmark printer or a TP-Link router. TP-Link is not paying any money or like, or someone else as far as I know. They're not paying any money and then ZDI is spending the budget. And one might ask then why is ZDI doing such a thing? Like, is it just doing it for, that's it, the goodwill? So ZDI is an organization, a part of Trend Micro, right? So it's called Trend Micro Zero Day Initiative.
Justin Gardner (@rhynorater) (01:40:43.262)
Mm-mm.
Justin Gardner (@rhynorater) (01:40:55.91)
Exactly. What's their incentive?
Sina (SinSinology) (01:41:06.915)
and then Brian Gorenc, who is the director of the Zero Day Initiative, which basically manages Zero Day Initiative, what he does is, they make a product that Trend Micro does, that Zero Day Initiative work with Trend Micro, they can make a product, I think I forgot the product name.
but I can find it, they make a product, I think it's called TippingPoint, if I'm not wrong. TippingPoint is an intrusion detection system that Trend Micro makes that has actual zero-day protection. I'm not talking about jokes, I'm not talking about just saying that you have zero-day protection or whatever. So they have immediately, when they purchase the bug from Pwn2Own, immediately, minutes later, the signatures are already pushed to the device.
and ready to defend against that attack. And that's their goal as far as I know. That's the golden product kind of that's called TippingPoint that is being sold to like high value organizations and important customers. And it's very crucial. Then that's the way that this whole thing goes. And Zero Day Initiative is also interested in the techniques that the researchers use. Because the ROP chain that I make
Justin Gardner (@rhynorater) (01:42:16.414)
Very cool.
Sina (SinSinology) (01:42:31.353)
is different than the ROP chain the other guy makes. And maybe in my ROP chain, I use a technique which is not that well known and that's interesting to Zero Day, Zero Day Initiative researchers to kind of learn that knowledge and apply it to different kinds of targets and stuff. So you're selling your exploit and your research knowledge both at the same time and your exploit is being, gone.
Justin Gardner (@rhynorater) (01:42:42.439)
Mmm.
Justin Gardner (@rhynorater) (01:42:51.163)
And you said, you mentioned before that when you, I think this was off air, but that when you submit a bug, you have to submit a white paper along with that bug describing the vulnerability, right? So the techniques that you use need to be documented. Is
Sina (SinSinology) (01:43:02.178)
Exactly. Yeah. If you're participating remotely.
Yes, so at the end you need to provide a white paper and your exploit fully and you need to explain your exploit and your white paper, sorry for the bad English, but you need to explain both of them to the Zero Day Initiative researchers and sometimes the vendor as well, but it all gets done in exactly the same day when you do the exploit. There is nothing going back and forth. With Zero Day Initiative researchers,
Justin Gardner (@rhynorater) (01:43:15.644)
Wow.
Justin Gardner (@rhynorater) (01:43:19.89)
No, you're fine.
Sina (SinSinology) (01:43:36.132)
They're beasts. Even if you don't explain anything, they understand it. I can't emphasize how talented they are. I think one of the most talented researchers that exists, vulnerability researchers, I'm not saying they're the only one, but they are truly one of the ones that are truly talented and they work there and then they can understand your exploit like a cake. It's easy to them. So, you need to, at the end,
Justin Gardner (@rhynorater) (01:43:56.477)
Wow, that's really cool.
Justin Gardner (@rhynorater) (01:44:01.201)
Yeah, that's amazing.
Sina (SinSinology) (01:44:04.89)
provide a white paper with your whole walkthrough of what you did, why you did it, how does it work, everything. Yeah.
Justin Gardner (@rhynorater) (01:44:12.357)
Okay, gotcha. Wow, that's great. So yeah, there are some differences between these two competitions here and that's what I kind of want to go through now, you know, and continue going through that. So there's no interaction sort of before the actual event with the actual team besides getting the scope and that comes from ZDI. And then, so how much time do you normally have before the event occurs? So they release, okay, here are the targets, here's the scope or whatever. How much
before you're on site demoing your exploit and what does that pre-event
Sina (SinSinology) (01:44:46.331)
So two to three months is usually what you have, if I'm not miscalculating stuff, which I'm really bad with dates and stuff, timeframes. But I think it's like almost kind of like around something near two months to three months. That's your kind of timeframe before the competition deadline reaches and then you're at your stage and you're launching your exploit or whatever.
If you're participating remotely and if you find a bug and you want to apply to attend the competition, you participate remotely, you will send your white paper and your exploit to the vendor, sorry, not the vendor, to ZDI Initiative, to ZDI, yeah, and then they take it and then they make sure you're legit because you're coming remotely. You can be like an imposter or whatever. Because they're allocating time.
Justin Gardner (@rhynorater) (01:45:28.713)
to ZDI,
Sina (SinSinology) (01:45:40.241)
But if you come in person, you can just provide just enough details and then you show up and you launch your exploit.
Justin Gardner (@rhynorater) (01:45:51.239)
How far in advance do you have to register for that? is that, like, you can do that up to like two weeks before the competition or when do you register?
Sina (SinSinology) (01:45:59.235)
It's usually up to one week before the competition. I think one week.
Justin Gardner (@rhynorater) (01:46:02.269)
wow. Okay. And do they sponsor travel for people that have, you know, that are coming in person or is it self sponsored?
Sina (SinSinology) (01:46:06.865)
Sometimes, sometimes, this is sometimes, they try to, sometimes they pay for the travel and the way that they do it is they say that if you're a previous Pwn2Own winner, winner doesn't mean number one. So Pwn2Own calls a win when you have a successful exploit, if you can pull off a successful exploit on this stage.
and there is no dupe with anyone, they call it a full win. That's a full win. If you can be the number one at the competition, then you're the Master of Pwn. So those are different things. If you manage to have a successful attempt with no dupe with anyone, previously at Pwn2Own, like the competition before the one that is going to be happening, they say, okay, as a token of appreciation for you putting the time in, again,
Justin Gardner (@rhynorater) (01:46:40.411)
Hey, that's awesome.
Sina (SinSinology) (01:47:02.99)
give you this amount of money to support you to come to the competition
Justin Gardner (@rhynorater) (01:47:08.381)
Wow, very cool. So this is a similar system a bit to HackerOne, which is there are two types of invites. There's first tier invites, I guess, and then there's second tier invites. These second tier invites are normally the result of a first tier invitee plus-one-ing you. So anyone who gets a first tier invite gets their travel sponsored, their hotel and their flight and that sort of thing.
Sina (SinSinology) (01:47:25.99)
Yep. Yeah.
Justin Gardner (@rhynorater) (01:47:33.117)
And that doesn't necessarily mean they've performed well at a live hacking event before. It just means that they have performed well on the HackerOne platform or against this target and were selected for this competition. And then the tier one invites can say, all right, I'd like to also take Sina with me on this trip, right? And then they select you. If they select you from the plus one list, then you get an invite as well, but you have to sponsor your own travel. And so there's that sort of setup, which I think is really cool. The difference between
Sina (SinSinology) (01:47:33.948)
Yeah.
Sina (SinSinology) (01:47:40.88)
Yeah.
Sina (SinSinology) (01:47:54.352)
Wow, that's cool.
Sina (SinSinology) (01:48:01.892)
Man, see, listen, Pwn2Own, it's like Mortal Kombat, right? It's like, it's, you go there, you got to fight for the last breath, right? You don't have, you don't have, it is professional, it is professional as much as possible as I could think of. But, let me just say, it's harder. It's harder to pull off.
Justin Gardner (@rhynorater) (01:48:08.081)
You
Justin Gardner (@rhynorater) (01:48:28.573)
Yeah. Yeah.
Sina (SinSinology) (01:48:29.795)
I think maybe that's the right word in my vocabulary to put it together. It's harder, right? You don't have that grace period on this specific version or whatever. It's harder because they're trying to say that what we do is targeting real world at real time the second that their exploit is being run. The guy shows up at the competition.
