NahamSec interview Rhok

October 10, 2020

Note that during these interviews I also moderate thus quality may vary.

PROFILE

  • Kevin aka Rhok

  • Been doing bug bounties for 4 years

  • Works at Okta

  • Hacks a couple times a month

  • First program: Uber

  • First vulnerability: Sensitive Information Disclosure

  • First bounty: $3350

  • Best purchase: provide money for parents

  • Favorite bug type: RCE

  • Mentor: Peter Yaworski

  • Favorite tool: Burp

  • Hobbies: gaming

TIMELINE

  • During junior year in college he signed up to drive for Uber and found a PII bug

  • Signed up for HackerOne to report bug to Uber private program

  • Received couple thousand dollars and started to look more into bug bounties

  • Bug bounties landed him his first infosec job at Synack as security analyst

  • Currently works at Okta

  • Provided him with vendor side insight wrt bug bounties

  • SLA etc.

  • His role is to code review new functionality

LIVE HACKING EVENTS

  • First event he was invited to was h1702

  • Didnā€™t know what to do went in head first

  • met Peter Yaworski

COLLABORATION

  • What does it mean to you?

  • Motivate each other

  • Everyone has a different mindset

  • Often collaborates with

  • ZephyrFish

  • Zseano

  • Jaworski

LEARNING

  • Reading things from hacking activity

  • Going on YouTube or just googling things

  • Talking to people in the community, e.g. on Twitter

  • Once did 120 bugs in 120 days

  • Read article by Shubz doing 30 bugs in 30 days https://shubs.io/high-frequency-security-bug-hunting-120-days-120-bugs/

  • Wanted to challenge himself

  • Lessons learned

  • Really get to know your target

  • Started following bug bounty hunters on Twitter and their blogs

  • Peter Yaworski

  • Frans Rosen

  • Matthias

  • Jack https://hackerone.com/wkcaj

  • How to learn new things

  • Do research

  • How did they go about it

  • Whitelist vs blacklist

  • What tools did they use

  • A lot of reading

  • CTF

  • Helps you think outside of the box

  • Promotes collaboration

PROGRAMMING

  • Codes with Python

  • Not required for hunting but helps, especially with code review

  • Helpful for automation

ADVICE

  • Be patient

  • Donā€™t constantly ask for updates as itā€™s immature

  • Donā€™t be lazy

  • Donā€™t immediately reach for tools such as SQLMap

  • Try to understand how it all works

METHODOLOGY

  • Recon

  • Understand what the product is about, what they have to offer

  • I do more vertical recon opposed to horizontal