
Am I audible?

>> All right. Hello everybody again. So now it's time for Nikhil. Welcome, Nikhil.

>> Thank you. Am I audible?

>> Yes.

>> Okay. Let me share my screen, please. Can you check my screen? Is it working?

>> Yes, it's working.

>> Okay. Hello everyone. My name is Nikhil Srivastava; I go by Nyx. Today I'm going to talk about the hacker's mindset. It's a simple talk, just to create a curiosity in your mind about why hacking is so important and how you can become a good hacker in the future. So this talk is all about the basic mindset, just to create the curiosity in your mind. I guess I'm audible to everyone.

Regarding me: I'm a full-time bug bounty hunter. I am a Synack Red Team Legend at a US-based company, Synack. I'm the founder of Security BSides Ahmedabad; it's one of the security conferences happening in India each year in September. I'm also a Microsoft Security Response Center (MSRC) top 100 researcher. Previously I have spoken at DEF CON, Black Hat, GISEC and many other conferences across the world. I'm also on the board of advisors of RiskProfiler. Just to give you a brief about myself: I started doing bug bounty hunting in my college days, and what we do is usually report vulnerabilities to all these companies like Google, PayPal, all these big giants, and get the bug bounty out of it. I've also dedicated myself to MSRC, Microsoft, for one or two years, dedicatedly finding vulnerabilities and exploits in their systems and reporting them responsibly to get the bounties out of it. I'm not very frequent to talk about my findings; I'm not very confident talking about myself on a stage, but I decided to give it a go. I guess after COVID I challenged myself to start working on these conferences, so I submitted CFPs and they got accepted, and then I started speaking at these conferences, and I got to know that people want to listen to you, to listen to a different perspective as well. So that's where I started speaking at conferences. There's a US-based company called RiskProfiler that assigned me to their board of advisors because I've given some advice to them that brings the product up. This is all my background. I've also been working with Cobalt, one of the pentesting companies, where I'll be working as a lead pentester. I also worked with HackerOne as a security researcher, not as an employee, finding vulnerabilities in multiple companies; maybe I can't name them because it's all confidential. I have also done a lot of other things; I don't remember everything right now. So this is all about me.

I'll move forward with my talk itself, which is all about the hacker's mindset: how to create curiosity in yourself to find more and more flaws in any system. A hacker is all about curiosity. If you see any hacker, they always talk about how things work, how this thing is actually going on. They have a lot of curiosity about any system, any person, anything, and they always ask multiple questions about how this thing works. So a hacker is all about curiosity, and you must have that curiosity in order to become a hacker. That's what I'm going to talk about in these slides as well, giving my examples and my friends' examples of the impactful bugs they have found and how they found them.

Let's start with my personal example. I was invited to one of the live hacking events in Hong Kong around May last year. There were five elite hackers invited to that event, and it was a two-day event. For the first day they gave us point-of-sale devices. This company has like 50,000 stores across 27-plus markets worldwide, they have a huge security team, and they have been testing these products and services for the last 10 years. But what matters is the curiosity of accessing these products right on the spot. They gave us all their POS devices; the devices are nothing but Android or iOS devices running on some ports. So on the first day they gave us access to all the assets they have. The event hadn't even started. We were just curious: okay, for the next two days we'll go and have a good run, probably finding more and more vulnerabilities in the system. The first day we go there, we have a coffee, we get provided with all the devices, we start setting everything up, and in about 10 minutes we were connecting all the POS devices to our systems and started intercepting them. What we usually do is we always remain curious about how these things are working. Since it's a normal Android device, we connected it and all the traffic went through Burp Suite. In one of the requests we found, whenever you find any integer or any value, the first thing a hacker does is just add a single quote to check whether there is a SQL injection or not. We were just checking a few requests, we found one request, put a single quote in it, and it was giving a SQL error to us. So what we did, we just went ahead and dumped their whole database from that particular request itself, and this all happened within 10 minutes. Within 10 minutes we had dumped their whole database from one of their POS devices. It's not a single API that they have been using for just one POS; it's spread across all the devices. So all the store owners can also dump it if they have those skills.

This is the example of what curiosity can do on this occasion, because the event had not even started and we had already found a critical vulnerability in one of their systems, and they have a huge security team, they've been testing this product for a long, long time, they have bug bounty programs on multiple platforms, and all those things. So this is what happened at that time. I have already told you that the client wasn't weak; they have been testing this product for the last five or six years. Just like others, they were also overconfident about their assets. In all those 10 minutes we weren't following the checklist; we weren't just checking the bug checklist one by one. We just gave our best to find critical or high-level vulnerabilities in a system that has been tested multiple times.

This is another application, another thing that was found by one of our good friends, Sam. He has been testing this car from the Kia web portal or the Kia mobile application for a very long time. He found several vulnerabilities in their systems, and combining them they created a high-impact vulnerability through which they were able to unlock the doors of the Kia or start the car. I'll just give you a short demo. This tool is not available; this is just a demo. I think this is a video. This should be a video, but I guess it's not playing right now.

They created this tool; I think this PoC is available on Twitter as well, so you can just go and check for the Kia tool. Sam Curry is his name. Using those vulnerabilities he created this short tool with which he was able to unlock the car or start the engine, exploiting all these Kia cars remotely.