Justin Gardner (@rhynorater) (01:48:42.76)
Right, right.
Sina (SinSinology) (01:48:56.462)
exploits Safari, Chrome, Firefox, Edge, the same day, the latest version, and you can't disable over the air update on a browser, It's getting the update, right? At exactly the same second, it just exploits all of them. That's like elite as it gets, as far as I know. And yeah, exactly.
Justin Gardner (@rhynorater) (01:49:02.072)
Insane.
Justin Gardner (@rhynorater) (01:49:17.065)
Yeah, it's insane and it makes sense too why you need more time because for these HackerOne competitions, we are attacking production environments as well and they can submit patches and stuff like that and sometimes that does happen. But these are hardened bug bounty apps that have been running a program for a long time. But the timeframe is also much shorter. For us, it's only like 10 to 14 days between when you get the target to when you are standing there working in the environment.
So I think one thing that's a little bit tricky about this is in the HackerOne live hacking events, you don't have as much time to craft these sort of masterpieces of exploits. And there are still people that do it. For example, Shubs, almost every event that he goes to, Shubs from the Assetnote team, almost every single time he has like Pwn2Own-esque, he is, he almost has Pwn2Own-level chain RCE.
Sina (SinSinology) (01:50:07.064)
He's a crazy guy.
Justin Gardner (@rhynorater) (01:50:14.345)
at every single event that we go to. I mean, it's just mind boggling. And he does that in 10 to 14 days from scratch. It's nuts.
Sina (SinSinology) (01:50:21.134)
He is one of a kind. He is one of a kind and what he does is truly remarkable
Justin Gardner (@rhynorater) (01:50:31.665)
I totally agree. There's definitely this aspect of if you're looking for an environment of more collaboration and stuff like that with the team, but also I think with your fellow competitors, HackerOne has a lot of places for that and accommodations for that. What does it look like to collaborate with a team in a Pwn2Own
Sina (SinSinology) (01:50:56.21)
With Pwn2Own, usually you need to understand that the money that you're going after has a lot of conditions that you need to be careful about. If a target has been put up on ZDI on the reward list, if you read the rules carefully, it says like 50,000 for this target, but it's 50,000 for the first win.
Justin Gardner (@rhynorater) (01:51:09.427)
Hmm. Yeah, could you explain those?
Sina (SinSinology) (01:51:25.168)
What does that mean exactly? Imagine person A and person B and person C go to the competition and they want to hack this target. First they do a random draw, They randomly put the names of people in like a hat or some sort of a wheel. They spin it and then they take out the names. And then let's say the order goes to A, B, and C, three guys, right? Three people, whoever.
Justin Gardner (@rhynorater) (01:51:50.8)
Mm-hmm. Sure.
Sina (SinSinology) (01:51:52.722)
And then they go on and then person A manages to exploit the device successfully since he's the first guy or she's the first guy. They get full money for that device. They get the 50,000. Then person B goes, person B can have three outcomes, kind of. Three or four outcomes, I'll go over it. First, they can have a unique bug or completely unique bug chain.
If they do it and they finish the exploit, so a full win is called, they get 25,000. They don't get the 50,000, they get 25. Only the first person gets the call. Even if it's a totally unique bug, yeah. Yeah, they get 25. They only get 25. Only the first person, so you need the factor of luck, that's what. But I'll go over more detail now.
Justin Gardner (@rhynorater) (01:52:32.265)
Wait, wait, so even if it's a totally unique bug, just against that same target, they still only get the 25, not the 50?
no.
Justin Gardner (@rhynorater) (01:52:46.725)
man, yeah.
Sina (SinSinology) (01:52:51.251)
So, but the person, now let's say the person B goes and the full win, 25,000. The person C goes, it's if it's a full, if it's completely new bugs, like, so if they manage to find bugs that the person A didn't find, person B didn't find, and the person C is so special, it's 25,000 again. But if it is a duplicate with those two other guys, it doesn't matter which one of them, they get half of the half.
So they get half of the 25,000. So 12.5, if I'm not wrong. Yeah, they get 12.5. That's the money they get. But there are some wiggle rooms and some additional ideas to put out there. So each time for a target, you have two things. You have monetary reward and Master of Pwn points. So a target is 50,000. It also has five Master of Pwn points.
Justin Gardner (@rhynorater) (01:53:23.785)
Okay, right, exactly.
Justin Gardner (@rhynorater) (01:53:29.853)
Wow, dude, that's very
Sina (SinSinology) (01:53:50.291)
Master of Pwn points. So I just call them points now because there is a lot of P's and I'll mess up the sentence here. So let's say it has five points and 50,000, whatever. If person A goes, they get the five points. Person B goes, it's a unique bug, but they're the second person. So they get 25,000, but they do get the five points. So,
Justin Gardner (@rhynorater) (01:53:56.829)
Sure, that's fine. That's fine.
Sina (SinSinology) (01:54:15.94)
if they work so hard to manage to find a lot of bugs, but they weren't so lucky to go first, they still might be able to be the Master of Pwn at the end of the day, because at the end of the day they count the points, whomever has the highest points, they get to be Master of Pwn, get recognition, some sort of a trophy, and some additional money, good money, really good money. And, so there's some wiggle room here as well, right?
Justin Gardner (@rhynorater) (01:54:34.27)
Very cool.
Sina (SinSinology) (01:54:44.264)
So imagine you're person C, right? You're nervous, you go on, you're like, okay, shit, first person A and B went, and then this has gotta be a dupe, right? But for some reason, it says, I don't know, is this right? There's many ways to salvation or whatever, I don't know. There are many ways to do something, right? So maybe for a bug, maybe for a bug that you managed to exploit, you only needed
Justin Gardner (@rhynorater) (01:55:04.187)
Yeah, yeah, yeah, okay. Right,
Sina (SinSinology) (01:55:13.277)
to chain two bugs, maybe if I do it, I need to manage four things. Why? It depends. But I will go through an example with you to make it more established, right? But imagine you went on, your RCE exploit consists of two bugs, an information disclosure and maybe an arbitrary file upload, whatever, right? Maybe you needed to disclose the file system path in order to be able to write to a specific directory.
Justin Gardner (@rhynorater) (01:55:35.603)
Sure, sure.
Sina (SinSinology) (01:55:40.691)
So you need it. And the file path is random. So you need to disclose it, whatever. So you need to chain these two things together. So your final exploit consists of two bugs. But imagine person 3 goes. And these two bugs were for person 3, person C, let's call it. But person A managed to use only one bug to get the RCE. They didn't need the information disclosure. When person C goes,
Justin Gardner (@rhynorater) (01:56:04.502)
Sure, simpler exploit.
Sina (SinSinology) (01:56:09.841)
since they have two bugs and it's an additional bug that the person A didn't have, that adds to your money. That is a partial dupe. Exactly. It's a partial dupe. So it adds to your money. It's based on some sort of a percentage, but it's not half of the half anymore. It's like some sort of a one third or like, I don't know, two, I don't know, two
Justin Gardner (@rhynorater) (01:56:16.393)
It's like a partial
Justin Gardner (@rhynorater) (01:56:20.659)
Huh.
Justin Gardner (@rhynorater) (01:56:29.297)
Okay, interesting, interesting. So more complex chains or chains that have more components to them get rewarded further.
Sina (SinSinology) (01:56:33.734)
Exactly.
The more complex that you can make it, the better it is. So that's kind of the way to look at it. Yeah. So many rules. So many rules. So many rules.
Justin Gardner (@rhynorater) (01:56:40.327)
Wow, okay, man, there's so much, that's insanely different from the live hacking events because in the HackerOne live hacking events, you only get a dupe if it's literally the exact same bug, you know? I mean, or if it's on the same endpoint or whatever, right? So if I get an RCE via, you know, pseudo-random number generator plus a file upload, right? Something like that, and you get an RCE via SQL injection to file, right, to, you know, that sort of thing in a different endpoint.
