Looking Back and Looking Forward: My Undergrad Journey
This is an attempt to catalog my infosec journey so far during my undergrad.
I recently completed my undergraduate studies at Rajiv Gandhi University of Knowledge Technologies, Nuzvid(AP IIIT), getting admission to the university was the sole reason for where I am at now. To be honest, If it isn't for my university, I would be no one, like millions of other people in my locality who don't know what they are doing with their life. During the six years of my Integrated Undergrad Studies, I made relationships that stay lifelong, I found my passion and countless other things that helped me grow as an individual.
Admission to RGUKT
Education should be: free, universal, digital, and accessible to all regardless of background - balajis
I really hope the above quote becomes true in India in the future.
RGUKT was established with the motive to provide free technology-oriented higher education to students born into a low-income, rural family in AP. It was Dr. Raj Reddy's idea who is a professor at CMU to provide free laptops, internet and have a curriculum that encourages self-learning. So, sometime around 2014 when I am in 10th standard studying in a government high school one of the lecturers somehow predicted I would top the class and suggested me to apply for this university. These government high schools I studied are bullshit, most of the people send their kids to private schools which are better but the issue is everyone can't afford them.
As my lecturer predicted, I am topper of the class and I applied to the university and got admission to 6 years integrated program(2+4). Honestly, at that time I really didn't have a clue about what I applied for and I know it was engineering but I don't know what engineering actually was. The reason for my cluelessness is that nobody told me about this stuff in high school and my parents didn't receive any formal education
I joined the university on Aug 1, 2015, interestingly I still remembered the date. It was the first time I stayed away from home and I saw a lot of people feeling homesick and I didn't feel a bit maybe it's because I was too excited.
I went to an introductory class and man that was one fancy classroom with a laptop and a LAN at every seat, projector, and a hub. For an inquisitive guy like me who never used a smartphone or a computer, there was a lot of stuff to poke in that classroom.
I remembered sitting at the seat near a window, exploring that windows/zorin(linux) Acer laptop, and somehow I was able to configure intranet IP to access the online notice board, I still don't know how I did it.
Pre University Course 1st and 2nd year
The first two years of the integrated undergraduate are pre-university course which is similar to 12th/Intermediate. Most of the course content is online hosted on the intranet in a lousy website, so the seniors shared the offline websites they have created with fancy CSS and HTML. My immediate thought was to create one, so I somehow managed to edit the HTML file and changed "Desgined by someguy" to "Designed by s1r1us", changed a few colors here and there, and shared the website with my friends. They were all so surprised, little did they know that I edited a few HTML files on the senior's website. Over time, I got interested in web development and I developed a website for administration and a chat rooms website in the classroom which got me into trouble because few of my friends used it to slide into girls' DMs.
At that time, we used to have night classes and we saw our seniors playing Counter-Strike 1.6 a lot, so we somehow managed to get it in our laptops and it is the only thing we did during the night classes.
Weekends were particularly allocated to cricket, they were the only days we wake up in the early morning at 5:30 AM to get hold of the cricket ground to play matches with other classes or seniors, if you are a few minutes late to the ground it will be occupied by the other class teams.
Hacking in PUC
I used to do some lame stuff, like controlling others' laptops via SSH or RDP, and brag that I am hacking their laptops. Almost, every laptop in the classroom runs on Linux OS called Zorin, only a few were installed with ssh server, so during lunchtime, I used to stay in the classroom and login into my friend's laptop using default credentials and install OpenSSH(sudo apt install openssh-server)and rebooting(sudo reboot) their laptop was so much fun whenever they were watching some movie seriously.
It looked pretty exciting to me, so I decided to visit hostels of computer science seniors who do "hacking" and learn stuff from them. So, I met a guy named Subhani he taught me some cool stuff like sniffing internet proxy passwords(most of the infra runs on HTTP) on the intranet, and shared sites like https://www.hackthissite.org/ to learn.
At that time, I was mostly doing script kiddie stuff and making lame youtube videos like the below one and I didn't know anything about CTFs. If I could change one thing at that time, that would definitely be knowing about CTFs because the next two years I spent my free time learning about AI/ML which in my opinion could've been used for doing CTFs.
Overall, PUC went pretty well with lots of memories to cherish and good grades.
I was fascinated by electronics and computers, so I had only two choices in my mind one is Computer Science and another one is Electronics, after careful thought I decided to choose Computer Science and Engineering as my field of study for Engineering.
Engineering 1st and 2nd year
During the whole engineering, I never concentrated much on academics because most of the faculty were not good at what they were teaching and I have confidence that I can learn alone without a teacher through the Internet or books. So, I concentrated mostly on exploring things outside the curriculum like developing websites or doing competitive programming(boring/hard) or doing free AI courses on Coursera/Edx during these two years. I founded AI/ML club in the university but didn't get much traction. I am doing online courses about ML, but I am not practically developing anything new or interesting and it felt boring.
It was also the time when I earned my first penny through my knowledge from Chegg.
Start of CTFs - Team Invaders is born
It was sometime around November 2018 when I am in the second semester of my second year of engineering, a friend of mine shared a link to a hacking competition called InCTF where people from all over India will be invited to onsite finals if they qualified in the ongoing competition. That looked pretty dope, so we decided to form a team named Invaders with 5 members.
IIRC, we got first place in the qualifiers and got an invitation to onsite finals. We split the categories in the competition to each of the members, I used to do Binary and Web Exploitation. And we practiced some old CTF challenges for the finals.
We went to onsite finals on December 24th, 2018, nailed the finals, got first place and they rewarded us with ~$600 dollars.