You all know about the Flipper. I think in 2020 or 2021 I went to DEF CON US. These Flippers were very trendy at that time. I got one from one of my friends; I didn't buy it, but luckily I got hold of one of the devices at that time. When I came back home, my gym card was using RFID, so I was curious: let's play with this device. I just tried to read the card and replicate the same card on the Flipper device to my gym gate. I was able to open the gate and do all those things. So this is what curiosity does: if you have a new toy in town, just play along with it, and that raises the curiosity out of it.

I think this is also a video. I'm not sure, but it's not playing. What I did was just read the card here and emulate the same card to my gym machine, just to open the gate. It was really fun. For hackers it's not all about money or something else; it's about fun as well, getting fun out of the things you are using. The Flipper is one example. There are a lot of tools available on the web by Hak5; they've been selling a lot of these tools and a lot of applications that are fine for you to work with. This was one of the society gates I was opening just by reading the signals from it, capturing the signals and replaying them to open the gate.

This is another example that one of my friends got during the COVID time itself. They found a Sign in with Apple vulnerability in all of the iOS devices. Using this vulnerability he was able to get a valid JWT for arbitrary emails without ensuring that the requester really owned that email ID: just by plugging in the email ID of any victim, he was able to hack into their account directly. He was an iPhone developer first, and I think he was playing around with the Apple application and found this vulnerability just out of curiosity, and he is now full-time Apple. So this is what curiosity does to you: you have been somewhere else, doing something else, and the curiosity comes into play and you get some serious flaw in one of the major applications used by everyone.

If I talk about myself as well, I found a PDF viewer, one of the PDF viewers, where I found a zero-day XSS; it was XSS as a vulnerability. While I exploited that vulnerability, and I knew that it was vulnerable, I attempted the same vulnerability on other PDF viewers as well, and I found that most of them were vulnerable, obviously because it's a zero-day. But at one instance, where I was using, I guess, a loan disbursement software, I was actually trying to replicate the same exploit there as well because it was also using the same PDF viewer. So what I did, I exploited it and I was waiting for a connection to come back to my system. I waited like 15 days to get this connection back. But I never gave up; I kept on pushing because I knew the vulnerability was still there. Something was missing, something was still going on. Maybe out of luck I got the connection back, or it's just a blind exploit. I have no idea what happened inside, maybe it was just luck, but I never gave up. Even after 15 days I might have generated some automatic responses to me, so whenever I got the hit, I kept it going until I got those hits back. This is one of the examples that curiosity is important, but the never-give-up attitude also plays a crucial role. If you have curiosity, you will never give up, I guess; that's what I think it is.

This is one of the banking applications that has been used by 70% of global banks across the world, and I had access to one of their instances in one of the countries' bank applications; it was one of the banks in the Middle East. I was testing it and I found it curious that the code is running from... in the source code I got to know that this application was built by someone, I'm not disclosing the country name, but some other third-party country has been building these applications, and the code has been running since 2003. It was hilarious for me that I found multiple bugs on this application, but the most critical was that I was able to dump their database as well, and this application is being used across 70% of global banks. The only thing that might disallow you to exploit these vulnerabilities is maybe the authentication, but since it's a corporate banking application, all the corporates already have access to this application, so they can actually exploit this to gain access to all the other banks' information as well. I'm not disclosing much information on this because I'm not sure that they are just fixing the one flaw; the bank I was working with, I think they only entered some filters and did not fix the whole product. So it still remains a flaw. This is what happened: I just put sqlmap on it and I was able to dump all the databases.

What happened was, I was giving a talk in Vietnam. I was showing all those PoCs, and just the night before, what I did, I searched for all the banks in Vietnam that were vulnerable. I found that, okay, the Vietnamese banks were also vulnerable. I just told them that one of your Vietnamese banks might be vulnerable. I showed them that, and one of the friends sitting in the lobby started laughing: man, you helped my bank like that. And his CISO was also sitting right behind, and he was also asking what the request is, where we are vulnerable. This is just the request their CISO was asking for.

I'm not using this one, because after that they hacked my blog as well, because it wasn't renewed. I knew the blog was pending to buy, but I didn't have time, so I just left it there, and the next morning someone came to me and said, okay, your blog is hacked, someone has taken over your subdomain; no worries.

This is one of the public companies in the US that I was tasked to pentest, and there was no particular vulnerability reported on that particular application. What I did: I got very curious why no one was able to submit a vulnerability on this target. When I did it, it is an automated, AI-powered automated pentest platform of one of the public limited companies, and it's a firewall company. I got curious, and I found out they recently had an acquisition of one of the Israel-based companies. So I got curious: okay, let's test it. What this application was doing: it was just scanning the application and giving a video PoC of it. So what I did: this application was running on Google Cloud, so I just gave it the Google metadata URL. It accepted it and created a video PoC of that particular Google metadata. This is the 403 error I got, and you all know why this 403 is here, because Google Cloud accepts some headers as well to get validated. My thought was, how do I add those particular headers so that I get the full response from the PoC itself? All the vulnerability scanners have one thing in common: they have a custom header option in them. So what I did, I just set the custom header Metadata-Flavor of Google, and I was able to fetch their private API keys.

>> Nikhil, the time, just telling.

>> Yeah, no worries, I'll just push it up. Thank you.

>> You are open for questions. The time is running out, but if anybody has any question you can place them in the lobby, and then that can be taken with Nikhil and he can respond to them afterwards.

>> Sure, sure. Thank you so much.

>> Thanks for the presentation. Nice presentation, and good luck with your future curiosity.

>> Yeah. Thank you.

>> Thank you. Bye-bye.