Sina (SinSinology) (01:56:53.138)
Yeah.
Sina (SinSinology) (01:57:07.666)
Yeah, exactly.
Justin Gardner (@rhynorater) (01:57:09.501)
both of those get the full bounty. However, if multiple people submit the same thing, then the same prize for that critical bug or whatever starts getting split in half, in thirds, in fourths, right? So that's very different, and actually the way that ZDI does it is very, for a second I thought it was better for the researcher because it gets halved and then halved, but it's actually,
Sina (SinSinology) (01:57:20.232)
Mm-hmm. Yeah, yep, yep.
Yep.
Justin Gardner (@rhynorater) (01:57:38.729)
that target in general, right? So once the first person claims the first 50K prize or whatever for that target, the most that the researcher B and researcher C are competing for is 25 grand. Is that accurate? Oh my gosh. No, man. So it's so much luck. That draw is worth 25 grand to you. Oh no.
Sina (SinSinology) (01:57:50.618)
Exactly. You got it right. You got it right. Exactly. Yeah. So much, so much luck, man. So many factors. I told you it's like, it's like Mortal Kombat. I told you it's, Yeah. It is. And a lot of things you need to, like the vendor doesn't push a patch. You're lucky. Your exploit doesn't fail. You can finish it and you have three attempts and each attempt is five minutes.
Justin Gardner (@rhynorater) (01:58:01.447)
This is hard as heck, dude!
Justin Gardner (@rhynorater) (01:58:13.49)
my gosh.
Sina (SinSinology) (01:58:18.292)
So you need to be careful with your everything. You need to, I've kind of written down like steps that you need to go through for a target. I can read it for you, right? Just like quickly. So basically with a target, before I read this, a lot of this is based on another talk that Alex Plaskett, Alex Plaskett is a phenomenal security researcher who works at NCC Group. Alex Plaskett, if I'm not pronouncing him.
Justin Gardner (@rhynorater) (01:58:26.461)
Yeah. Yeah.
Justin Gardner (@rhynorater) (01:58:41.481)
Okay, let me write that down. Alex, what?
Okay. That's fine.
Sina (SinSinology) (01:58:47.072)
pronouncing his name right, wrong. He's a phenomenal security researcher. He's crazy how good he is. He's been exploiting everything that you can think of from the back in the ancient time until now and way more, I'm sure in the future. He's a good friend of mine. And then he has given another kind of like an interview talk about Pwn2Own with
in another YouTube channel or something that I forgot the name for, I apologize for it. This is my bad. Maybe I'll give it a link, you put it down there or put it in a link or something so people can go. It's a great YouTube channel, a great interviewer and great interviewee, I think, I don't know. Great people in general, right? So Alex has kind of put together a list methodology of how things go together.
Justin Gardner (@rhynorater) (01:59:22.567)
Yeah. Yeah, yeah,
Justin Gardner (@rhynorater) (01:59:30.813)
Mm-hmm. Yeah, that's
Sina (SinSinology) (01:59:42.371)
when looking at these targets and I'm trying to replicate the same thing that he said. So basically, because I exactly do his method and then once he, so I, sorry, just a second. Let me get some water.
Justin Gardner (@rhynorater) (01:59:42.717)
Yeah, hit me, hit me.
Justin Gardner (@rhynorater) (01:59:54.683)
No, you're good. I should have actually told you before the podcast to get some water or something like that because you see during this whole thing, I've been like drinking my coffee or whatever. Do you have water nearby or you got to go grab
Sina (SinSinology) (02:00:06.523)
Yeah, let me go grab it, it takes a second.
Justin Gardner (@rhynorater) (02:00:08.477)
Go grab it, go grab it. Yeah, go for
Sina (SinSinology) (02:00:33.628)
Not gonna lie mate, it was empty so I filled it out. Okay, so let's just see.
Justin Gardner (@rhynorater) (02:00:37.117)
That's great.
Alright, alright, alright, so we're gonna let this man get some water really quick. Okay, so tell us about this, the steps for
Sina (SinSinology) (02:00:47.706)
Yeah, so there's steps for Pwn2Own inspired by Alex Plaskett. What it says is basically, first you do background research, right? You have this target that they announced for Pwn2Own, I don't know, it's a router, a smart speaker, whatever. You do background research. You're searching for the product to see if there were any previous vulnerabilities, previous write-ups, previous ways to get an initial shell. All of that could be important and valuable to you.
previous reverse engineering and mitigation bypasses and stuff, you learn all of that, right? So it's better to build up on other researchers that are out there instead of starting from scratch. Sometimes you need to, because only some of the targets from Pwn2Own may get repeated, not all of them, right? So it's always best to do some background research, go through the previous vulnerabilities and all of that, and then after that, I'm just reading through it.
Justin Gardner (@rhynorater) (02:01:31.921)
Right, right, right, right.
Sina (SinSinology) (02:01:42.439)
then you need to get the device, get a shell on it, basically some sort of a way to debug it and all that, to research it, to put it in like a lab environment. And then you start, after you got a shell or whatever, you start mapping the attack surfaces, what's available, what can be exploited, what's important, what's excluded, all that. After that, you start doing reverse engineering, static analysis, code review, whatever it is, fuzzing, basically looking for bugs. And sometimes you need to, as you go,
for different kinds of targets, sometimes you need to make your own tools for that target. Maybe there is some sort of a tedious task, maybe there is some sort of a condition with this target that you need to make a tool for. So you need to be fast, agile about it, like writing plugins for, I don't know, like your favorite disassembler that is Ghidra, IDA, whatever, write something about it for it. And then you have the, after you, I don't know, found the bug through fuzzing, code review,
Justin Gardner (@rhynorater) (02:02:27.503)
Mm-hmm.
Sina (SinSinology) (02:02:42.078)
dynamic, static, whatever you did kind of magic, then you get to exploit development where you make your POC. And then one thing that is really important is making your exploit as efficient as possible, as reliable as possible, and as portable as possible. Because the day of the competition, the POC gods will fuck with you the way that you can think of.
Justin Gardner (@rhynorater) (02:03:07.383)
Hahaha
Sina (SinSinology) (02:03:10.511)
your cable goes missing or your cable that you were using for five years without any problem starts not working or this device doesn't work or the battery keeps dying or the system starts giving you a blue screen or a kernel panic or whatever. I don't know. Like a USB-C hub doesn't work or the libraries that are important in your exploit don't work. Then, okay, you need to, okay, this happens.
Now you need to move your exploit to a different machine. Maybe ZDI gives you a new laptop saying, okay, launch it from this laptop. So you need to have your exploit ready. Even your laptop got, I don't know, burned or crashed or exploded, you have the exploit somewhere else that you can get it. Somewhere secure, hopefully. And then you can put it quickly on another machine with no setup previously and the exploit can be launched quickly without problem.
Justin Gardner (@rhynorater) (02:03:52.723)
Sure.
Sina (SinSinology) (02:04:06.801)
and you need to be able to write your exploit as beautiful as possible because this happened to me, right?
So one time that I was doing the competition, at a certain point, I've got my exploit ready. It was like a full chain. It was a memory corruption vulnerability, and it was relying on a ROP chain that was like pulling off a ROP chain. And when I caught my flight and then landed in Toronto in Canada, and I went to the competition and I say it was my turn to exploit the device.
one of the devices, when it got to my turn, I realized that the vendor had just pushed the patch. It wasn't even a security patch, it was just like a feature patch. And I think they did that purposely because they knew there might be memory corruptions. It's not really far-fetched for a vendor to think that. And then they pushed a feature patch that was just adding some sort of a string or something that
Justin Gardner (@rhynorater) (00:58.831)
no.
