Clever Title Goes Here

Security educator, researcher, and developer

Read this first

CTF Design 101

I’m frequently asked how I go about building a successful CTF and while I’ve tried to answer this in the past (generally on Twitter), I’ve never actually gone in-depth on it. So today we’re going to talk about what makes a CTF successful.

A word of warning: I’m writing this entirely from my own experience as a CTF builder, not as much of a CTF player. While I’ve participated in a couple over the years, I’m actually quite bad at them in most cases and need significantly more practice (… and free time) to change that. Additionally, I’m only going to be talking about “jeopardy-style” CTFs (a term I absolutely despise!) wherein tasks are laid out and the players win by completing those tasks. With that warning out of the way…

So You Want To Build A CTF

Before you write a single line of code or start designing challenges, you need to ask yourself one question: when the players are done...



Bounty Progress - September 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • (ACHIEVED!) At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Update

I’ve really had a hard time with this lately. I burnt out pretty bad in May and took some time off from bug bounty and didn’t really get started again until hacker summer camp, back in August. I’ll try to update more frequently.

Goal Health

Current total earnings for the year: $48679

This is 97.358% of my goal for the year. By the end of September I should be at $37500 to be on track, putting me $11179 ahead as of 2019-09-21.

Lifetime Stats

  • 29 bounties paid
  • 6 bonuses paid
  • $59641 total earned
  • $1970 average bounty

Bugs

  • CRITICAL Discovered 2019-08, Paid 2019-09 by Verizon Media –...



SupercellNX #0

For the past few years, I’ve been working on an intermittent research project. My hypothesis is this: it’s possible to create a CPU description from which you can generate disassemblers, decompilers, interpreters, recompilers, and more. A single CPU description could be used for any number of independent projects, without all the bullshit that typically comes with working with machine code; you just get to write the part that makes your project different.

I started off with extremely high-level, generic code (something usable by many different architectures), and eventually decided to specialize things. The first fruits of this were a fork of the Beetle/Mednafen PSX core from Retroarch, which autogenerated an interpreter and recompiler (using libjit) from a single file description of the MIPS core. This used LLVM Tablegen with a custom language embedded within it, and a giant (very...



My Journey to Now

I’ve been asked by many people how I got to where I am today. I’ve given the tl;dr version for years and have meant to write the long version for a while. This will include a lot of details that aren’t just about my tech experience, because they shaped me in ways more fundamental than, say, learning C++ did. If you only want to know my tech journey, the first section will cover that.

Small warning: I try to be as accurate as I can with when things happened but, well, it’s been a long time now. I’ll do my best to be truthful and accurate despite that!

TW for those who want it: mental illness, self-harm, drug use.

TL;DR

I grew up in a household that always had a computer, so they were always around. In kindergarten there was an Apple //e and I started learning BASIC, thanks to a book discovered in the library. I spent years writing apps in Apple BASIC and later QBASIC on my DOS PC at...



Bounty Progress - April 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Goal Health

Current total earnings for the year: $25329

This is 50.65% of my goal for the year. By the end of April I should be at $16666 to be on track, putting me $8663 ahead as of 2019-04-30.

Lifetime Stats

  • 22 bounties paid
  • 2 bonuses paid
  • $36291 total earned
  • $1533 average bounty

Bugs

  • CRITICAL Discovered 2019-03-17, Paid 2019-04-01 by private – $3000
  • CRITICAL Discovered 2019-03-17, Paid 2019-04-01 by private – $3000
  • CRITICAL Discovered 2019-04-13, Paid 2019-04-18 by private – $2200 (Plus $300 for the original bug, rated medium)
  • CRITICAL Discovered 2019-04-07, Paid 2019-04-03 by undisclosed –...



Hackprenticeship Alpha

Read this first: Applications for this trial run of the Hackprenticeship are closed. 365 folks applied and only 1 can get in, so no further applications will be accepted. (Please don’t email/tweet/carrier pigeon at me asking about an exception; I’ve received so many of those already!)

Who Am I

I’m Cody Brocious (@daeken), an experienced hacker, developer, and educator. My work in security ranges from console hacking, to hotel locks, to web apps, and everything in between. A small selection of my work:

  • Hotel lock hack affecting 4-10 million locks
  • Emulator for reverse-engineering the Nintendo Switch
  • Online class in security

I head up hacker education for HackerOne, but this is not a HackerOne initiative. This is just you and I!

Goal and Process

I want to find a hacker who is interested in learning the bug bounty ropes, who will work beside me for 6 months. For the first 3...



Bounty Progress - March 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Goal Health

Current total earnings for the year: $13179

This is 26.35% of my goal for the year. By the end of March I should be at $12500 to be on track, putting me $679 ahead as of 2019-03-26.

Lifetime Stats

  • 19 bounties paid
  • $24141 total earned
  • $1270 average bounty

Bugs

  • HIGH Discovered 2018-11-29, Paid 2019-03-03 by private – $667 (total $3000 bounty, shared with two other researchers; $1000 paid previously)
  • LOW Discovered 2019-03-06, Paid 2019-03-11 by private – $100
  • HIGH Discovered 2019-03-07, Paid 2019-03-11 by private – $1500
  • CRITICAL Discovered 2019-03-17, Unpaid by private
  • CRITICAL...



Bounty Progress - January/February 2019

I have a few goals for my bug bounty work in 2019:

  • $50k in total bounties/bonuses
  • At least one $5k bounty (for reference, current best is $4802)
  • At least half my reports rated high/critical (CVSS 7+)
  • Blog about my progress monthly, with a continuously updated entry for each month

Obviously on this last point I’ve failed so far, so this first blog will cover the first two months of the year. I’ll update this one with any further bugs I find.

Additionally, I’m going to list bugs that were discovered in 2018 but weren’t paid until this year, because … $50k is a lot of money, and I need the help!

Goal Health

Current total earnings for the year: $9862

This is 19.7% of my goal for the year. By the end of February I should be at $8333 to be on track, putting me $1529 ahead as of 2019-02-25.

Bugs

  • HIGH Discovered 2018-11-24, Paid 2019-01-02 by private – $3362
  • CRITICAL Discovered...



Hacker101 CTF Architecture

Introduction

The Hacker101 CTF has been up for about two and a half months now, with thousands of users finding tens of thousands of flags. It has been working beautifully – after a few rough days at the beginning – with hundreds of simultaneous instances running in parallel. Getting there, though, was an adventure.

Structure

The CTF is built with five notable pieces:

  • Messaging protocol
  • Web frontend
  • Manager
  • Runners
  • Database – This is just Postgres
  • Levels – These are individual Docker images, completely self-contained and having their own web server

One overall note: every part of this system is built in Python, with the exception of some levels. Much <3 for Python.

Messaging protocol

I built a custom messaging protocol for this, as I had really specific goals in mind for it. In all likelihood, there is something off-the-shelf that would do what I wanted, but this was...



Nintendo Switch nvservices Info Leak

In this post I’m going to discuss a Nintendo Switch bug I submitted to the Nintendo bug bounty program a few months ago, which they fixed recently (in 6.0, I believe, though I haven’t tested this myself).

Background

The Switch runs on a custom OS called Horizon. It’s a really sleek, simple microkernel, and because of that, the majority of key functionality that would normally be in the kernel is actually in a userland service. To communicate between services or from an app/game to services, you use IPC: Get a handle to a service (by an <=8 character name, e.g. ‘ssl’), then send messages to it. Each message consists of some amount of data and some number of objects, which are typically kernel objects. Kernel objects are things like transfer memory, shared memory, event handles, etc. The details here aren’t important, with one exception: transfer memory.

Transfer memory is a...
