The #100DaysOfHacking Challenge : A Game Changer for Me
by Najam Ul Saqib
How it all started?
I have known bug hunting for 2-3 years now but I had never been able to start hunting with consistency, I used to pick up a target after spending hours deciding which one will be good for me, spending time on recon i.e collecting all the subdomains, hunting on it for an hour or two for a couple of days, realizing that I need to learn hacking concepts first using tutorials and the cycle goes on. I was stuck in a loop of learning, though learning is not too bad but if you get stuck in learning only and don’t apply what you’ve learned practically you have done nothing but wasted your time.
Spending time on tutorials, labs (that too were solved with walkthroughs), and writeups were the only thing I was doing, maybe I was afraid that if I start I won’t be successful. The fear of failure!
Then one day, I came across a video of Katie discussing this “loop of learning” titled, How to Stop Learning and Start Hacking! that proved to be an eye-opener for me. I came to know from this video that all these years of learning hacking via tutorials only might have made me a better hacker THEORETICALLY meaning that I would know all the concepts, you name the vulnerability and I could tell you its description, impact, and whatnot. I only got better at learning but if you talk about PRACTICAL hacking I was not so good.
Anyways, I eventually decided to start giving time to PRACTICAL hacking and after switching so many targets I finally decided to hack on Department Of Defense since it was known as a good starting point for beginners for being a wide scope target. I started hacking on Department Of Defense in June 2021 and spent a good amount of time on recon. I managed to get one bug triaged and I was in the air but soon it was closed as informative as the triager made a mistake and according to him that bug was not valid. He was apologetic but it was very disappointing for me, imagine you get the first valid bug after so much effort but it turns out to be informative later. Pretty discouraging. Well I won’t go into the details but I got 13 Informative Reports, 5 Not Applicable, 7 Duplicates (thanks to Nuclei) and 2 triaged reports that are still in triage state. Long Live DOD!
Stats After Hacking A Month or Two on DOD
I got 2 valid security bugs and I don’t know if it was procrastination or what, but again I left hacking consistently, putting in so many hours only got me 2 triaged bugs out of 27 total submissions. I started doubting myself and started making excuses like bug bounties are a scam, only absolutely genius guys can find bugs and I am not one of them, bla bla!
“Failure is the key to success; each mistake teaches us something.” – Morihei Ueshiba
Trying To Get A Mentor
I always heard of how important it is to have a mentor, I knew I was doing something wrong and I wanted that someone could guide me, on what am I doing wrong and what should be the right direction. I approached many people asking loads of questions and obviously not silly ones e.g “Can you mentor me?”, “Can you teach me how to hack?”, etc rather I wrote the complete scenario and asked for their feedback but unfortunately almost no one responded positively. Most of them were unresponsive as well. I do not blame them, everyone has their own routine and not everyone is ready to help you. I just am saying that I had no mentor back then, I even asked people if we can hack together, on CTFs, or programs, etc but no one was interesting as I had nothing under my belt quite obviously. Why would one waste time with a noob? Therefore, I stopped wasting time asking people for help as it only portrayed me as a stupid begging for help.
Taking the Initiative
Being a developer, I have already seen people taking on the challenge of #100DaysOfCode which is very popular among developers, in this challenge people coded in some language for 100 days straight. I decided to go with #100DaysOfHacking, upon searching online only a couple of articles were available on the #100DaysOfHacking challenge, one was successful and the other one failed on day 31-32. As I was struggling with consistency and being stuck in a learning loop I thought it was not a bad idea to give it a try and so I announced the commencement of this challenge. Here’s a tweet that was part of the announcement thread
Therefore, I have planned to be accountable on Twitter and take the #100DaysOfHacking challenge from 1st Jan 2022, in which I will be focusing on:— Najam Ul Saqib (@NjmUlSqb) December 29, 2021
- Building my Bug Hunting Methodology
- Sticking to a program for longer duration
- Learning manual exploitation of bugs
Therefore, I started this challenge on the 1st of January 2022. At the beginning of the days, I was skimming through the website trying to understand its functionality. I submitted my first bug of the year to this program on the 3rd day of this challenge which was Improper rate limitation on OTP when OTP was not expiring and it turned out to be a duplicate. My first duplicate bug that didn’t involve Nuclei so yeah you need something to stay optimist 😅
At the beginning of this challenge, though there were some people encouraging my step, unfortunately, there were more people on the other side that were criticizing me that I am doing this challenge just to get fame and followers, or I am just showing off, etc but their criticism instead of bringing me down, pushed me to work even harder & prove them wrong. No matter what you do, there are always gonna be some people criticizing you, which as a human being definitely feels bad but one should not take the negative criticism too seriously.
“To avoid criticism, say nothing, do nothing, be nothing - Elbert Hubbard”
Is it just about 1 hour daily?
Theoretically, if I hacked 1 hour a day and tweeted the progress I was good with the challenge but I want to make clear that most of the days I hacked for 2-3 hours because 1 hour never seemed to be sufficient for me, 1 hour just used to pass by and I wouldn’t have done anything concrete.
What was my routine?