Sina (SinSinology) (01:15.486)
just like caused the main executable on that device to have like different offsets. And then that kind of like, that kind of led into my ROP chain not working properly. But since I knew from hearing out past experiences from other people at the competition that it's best to make an exploit like refined and like make a clean exploit that would be portable and would be easily modifiable on stage.
at that moment when it's your turn, you've already had a failed attempt and you have a couple of minutes to complete it and you've put months of work to get something out of it. It's like an investment and then you don't want things to go wrong. So you need to keep it together and then do the changes, which I would, and especially like shout out to ZDI.
Justin Gardner (@rhynorater) (01:51.433)
If
Sina (SinSinology) (02:10.376)
when you're at this stage, when you're on stage and you're doing your exploitation, they're super calm and trying to help and try to, even they ask you, what do you need? What's wrong? Can we do anything? Tell us the problem. Maybe we can do something. Maybe we can change something. They always try to come up with a way to help you. They love to buy the bugs. They love to pay.
Justin Gardner (@rhynorater) (02:31.539)
Mm, mm. That's awesome.
Sina (SinSinology) (02:39.914)
pay the researchers because they know it's so much work. And that's what's really good about them. And then long story short, since the exploit was well written, this I can kind of say, I managed to change what I needed to change without breaking a lot of parts in the exploit, which was exploiting a race condition and a memory corruption at the same time, and then got it working. And then it landed on the second attempt, I think, and I was super happy.
Justin Gardner (@rhynorater) (03:01.554)
Wow.
Sina (SinSinology) (03:09.551)
And then I got it through. And then that was like a lesson to me. Exactly.
Justin Gardner (@rhynorater) (03:11.039)
Dude, the relief, the relief in that moment must be crazy. yeah, well, props to you for building out a cool exploit. And I do have a similar story to this where, you know, we only have two weeks before the live hack game ends to actually do any of this stuff. So this one time I was really working hard on a hardware device and I was going down this rabbit hole and I knew that it was possible to get a very impactful, I'll just say, you know, we were able to take over this whole
device and look through the camera and look through the microphone, right? and listen to the microphone remotely. And, and I was like, I was like, I know that this is possible, but we didn't have enough time. And I popped it less than an hour before the end of the pop, the competition, you know, in that two week period up to that last hour. And man, the whole team was sitting behind me and I like showed it and they're like, yeah, you got it. And I was like, yes, you know, like it's
Sina (SinSinology) (03:46.577)
Nice, that's crazy.
Sina (SinSinology) (03:56.331)
my god.
That's
Sina (SinSinology) (04:04.519)
Wow. Yes.
Justin Gardner (@rhynorater) (04:08.979)
the best feeling ever. So I think there's a lot of stress that comes along with that, you know, but there's also a lot of payoff, right?
Sina (SinSinology) (04:10.449)
It's the best feeling, yeah. Exactly. It has a really good payoff, right? As I said earlier, right at the beginning, I didn't know at some point that even there's gonna be jobs for it or there is a job for it. It's just the feeling, the excitement, right? Of course I'm working for money, right? Just like nowadays. But when I started, it was just like...
Justin Gardner (@rhynorater) (04:16.499)
Yeah, yeah, absolutely.
Sina (SinSinology) (04:39.571)
The only purpose was the feeling and the feeling only. And then the excitement, like I can't find it in anything else personally. Personally, I didn't find it in anything else so far.
Justin Gardner (@rhynorater) (04:52.553)
Yeah, now that's amazing, man. Okay, so you said, you know, in this list from Alex, you know, you've got create a very high integrity, easily portable, you know, you've got all the libraries and stuff you need packaged together, you've got all of your offsets and variables rather than just like, you know, added into strings or whatever, right? So for easy modification, you got your exploit ready to go. What's the next step in the process?
Sina (SinSinology) (05:12.461)
Yeah. Yeah. Yeah. as I said, I went through a lot of steps, but after you know, like your exploits like proper and then it's easily portable, you just, one other thing that these might sound the same thing, even though they kind of like collide, but testing your exploit again and again and again.
Not going to lie, if the device is not expensive, I'll sometimes buy another device, just a fresh one. I just plug it in and run the exploit. Just plug it in. Don't do anything else because it might surprise you, but sometimes like, sometimes like weird things happen. Like the first time that you visit the device, there is an Ajax call on the HTTP request that sets the time zone of the device.
Justin Gardner (@rhynorater) (05:41.335)
Mmm.
Sina (SinSinology) (06:10.885)
without you knowing it. And at this point on stage, the ZDI device is fresh out of the box and maybe they didn't visit the first page and then your exploit is failing. And you're like, why is it failing? And maybe it's because, well, just because nobody has ever visited this certain page, which normally is visited or something. Yeah, it's like very weird stuff. Yeah,
Justin Gardner (@rhynorater) (06:30.025)
That's a very specific example. That's, that's crazy, man. That's great. Go ahead.
Sina (SinSinology) (06:39.241)
Crazy stuff, yeah. Yeah, one thing I found from before, I kind of did an example about when you have bugs which is like a chain of multiple stuff and then the more complex the bug is, the better because then when you dupe, you don't fully dupe, you do like a partial dupe. One other thing is, another example will be, imagine you're exploiting a memory corruption and then when you're exploiting it,
this actually happened in one of the recent competitions that I went to. For some reason, when I was doing the memory corruption, I managed to pull it off, the memory corruption, without the need to find the information disclosure and leak any addresses to defeat ASLR, because I was like, in my ROP chain, I was relying on some addresses which weren't getting randomized. But one of the teams was clever enough to think, okay,
let's instead make our exploit harder and we find an info leak and add it to our chain, even though they didn't need to, but they just made their exploit more difficult because they thought, okay, if they did like a random draw and then we didn't go first and then we went second or third, at least our exploit is more complex so we don't do like a full dupe, a partial dupe at least, which is smart and ZDI actually like encourages you to do so. Yeah. Yeah.
Justin Gardner (@rhynorater) (08:02.793)
That's a smart technique.
Wow, very cool. Yeah, thanks for sharing that. I think those sort of things are exactly what we want to know about going into these competitions, right? Having that sort of meta-gaming aspect. How do you play the environment properly so that you can maximize your return? So that's really helpful stuff. Okay, man, I think I've got a picture, right? I think I've got a picture of what it looks like to do Pwn2Own a little bit more. The only other thing that I wanted to talk about was the
Sina (SinSinology) (08:07.676)
That's pretty much it.
Justin Gardner (@rhynorater) (08:36.321)
the Master of Pwn title, right? So in a Pwn2Own environment, there's just one winner, you know, everybody who has a successful exploit is considered a winner of Pwn2Own or whatever, and then there's one person that comes out as the Master of Pwn. Is there any awards for like second or third or fourth place, or is it just that one Master of Pwn
Sina (SinSinology) (08:57.852)
Yeah, so people go to Pwn2Own, they are, I think the sentence is maybe I'm doing the grammar right or wrong, they are a winner at Pwn2Own, not winner of the Pwn2Own, right? So they're not winning the whole thing. They're just one of the many winners at Pwn2Own. And then sometimes there are these like crazy geniuses who manage to win Pwn2Own and then the whole thing, and then they will be nominated as Master of Pwn.
Justin Gardner (@rhynorater) (09:09.969)
Mm-hmm. Okay, gotcha, gotcha.
Sina (SinSinology) (09:27.84)
who can be only one. There is no second place, no third place, just one place. And then they get a statue of reward, like a trophy, which is always different. Either it's like a, I don't know, a signed basketball in like a cool cage or like a statue of a beetle, of a bug or something, or something which is just like a token of appreciation and also a certain amount of money. And also, I think...
Justin Gardner (@rhynorater) (09:48.839)
Wow, that's cool.
