Intro and how I started hacking.
Welcome to my blog! Here I would like record my journey to becoming a professional hacker and bug bounty hunter. It will include personal stories and inspirations, book and course recommendations as well as write-ups of my security findings. It may be helpful to those who are curious about hacking, especially those who may be inclined toward independent study using publicly available courses. In this first non-techical post I would like to tell you a little bit about myself and how I got started with hacking.
It all started in kindergarten (1993) when my father brought home our first computer. It was the Soviet clone of ZX Spectrum (unfortunately I don’t remember the exact model). You had to hook it up to the TV set, and it used an audio cassetes for input. It had a BAISIC console, and I would code little programs using source code from reprinted books that my father would bring home. This enjoyable pasttime combined with video games kept me hooked and mesmerized by the possibilities of these machines.
I continued coding here and there (nothing serious) and playing computer games, when we moved with my parents to my aunt’s town, close to Moscow, Russia. In those days my cousin was an admin at a computer club and also very passionate about new tecnology and IT in particular. He subscribed to this magazine called Xakep, which was the magazine from hackers to hackers. It had so much interesting, detailed and captivating information, I really loved this magazine. I could barely wrap my head around most of the exploits, software, tricks and how-tos, but I kept reading it none the less. Also at this time I finally got regular access to the Internet, and my hacking journey progressed on forums and message boards in a connected and collaborative fashion.
Everything about hacking intrigued me, but one thing worried me. If you do “real” hacking, one day, most likely you would go to jail. It was practically inpossible to do responsible disclosure, and bug bounty was not a thing. I saw news of hackers getting busted, and it made me real uneasy about the field. I decided for myself, that I don’t want to get money for illegal hacking activities. At some point I stopped considering hacking as my career path.
Fast forward into the future, I got a degree in psychology and sociology and met my current wife. We moved to U.S. in 2015, when my wife got accepted for her PhD program. She was not my wife at the time so I didn’t have proper documents to work. I needed to figure out a way to make money without working for $10 an hour as an illegal apple picker.
I decided it was time to get back in touch with my childhood passion - I started to educate myself in programming and networks. By the end of 2015, I discovered HackerOne and Bugcrowd. It was a revelation to me that one can actually hack real companies and businesses and get paid for it, legally! I was shocked and excited to get started.
I read blogs, articles, how-to’s, guides, books and tried to apply it, I read more, and tried again, read more, applied it, (and still continue this cycle to today). I followed every hacker and bug bounty hacker that I admire on Twitter and read everything they would post.
The two most impactful books for my hacking knowledge, were: Pete Yaworski’s Web Hacking 101 and Dafudd Stuttard & Marcus Pinto’s WAHH. The fist book is full of real world reports and helpful hints and tips. The second book provides you with a foundation and details about how to hack web applications.
I have to say that being on Twitter and in constant conversation with the hacking community was very beneficial to me. When you are surrounded with a crowd of a friendly, smart, and likeminded people, the learning and working process become easier to execute. Seeing others blogging about their finds, the challenges and tricks they had to employ, it motivated me to stay in the game and try harder. It showed me that big finds are possible, but that it wasn’t going to be easy.
In the start of 2016, I got my first bounty after reading the “Web Hacking 101” report about finding AWS s3 buckets. That was such an out-of-the-box idea, so I decided to try it for myself. Read more about it in my next post.