Being a full-time security engineer, I had very little spare time so I used to hack early in the morning (before office) or at night (after office), usually morning time was more productive as I wasn’t tired out. Being away from home, I also needed to travel some days and had to schedule my challenge accordingly. Routine used to get really tough, I used to be tired as hell but never skipped a single day of this challenge and made sure that every day I learn something new. There were days, when I was sick and some days was in hospital too and my close ones suggested I just put some fake tweets including false claims, obviously no one can verify whether you actually did what you state or not, look at yourself, you’re sick, and what not but no matter how you justify this act it remains cheating and I would tweet lie once but as a result, I won’t be hurting anyone but myself. I would kill the core purpose of this challenge and whenever I won’t be feeling well I would be tweeting lies so I never went on that path. Whatever I tweeted each day was 100% true and portrayed exactly what I did that day.
Yes, I for the first time experienced burnout, my health was deteriorating. This challenge with a full-time job was no joke and one should think 10 times before getting into it. There were days when I just didn’t want to see the laptop screen still I managed to do something meaningful. You may term it as being cruel to yourself but I knew that I had a bad habit of staying in my comfort zone and I needed to get rid of this habit, the only way I found was #100DaysOfHackingChallenge and my decision proved to be absolutely spot on!
“Before anything great is really achieved, your comfort zone must be disturbed.” – Ray Lewis
My First Bounty
I was testing for IDORs for some days on this program’s API, trying different stuff, making my own methodology and on Day 31 i.e within the first month of this challenge I found another bug, and this time it was IDOR. I submitted it to the program after writing a detailed report and started waiting for the response. If you have ever submitted a report you would know this feeling of binge checking email to see if the triager has responded or not and to test my patience triager did not give the verdict on my report for the next 2 weeks 😬
One beautiful morning of Day 46, at 3 AM I was checking email when I saw some activity on the report. When I opened the report I saw this
The feelings, the happiness, and the dopamine rush I experienced cannot be explained in words. It was just out of this world. I was just so so happy. My first bounty was huge which I never expected, there was a time when I craved for a low 50$ bug but now I had a 4-digit bounty and high severity bug. Hard work, persistence, and consistency really paid off!
I asked the program for permission to disclose this bug so that I can release a detailed writeup on it but of course, being a private program they had reservations on disclosure as the severity was high so they were required to publish a press release to their customers regarding this finding and stating that the bug is fixed which they were not in a position to do so. Anyways, in a single line I can explain the bug: Ability to download the account exports (that can contain full account information) of any user on the platform.
This bounty gave me a confidence booster, all the self-doubts faded away. I started this challenge to develop a habit of staying consistent and as a by-product I got my first bounty.
Role of Recon in My Success
You might be expecting me to say that recon has helped me a lot during this challenge but you would be shocked to know that I did almost no recon this time, I hunted only on root domains, and with the amount of stuff that was available, I never felt the need to get more subdomains. At the same time, I am not saying that recon is useless. Recon is very important and can get you some awesome findings but I already wasted so much time on subdomain enumeration and stuff that this time I just wanted to hack and not get stuck into the recon loop.
People who helped me along this journey
There were times when I was hopeless, feeling that I took the wrong decision of getting into bug bounties, while on other days I needed guidance. These were the special ones who responded to my tweets and never made me feel alone on this journey. Always up there for moral support and guidance. I owe these guys a lot for their help:
The Trend of #100DaysOfHacking Challenge
When I was starting this challenge, there were only a handful of people that took the #100DaysOfHacking challenge and I found a single person named Chris Inzinga who successfully completed this challenge and was quite successful too. He guided me in the beginning and motivated me to take on this challenge too. Now, I am happy to state that I was able to set a trend and motivated some people to take on this challenge. Now while scrolling through social media platforms, I can notice lots of posts with the hashtag #100DaysOfHacking these days. I am happy to bring this positive change, to motivate people to learn cybersecurity.
As I proceeded to this challenge, many people joined me in this caravan. The critics faded away with the passage of time and 100+ people followed me along this journey which I am thankful of. I wasn’t really expecting this and I am thankful to each one of them because they were my motivation to hunt on my off days. To my surprise, the triagers of the program were also silent followers of my challenge and I came to know this when one of them congratuled me on this challenge and I am grateful for support from all of you. ❤️
GitHub Repo on My Tweets
I maintained a GitHub repo during this challenge that contains references to all of the tweets I made during this challenge so that if you want to see my journey you can go back to any day’s progress with ease. Here’s the repo: #100DaysOfHacking Github Repo
When I was starting this challenge, I was full of doubts and was not expecting anything special but I was determined to do it every day, do it a little every day and that’s it. I stuck to the rules of this challenge by doing it daily and it paid dividends. Was it tough? It definitely was! I gained so many benefits from this challenge, for example, I learned a lot of new stuff which I would never have in normal circumstances, I came out of my comfort zone and learnt the art of challenging yourself, I made a network around me consisting of many new friends, I am more confident and disciplined on the successful completion of this marathon. It took so much effort to stay dedicated and disciplined but this strengthened my willpower. I thoroughly enjoyed this challenge and will carry on this momentum to hunt more bugs. Was the #100DaysOfHacking challenge worth the effort? Beyond any shadow of a doubt!tags: Challenge - Hacking - Bug Hunting