Sina (SinSinology) (09:55.652)
Let me just make sure that I'm saying this right. So with ZDI, you have something called a status. A lot of people know, but ZDI purchases bugs, and when they purchase these bugs, you get some points. I think it's similar to Signal or whatever in HackerOne. I think so.
Justin Gardner (@rhynorater) (10:23.347)
Sure, yeah, reputation, yeah.
Sina (SinSinology) (10:23.592)
But on ZDI, they call it like, yeah, exactly. So you got like points, you got the status. You gather points and then you reach a status with these points. For example, 15,000 points will get you a bronze status and then 25,000 points is silver and then it's gold and it's platinum, which is the maximum status that you can have. And when you win Pwn2Own, as Master of Pwn, when you win the whole thing,
you instantly get a platinum status on your account. And these statuses, what they do is basically, yeah, exactly. What they do is they, whenever you submit a bug to ZDI, and then the researchers will review it, reproduce it, make sure it's legit and all of that, and then it's cool. When they want to purchase it, based on your status, they do a multiplication on the amount of money they're going to give you.
Justin Gardner (@rhynorater) (10:56.553)
Wow, that's cool.
Sina (SinSinology) (11:19.752)
that so if you're like platinum, maybe you get double the money. If you were supposed to get five grand for an RCE on a product, you get like 10 grand, right? Based on the status that you have on the ZDI platform. Yeah, that's pretty much it. And also, when I said the more complex the bugs are in the chain, you get like partial duping, that's like a technique to use. It's because, don't forget, ZDI is buying the bug.
Justin Gardner (@rhynorater) (11:32.563)
Mm, mm, wow.
Sina (SinSinology) (11:48.39)
and also is buying your technique. So if you made your exploit more complex by adding more bugs to the chain, it's good for them as well because you're giving them more techniques to learn about. So you're like selling more techniques. Yeah.
Justin Gardner (@rhynorater) (12:00.125)
Hmm, very cool. That's very cool that they've found this a profitable business model with their product. Essentially, the result of this funds enough sales to make it worth it for them to pay out all these researchers. I think that's really cool. In the HackerOne environment, this works a little bit differently. Go ahead.
Sina (SinSinology) (12:19.559)
Do you know how it started?
Sina (SinSinology) (12:24.142)
Go ahead, sorry, bad habit jumping in people's talking. I just wanted to ask
Justin Gardner (@rhynorater) (12:29.021)
No, no, no, I want to hear that. I want to hear that. Tell me that.
Sina (SinSinology) (12:32.185)
Okay, do you know how Pwn2Own started?
Justin Gardner (@rhynorater) (12:35.752)
No, no I
Sina (SinSinology) (12:36.943)
Okay, by the way, do you have my sound and video good or is it like delay or something? I can change something maybe.
Justin Gardner (@rhynorater) (12:42.599)
Yeah, it's it's delaying a little bit, but it's okay. Tell me about
Sina (SinSinology) (12:45.032)
A little bit, okay, okay. Okay, okay, okay, no worries. I can change it, by the way. If you want to, I can change it. But I can continue. So with Pwn2Own and the way it started, as far as I know, at CanSecWest, which is a security conference in Vancouver, Canada, back in the day, I don't remember the exact date, maybe 2016 or 17 or maybe 15, I don't know. One of
times ZDI was a sale like purchasing bugs and ZDI was a thing. And then the CanSecWest organizer asked the crowd that back in the time people were like always saying like MacBook is the securest or whatever. And then they've asked if anyone from the audience can hack a MacBook remotely, remote code execution. And if they do, if they pwn it, they can own it. And then they asked, so ZDI was there as well, I think as a sponsor or something. And then they asked ZDI.
if ZDI is willing to purchase the bug and ZDI said, yes, we'll purchase it for 10,000 if anyone can do it. And then somebody actually did, they found a vulnerability in MacBook, it's crazy at the time, they found an RCE in MacBook QuickTime and then they exploited it remotely. And then Pwn2Own kind of started from there. Initially it was only browsers, they were only like doing like, I don't know, like Safari, Chrome, Internet Explorer at the time.
Justin Gardner (@rhynorater) (13:52.989)
No way.
Sina (SinSinology) (14:11.865)
And then after that, it kind of evolved into a lot of more devices, virtualizations, VMware, VirtualBox, enterprise solutions, SharePoint, Exchange, and then Microsoft Teams. And then it kind of evolved into mobile devices, which is like Samsung, Sony, Xiaomi, Apple, Google, and then enterprise solutions like IoT devices, smart home speakers, printers.
And then after that it was ICS products, which is like SCADA products, like critical solutions. And then after that it evolved into automotive, which is the newest type of thing, which is like infotainment systems, smart EV chargers, and all of that. And ZDI started from paying hundreds of thousands, like 200,000, 400,000 total at one competition to now paying over millions now.
Justin Gardner (@rhynorater) (15:06.27)
Mm, mm.
Sina (SinSinology) (15:07.034)
they pay like at a single competition, they pay over a million now, and then which is crazy. So the competition is way, way more now it's much more. And there's a sad truth to one other thing as well as back in the day, it was either solo researchers or a team of like two or three people, just like solo people. Now people are competing who are coming from companies, company-sponsored teams.
who have like, I don't know, 40, 50 employees at the company and they're paying the employee salary, so no limit on that, to work on these products. If a solo researcher is working on it, they're not getting paid until they find the bug, right? But imagine you work for a company who's paying your salary, so you know, like if you're going to look at it like eight to five, eight to five, you're gonna get your salary at the end of the month. So you have that calmness, you don't have any stress on
Justin Gardner (@rhynorater) (15:55.271)
Right, right.
Sina (SinSinology) (16:05.927)
and then those people will like 20 people come to the competition, right? And then you're not competing against a team of two or three, you're competing against a company of 20 people and they're doing it to get PR, which makes sense kind of, but I'm just saying it, putting it out there, even though it is a well-known thing, but for anyone who doesn't know, things get more difficult when you're competing against a company who has... So
Justin Gardner (@rhynorater) (16:06.791)
Right, right.
Justin Gardner (@rhynorater) (16:32.009)
Hmm, yeah.
Sina (SinSinology) (16:35.321)
If when I'm competing, I'm breaking the hardware, attacking the hardware, reversing, fuzzing, writing the exploit myself. When that company is doing it, they have five experts who only understand hardware. Since they were a little kid, they were designing PCBs and then just building hardware. So they give the device to them. So the initial stage was getting a shell on the device. They get a shell on the device in two hours because they're five seasoned
Justin Gardner (@rhynorater) (16:57.424)
Right,
Sina (SinSinology) (17:05.383)
hardware like experts, they get it in two hours and then they pass it on to the next department who are like experts in writing fuzzers. They write the fuzzers, they pass it on to the next department. Meantime, like they're working on different time zones, 24/7, the research has never stopped, never paused, and they go. And then people like me or someone else show up, a solo guy, a one-man army, two-man army, three-man army show up and they're competing against these teams, right, which is crazy.
Justin Gardner (@rhynorater) (17:08.137)
Right, right.
Justin Gardner (@rhynorater) (17:14.261)
Wow.
Justin Gardner (@rhynorater) (17:34.92)
That is crazy. That's very different.
Sina (SinSinology) (17:35.5)
And yeah, people should know, crazy is hard.
Justin Gardner (@rhynorater) (17:40.085)
Yeah, wow dude. Well, it seems like the competition has evolved a lot over the years and hopefully we'll see some accommodations for researchers that are going at it more single-handedly versus these big teams. But also, as the game changes, our approaches to the game have to change. And we've seen that in the HackerOne bug bounty world as well. Just trying to build collaboration units, essentially, and also building automation out to try to help with these sort of things.