It was really an awesome experience. The adrenaline rush and the excitement of solving a CTF challenge got me addicted, and I know at that point I am going to pursue Information Security as a career.
I continued playing the CTFs the whole semester.
Engineering 3rd year
We participated in a lot of CTFs and reached to top 3 in India in the 2019 ctftime rankings. We got an invitation to the CSAW finals with free flight tickets, we got 3rd place there. I was one of the top 3 CTF players who got invited to BountyCon which is hosted by facebook in Singapore but sadly because of COVID it got canceled.
We(Invaders) conducted a local CTF in the university to find talent to hire in our team, we found a gem S3v3ru5 who turned out to be a pro in cryptography.
I noticed people earning money through bug bounties on Twitter, it caught my eye. Till that point, I mostly did Binary Exploitation but seeing those bounties I started concentrating on Web Exploitation.
Sliding into Indian BB pros DMs
I started doing bug bounties along with Invaders teammates Ajay and Akash. kmskrishna invited us to a live hacking event by hackrew at Hyderabad after seeing our progress in CTFs. We went there and earned a $200 bounty which is our first bounty. That was also an nice experience for us, so we thought of hunting on Hackerone/Bugcrowd.
We are so desperate to find bugs and earn bounties at that time, but we couldn't find anything. I reached out to top Bug Bounty hunters from India on Twitter asking for suggestions to find bugs. And obviously, not even a single person responded. I was a little bit disappointed at that time, but now I know the reason for them not responding. It is just that they can't respond to each and every guy who sends DM and the question I am asking is not at all a proper one. I am just generally asking how to find bugs, if it is a question related to a specific bug or some edge case people will definitely respond in my opinion.
So, I realized that until you have something good to show in your profile most of the people not going to give a shit.
Crush on Browsers
I noticed terjanq solving each and every XSS challenge, joining FB and later Google. He really caught my eye, and I took him as an inspiration and scrolled to the end of his Twitter feed and started solving each and every challenge he solved.
Whenever someone posts a new challenge, I tried to solve it until the author posts the write-up and learned a lot of new stuff throughout the process.
Once alex posted a challenge, I couldn't solve the challenge but I bugged him with a lot of questions, over time he became a mentor-like person to me. We discuss XSS challenges and share the cool bugs we found. He is a pretty cool guy.
I read each and every blog post of Alex Inführ, terjanq, Sergey Bobrov, Filedescriptor, Gareth Heyes, Mario Heiderich, Michał Bentkowski, Masato Kinugawa, Jun Kokatsu, Luan Herrera, Eduardo Vela, Krzysztof Kotowicz, James Kettle, Shafi Gullin. I learned so much from their blogs and I am so grateful to each and every one. (https://blog.s1r1us.ninja/inspiration)
In the final semester of my third of engineering, I started finding client-side bugs on Google, Microsoft, and private programs on Hackerone.
I earned something around $25,000, which is so much for a guy like me. My parents still don't understand how I earn and I think they are so proud of me. I used some of the money to construct a small house, buy a bike for myself, and that was really cool.
Engineering 4th year
Bored of Bug Bounties
I found bug bounties boring, I felt like I was not learning anything new, I was mostly repeating the same process on each and every website. I am not saying that the whole process is repetitive, but I felt like it is mostly repetitive and boring. So, I decided to concentrate more on CTFs and Vulnerability Research.
Invaders collapsed
When I decided to start playing CTFs, most of the players in the team lost interest except s3v3ru5, so I decided to join an active team. I reached out to ptr-yudai to join zer0pts and they accepted me, later s3v3ru5 joined.
Joining zer0pts is definitely the best thing I did, the team is so active and it is really motivating for me to play CTFs every weekend. I learned a lot of cool stuff in zer0pts from ptr-yudai, st98, posix, and many other people.
My first research: Finding Prototype Pollution in the wild
Sometime around August 2020, I started working on client-side prototype pollution. I started collaborating on this research with BlackFan, our idea is to scan all the bug bounty programs for client-side prototype pollution and we were successful in it. You can find more details here
Gave a talk at BSides Ahmedabad about this research along with Harsh Jaiswal which was also a good experience.
My Next Research
During prototype pollution research, I came across an interesting bug after escalating it to Remote Code Execution, I realized that this particular bug is so bad and I started working on it and after a few months it turned into full-blown research.
GrandPew, Vakzz, Aditya Purani, and I submitted this research to OffeinsiveCon and got selected as a backup talk for the OffensiveCon, and we are thinking about submitting it to Blackhat or Defcon next year.
Dilemma on Job or Higher Studies
I always wanted to study at a western university, but I really don't want to take a loan or spend my hard-earned bug bounty money on a college degree. I know having a Master's Degree will land a nice paying job easily but all my life I haven't spent a penny on my education and I couldn't convince myself to pay >$50,000 for a Master's. So, I decided to look for jobs.
Rant on Job Hunt
It is so sad and frustrating that the opportunities for a person in India and a person from western countries are not at all equal. I struggled a bit to get my first job, I had offers from a few companies but the salary didn't look good to me and the position is not at all interesting. With the remote jobs, I think people will get equal opportunities but it might not be any time soon. During this process, Harsh, Rahul, Prateek, and Akhil were so helpful to me.
In the end, I got an Application Security Engineer position at Bugcrowd, but I still have to onboard.
That was a fruitful ride so far, I am grateful to every person that became a part of my journey, mainly to the awesome people who are sharing their knowledge, helping others, and I would like to be one of them.
Cheers to new beginnings🍻
Aspirations
Continue Vulnerability Research
Publish more blogs
.....