But that also highlights one of the main differences between the ZDI competitions and the HackerOne world, which is, this is probably the biggest difference, is ZDI only pays for remote code execution. And at a HackerOne event, there's normally two, three, four, five remote code executions, but there's like 700 other vulns. So once again, when talking about the differences between these two worlds, the fact that we're able to pay the bills,
with our little CSRFs and our XSSs and our IDORs while working on these more complex exploits really, I think, makes it sustainable in the long term for us to be able to continue to do bug bounty. Whereas, like you said before, ZDI, the Pwn2Own competitions, it's like hard mode, right? You gotta go in there. Who knows if the wheel doesn't stop on your number, then there goes your car, you know?
Sina (SinSinology) (18:49.382)
Got a good point.
Sina (SinSinology) (19:04.357)
Exactly,
Justin Gardner (@rhynorater) (19:07.573)
And there's a lot more volatility to the process. And then also the exploits accepted are much more, have to be much more technical, have to be much more RCE oriented than maybe even business logic oriented or impact to the actual target ecosystem oriented. So very interesting to see those differences there.
Sina (SinSinology) (19:07.611)
I
Sina (SinSinology) (19:29.329)
Yeah, and there are some people that like, so at the last Pwn2Own that was held in Vancouver, when I say like these like, exactly this like RCEs only and then the difficulty of competing against this company is this guy whose name is Manfred Paul. I don't know if you know him, but he came in, one guy exploited all the browsers, Edge, Safari, Firefox, Chrome.
Justin Gardner (@rhynorater) (19:49.364)
Mm-hmm. Yeah.
Sina (SinSinology) (19:59.267)
all of them, all of them exploited by one guy. And he's this crazy dude and he won the competition. Like a lot of companies were there, I'm not naming names, but a lot of companies were there and then he managed to win it. And he's exceptionally talented. We're talking about someone who's like, I think is out of this world. I don't know, like how would someone can reach his, exactly, he is.
Justin Gardner (@rhynorater) (20:02.751)
Holy moly.
Justin Gardner (@rhynorater) (20:23.253)
Yeah, 1% of the 1% here, yeah.
Sina (SinSinology) (20:29.031)
I can't even analyze him to put him into words. He's crazy. Yeah, with Pwn2Own, it's hard mode, it's RCE, a lot of factors like luck and a lot of other stuff, but it's an elite competition. And I know people who are only doing it to prove to themselves and challenge themselves to do it, mainly compared to the money part. But it is how it goes.
Justin Gardner (@rhynorater) (20:51.935)
Yeah.
Yeah, I think that's, if I were to do it, if I were to do it, and I think I will someday, I think that would be the reason. It's not because these incentives are good, but more so, like, I would rather, I would like to compete in it, I would like to be, you know, just going back to the HackerOne world, you know, the Master of Pwn for HackerOne is the MVH, the most valuable hacker, and when you win, you get these belts, I'll point them back here, these belts.
Sina (SinSinology) (21:04.889)
Mm-hmm.
Exactly.
Sina (SinSinology) (21:19.035)
Yeah, Yeah, I can see it.
Justin Gardner (@rhynorater) (21:24.565)
And I, you know, I've got those and I would like to also conquer the world of Pwn2Own. But man, you know, when you're up against people like this guy that rolls in here, this Manfred dude that rolls in there and just demolishes all browsers in one attempt, it's like, wow, that's definitely going to be a challenge to go up against. And I just can't imagine, you know,
Sina (SinSinology) (21:43.001)
Everything,
Justin Gardner (@rhynorater) (21:51.251)
I just can't believe there's not more incentive there because this is such a challenging thing that people are doing. I do want to get your take on one more thing before we wrap up, is do you think that ZDI should, and the Pwn2Own competition, should accept bugs that are not RCEs in the future to compete with the other bug bounty arena? Because obviously there are some situations where it's like, I've got full auth bypass.
But I don't have a way to turn this into RCE. There's just no way to turn it into RCE in this front end of the system, you know, or whatever. There's lots of impactful bugs that are out there that will just destroy a product, but these are not being paid for from, in these competitions. What are your thoughts on
Sina (SinSinology) (22:39.276)
Yeah, ZDI, well, let's look at it this way, right? Again, it's their rules and it's not really up to me thinking like what should they or shouldn't they do, but for some devices like mobile phones, things that like make sense, like with mobile things, I think they have like exceptions saying
if it's a mobile phone, we allow connecting like a USB, like a USB something because there's a lot of stuff going on over like the Lightning protocol that the cable on iPhone uses. Like a lot of protocols go on there and a lot of people haven't found memory corruption. Like it is accepted on those or like for example, on mobile devices, like phones, like Samsung, Xiaomi, whatever.
Justin Gardner (@rhynorater) (23:19.529)
Mmm. Yeah.
Sina (SinSinology) (23:34.513)
they allow one click exploits as well. So basically you share a link and then when they click on the link, so it's like, so, and they do that. And they also, when you have like, when you go to the competition and you have a valid exploit, but you're not able to finish the exploit on stage, but it is an actual valid exploit. They also give you some percent, they offer you, offer to you that they will still buy it from you if you want to.
Justin Gardner (@rhynorater) (23:40.373)
Okay, okay cool.
Sina (SinSinology) (24:00.379)
but for a small percentage just so you don't feel like you've wasted your whole time. It is not the same price as you could have got, but you couldn't finish the bug. And this is just like a token of appreciation again, for the researcher to say they can offer some part
Justin Gardner (@rhynorater) (24:12.944)
Hmm. Well, that's nice. What is the number? What do the numbers look like on that? Like, are they like half? Are they like 10%? Are they like
Sina (SinSinology) (24:23.112)
I don't have it in my mind. I think it's different every time. It really depends.
Justin Gardner (@rhynorater) (24:27.103)
Okay, gotcha, okay, that makes sense. All right, man, I'm looking through this document here. Yeah, I think we've covered most of the stuff that I wanted to cover with regards to Pwn2Own and what the experience is like and your approach to hacking and that sort of thing. The only other thing that I think we've got time for is I would like to have gone through some of the bugs that you've reported recently, but I'll just ask you one question about the WhatsUp
Gold pre-auth RCE, that you've blogged about on your website, summoning.team. In this exploit, there's a lot of technical explanation where you're going through the code, and I love how you show the trace of what function calls what and create that little graph and that sort of thing. That's super helpful for understanding all of this. I'm wondering, so this is utilizing the
Sina (SinSinology) (25:01.93)
huh. huh.
Sina (SinSinology) (25:13.297)
Thank you.
Justin Gardner (@rhynorater) (25:25.153)
protocol within this .NET environment. So this is a TCP-based service. Is that accurate? Let me see here. Or was that the other one that...
Sina (SinSinology) (25:25.361)
Yeah. Yeah. Yeah. That's right.
Sina (SinSinology) (25:37.349)
Yeah, so the thing is, so we have something called WCF, Windows Communication Foundation. It's super easy to understand. The way that you could put it is, if, yeah, it's RPC, right? You're remotely calling procedures. You're remotely calling methods, right? They expose some sort of methods under code that you can call those methods remotely. And then in order for this call to happen, it needs to go through a custom protocol. There used to be .NET Remoting, which was
Justin Gardner (@rhynorater) (25:44.073)
Mm-hmm. Yeah. Mm-hmm. It's RPC, right?
Sina (SinSinology) (26:06.947)
very very vulnerable and they've deprecated it and introduced WCF which is this one.
Justin Gardner (@rhynorater) (26:08.467)
Right, okay, okay. So WCF is like an alternative to .NET Remoting for this scenario. This is XML-based, it seems. And so, yeah, go ahead. It depends, okay.
Sina (SinSinology) (26:14.577)
Substitution. Yeah, exactly.
Sina (SinSinology) (26:19.271)
Depends, depends. You can configure your WCF to use different kinds of, like, they call it like, like different kinds of bindings. So you can have like HTTP binding or TCP binding and like there are way more bindings, but basically what these bindings mean is like, do you want it to be sent over HTTP or TCP? And if you choose HTTP,
Justin Gardner (@rhynorater) (26:34.962)
okay.
Sina (SinSinology) (26:45.208)
most of the time it goes through as like a SOAP protocol, which is made by Microsoft itself. So you don't write the SOAP, Microsoft takes care of it for you. They make your calls into like SOAP formatted things, or you use the TCP way. I mean, they call it TCP, but everything is like, all of it's basically over TCP. But the TCP binding, what it does is it's another custom protocol, where you're sending like some sort of like encoded bytes and stuff like that.
Justin Gardner (@rhynorater) (26:49.813)
Sure,
Sina (SinSinology) (27:14.329)
size, like a size field, bit field, like a structure and all of that, like a protocol and then you send it across, which is also taken care of by Microsoft. But writing the exploit-wise, when you're dealing with like a binding, which is HTTP, at the end, you can write some sort of Python code to send an HTTP request over and get it done with. But if you're exploiting a TCP-based binding, you need to write a C# client, which was the other blog that I published.
Justin Gardner (@rhynorater) (27:17.407)
Sure. Okay.
Justin Gardner (@rhynorater) (27:41.853)
Right.
Sina (SinSinology) (27:42.628)
which was a C# client code to write the exploits.
Justin Gardner (@rhynorater) (27:46.015)
Gotcha, okay, okay. So that all makes sense, that cleared it up. It's a way to do RPC, a newer version of .NET Remoting. And it could be over TCP, it could be over HTTP or SOAP or whatever, just depending on what binding is being used. And I'm wondering, so when we're looking at these sorts of, obviously your thing is .NET and you're really good at that. What is
Sina (SinSinology) (27:53.434)
Exactly. Yeah, exactly.
Yeah, yeah, yeah, that's right.
Sina (SinSinology) (28:07.991)
Thank you.
Justin Gardner (@rhynorater) (28:10.493)
How often are you seeing stuff in WCF versus just like a normal HTTP, IIS or whatever environment? And is this potentially an environment that researchers might be sort of sleeping on within a lot of enterprise applications or IOT devices or
Sina (SinSinology) (28:29.413)
Yeah, so with WCF, I really recommend people to look at it. It's not something new that I've been doing. I've been doing it for years and years and I've been submitting like bugs about WCF a lot of times. It's just something that like people don't tend to blog about maybe. So it keeps being like a little bit not as well known, even though if you Google about like WCF exploitation, you will see blogs going back to like four years from now that we're talking or maybe three years
from now, like maybe from like 2020 or 2019 even. People have exploited it, people have given talks about it, people have written blog posts about it, presentations and everything, but you don't see it being blogged about publicly a lot of times, as much as it could be, it might have been. But yeah, I really recommend people to...
basically start understanding what WCF is, start writing some sort of a custom lab environment and stuff, build it up and then try to like experiment with it, understand it, exploit it and all of that, which we also do in our course, by the way, if anyone's interested. So in the course, there's like every, I can bravely say like 80% of any kind
Justin Gardner (@rhynorater) (29:40.67)
really? Okay, so this is covered in the .NET course.
Sina (SinSinology) (29:54.07)
remote technology in .NET that can happen, any kind of like RPC, WCF, .NET remote, a lot of other things that I don't want to name now because I want to keep it as like the secret sauce in the course. I cover them all and how to exploit them and how to audit them and how to write exploit clients for them and all of that. yeah, WCF is worth investigating and worth working on.
Justin Gardner (@rhynorater) (30:17.557)
Very cool. Very cool. I like that a lot. And just one last question on that. So, you know, this one is, the one in the blog that I'm looking at right now is listening on port 9642 and 9643. If we see those, I see that is specific to this application. This isn't on every single, you know, WCF service. So when we're looking for WCF services, are we trying to track down this?
Sina (SinSinology) (30:37.444)
Yeah, let's put to this application,
Justin Gardner (@rhynorater) (30:44.425)
Like in this example, it says nmapi.exe.config. So is there normally like a .exe.config file that we can look at to see where the various routing is occurring and what kind of bindings are being registered?
Sina (SinSinology) (30:48.315)
Good question.
Sina (SinSinology) (30:56.954)
Good question. So when you're auditing WCF, you're dealing with three things: address, binding, contract. Based on the Microsoft documentation, you're dealing with these three things, right? You need to find the address, the binding and the contract. These are the three things. The address is the address, like a slash NMAPI, whatever, right? The binding is the type of binding that you're going to be talking to, HTTP, TCP and many others. There are not just those two. And then the contract is actually the code,
the methods that you want to invoke. So when you want to exploit it, you need to find or you need to write the interface for those contracts. A contract is basically the methods that the target server is offering to you that you can invoke. So you need to build it up. After you build these three up, address, binding, contract, you need to, if you work on it and just read the blog and Google around maybe, you can get to it and find that you can stick these together and then finish the exploit.
The thing is, the question that you asked, okay, how can we now find these three? So it's not always a config file. It can even be in the code. There can be no config file at all. So you need to be able to decompile and look for WCF setup and registration and those addresses and bindings and contracts in the code by decompiling it with like ILSpy, whatever decompiler you want to use.
Justin Gardner (@rhynorater) (32:10.24)
wow, that's tricky.
Justin Gardner (@rhynorater) (32:25.269)
Sure, and what are some keywords we should be looking for for that? Like, for example, I see in here basic HTTP binding, something like that. If we search
Sina (SinSinology) (32:25.426)
it's not always config files.
Sina (SinSinology) (32:33.144)
Exactly, but the word binding, the word binding itself, give it out, winding. Yeah, let's look for windings. Yeah.
Justin Gardner (@rhynorater) (32:37.959)
Okay, perfect, love that. So then that'll help us track down our sources, right? These are services that are being exposed and then we can sort of track through to the sinks. And that actually makes me think of one more question I wanted to ask you. There's a big debate on the podcast. I think this mostly occurs when we have targets that we're looking at that doesn't have a massive code base because if you have a massive code base, you have to address things a little bit differently. But do you normally start
Sina (SinSinology) (32:45.826)
Exactly. Exactly.
Justin Gardner (@rhynorater) (33:07.003)
sources or sinks when you're doing a source code analysis? Are you normally looking at like, all right, there's like eight services here and I'm gonna go through every single function for every single service or do you look for vulnerable code patterns and then work it back up to a source?
Sina (SinSinology) (33:27.91)
Let me put it this way, right? Again, I don't represent any, like, I don't know, -a -bitch researchers, whatever. This is just me as a single person who's answering this, right? If you look at, the basic answer is I do all of them. But let me elaborate a little bit. If we start with,
sinks and then work our way back to sources, like find dangerous things and then find out how we can hit them, how we can reach them. That's good. Why bad? Like if it was bad, it wouldn't be a method. It is good. I use it to this day as well. But don't limit yourself to only that as well. Sometimes following sources to sink, like sometimes just like following sources doesn't matter. It doesn't matter if you think they're gonna hit a sink or not, just following the sources. That's just following them to see
what the heck the application is going to do with this, with the time group we're to be providing to you. Because sometimes if you only look for the sinks, sometimes there might be some sort of a logical bug which isn't relying on a well-known sink or a sink that you might say, but a kind of behavior that is dangerous to this certain application, right? So it's always good to also follow the sources. Doesn't matter if you know indeed that it's going to be hitting a sink. So both of them.
Sink to source, source to sink, that's both good. And that's what a lot of my personal friends do, the same thing too. Yeah.
Justin Gardner (@rhynorater) (35:00.019)
Yeah, I think that's what we all do. I think it also depends; if you see a bunch of really obvious stuff, you might jump right into the sinks and try to trace your way back. But what I always say is if you spend time on sources, you're never going to regret that time because it's time that you're going to understand more about that application, understanding the application and understanding how the application flows. And you're going to get a better feel intuitively for that app that will help you trace back up from the sources as
Sina (SinSinology) (35:08.398)
Yeah, yeah, yeah.
Sina (SinSinology) (35:18.372)
Application. That's an amazing answer.
Justin Gardner (@rhynorater) (35:29.929)
I mean from the sinks as well. Does that make sense? Am I representing that correctly?
Sina (SinSinology) (35:30.336)
That's right. You got it right on the
Justin Gardner (@rhynorater) (35:35.305)
Perfect. All right, man. Wow. Well, this has been a long episode and a great one. One of my favorites so far for sure. I would love to have you come back on again sometime and discuss a little bit more of these nitty gritty details about .NET and, you know, we're getting in here. You know, we're checking out these WCF services, that sort of thing. So we'll have to set that up again in the future. But for now, man, Sina, thank you so much for coming on and anything you want to shout out before we end the podcast?
Sina (SinSinology) (35:56.379)
Amazing.
Sina (SinSinology) (36:05.682)
Yeah, of course. Thank you very much. First of all, let me take you up on that offer. Whenever you feel like, please give me a ping, give me a shout out, and then I'll show up. We can do a session, I'll share my screen or whatever, and we'll exploit the .NET vulnerability. I don't know, we exploit an Exchange server, an IIS server. We exploit a tricky .NET-based target or whatever. I'm happy to do so. Did you guys...
build up a great platform and I like to contribute to it because I know it has a good spotlight on it and it helps me and you at the same time, I think. So I appreciate you having me here. That's first. Second one is I just wanted to give a few shout outs to some people who've helped me a lot and then I remember the name. I've tried to write them in a note so you're gonna be looking at me and thinking that I'm reading
Justin Gardner (@rhynorater) (36:44.894)
Absolutely.
Sina (SinSinology) (37:04.345)
reading from something and that's right. Let me just bring it up. Yeah, so I just, first I wanna give a shout out to the Zero Day Initiative, ZDI. They have been always supportive of my work and helped me to get into the competition and show up, especially Brian Gorenc, as I said, who's the Vice President of Threat Research at Trend Micro,
and also Dustin Childs, who's the head of threat awareness. These are like two lovely folks who were like always, always helping me through Pwn2Own and just like making, making a dream happen basically. Next, I want to thank Michael, Michael DePlante. He's a, he's actually a ZDI employee. He's a researcher there and he's such a great guy. He, sometimes he, he, he runs my attempts on Pwn2Own and then when he runs them, he's always like,
he's a calm person and helps me to run my attempts really well. So shout out to him as well. I want to give a shout out to Radek from Flashback Team. I don't know if you know him. He and Pedro Ribeiro, both of them, Radek and Pedro, shout out to both of you. They're both great people. They have a hardware exploitation training that you can go to.
Justin Gardner (@rhynorater) (38:07.707)
Mmm. Mmm.
Justin Gardner (@rhynorater) (38:22.164)
Mm-mm.
Sina (SinSinology) (38:32.294)
These two guys, Pedro and Radek, I think the only reason that I got into hardware exploitation was because of these people. I personally never took their training, but I know for a fact that their training is phenomenal. And I've only learned my hardware exploitation, I talked a lot about .NET, but my hardware exploitation from their public research and public blog posts.
Justin Gardner (@rhynorater) (38:43.268)
Mm, mm.
Sina (SinSinology) (39:00.686)
and they were the reason that I got into hardware exploitation. I want to give a shout out to my dear friend, Soroush, Soroush Dalili. He's always been an idol to me. What a legend. He's one of my best friends. I can say everything that I know about .NET is because of him. That's it. It's because of him. Honestly, I shouldn't have a .NET Exploitation training. He should have it. But for some reason, I don't
Justin Gardner (@rhynorater) (39:11.231)
What
Sina (SinSinology) (39:29.68)
that up is down, something, I don't know, the night is, you know, all of a, like reverse everything, and then I'm doing the training. And also, Steven Seeley, mr_me, he's the only reason that I've got into vulnerability research. I just, like, I've been trying to follow his footsteps and everything, and I still haven't reached his level, but I'm seeing that I'm stepping on the right path,
Justin Gardner (@rhynorater) (39:32.824)
Hahaha
Sina (SinSinology) (39:58.927)
Another shout out to two other people and I promise you I'm done. chudyPB. chudyPB works at Trend Micro as well. He always does phenomenal .NET research and .NET exploitation and he's always an inspiration to my training, to my exploits, to everything .NET that I do. He's always an inspiration to my work. I get inspired so much from his work and also Orange Tsai for basically like
Justin Gardner (@rhynorater) (40:26.207)
Mm.
Sina (SinSinology) (40:27.482)
the whole infosec concept to another level. Like he always like brings up crazy other stuff. There's a lot of other people who are here that I'd like to give a shout out to, but these were all of them. And one other person lastly is the guy who I said at the beginning, Maysam Monsef. He was a mentor, a teacher, a friend to me and he's always been and I
learned a ton from him and maybe if it wasn't because of him I wouldn't be doing InfoSec at all. Yeah, that's it, sorry, such a long list.
Justin Gardner (@rhynorater) (41:04.297)
Wow. That, no, no, that was, that was legendary. I think one of the things about you that I've gotten the impression from, from this is that you are very grateful and you're very humble. And even just in the times when we're off camera during this podcast, like you've always been very accommodating and you've been very grateful that you're, that, you know, you're able to be here. And I feel, you know, I feel like it's vice versa, man. I feel like I'm so lucky to have you on the podcast and get your, your, your takes on all this stuff.
Sina (SinSinology) (41:15.11)
Thank you.
Justin Gardner (@rhynorater) (41:34.293)
That's the best situation, right? Where we're both grateful and happy and pleased to have each other. So thank you so much for coming on, man. And I just wanted to say, of that list, Soroush, obviously a legend, but chudyPB, same for Orange, but chudyPB is someone that just came on my radar recently with this SharePoint XXE that came out. And I actually had a note in this episode to talk about his research on the SharePoint XXE
Sina (SinSinology) (41:35.408)
Thank you. Appreciate
Sina (SinSinology) (41:42.585)
Thank
Justin Gardner (@rhynorater) (42:02.201)
he, he echoes something that you mentioned as well with, with the, the debugger being so important, which is that you can validate your assumptions instead of guessing. And in his research, he, he, he exploits an XXE where. Yeah, exactly. That's exactly it, man. The DTD processing was disabled and the XML resolver was set to a bunch of different stuff. And it's like, wow, why would you even try XXE when you see this? And I think it's because you have more introspection into the environment and see what's actually going on. So,
Sina (SinSinology) (42:12.527)
Yeah. DTD processing was disabled.
Sina (SinSinology) (42:27.247)
Exactly.
Debugger. Debugger is key.
Justin Gardner (@rhynorater) (42:32.381)
Yeah, chudyPB is definitely on my tweet notifications list now. All right, man. Yeah. Yeah.
Sina (SinSinology) (42:37.509)
Yeah, yeah, yeah. His name is, by the way, sorry, by the way, when I said these people's names, maybe I used their handle or something. chudyPB's name is Piotr, just wanna say it. And sorry for the long list. I don't get a lot of chances to be on something that will be seen or heard by people. And when I am, I've gotta give shout outs to those people because if it wasn't for them,
I wouldn't be here, honestly. And thank you so much for having me here. Thank
Justin Gardner (@rhynorater) (43:08.595)
Absolutely. Of course, dude, of course, man, that gratitude, it warms the heart. And for anybody that's listening that's thinking, wow, that was a long list, hey, now you've got a list to go and look at and people to follow and research to look into because those are the people that have made Sina who he is, you know? And clearly they've got a lot to offer the world. So, all right, thank you so much, man. Great podcast.
Sina (SinSinology) (43:20.239)
follow.
Sina (SinSinology) (43:26.639)
Thank you. Definitely.