Dear Diary…(This is the last time I swear!)
So I really wanted to make sure and update more than once every two weeks. You, dear reader, part of my large and adoring audience, deserve better! Really what I should do is just backdate this. Then if I ever do have an audience and they decide to peruse my back catalog, they would never know the ugly truth. Such power at my fingertips. I can shape the past from the future. Is this what it feels like to be God?
Anyway, so yeah, uhm, I am still bugless (big surprise), but there are a few interesting things to report. On the Synack platform they have ‘Missions’, which are site-specific tasks that pay you a bit of money when you perform them and turn in a report. Things like testing that verbose error messages aren’t displayed on site X, et cetera. The prospect of being able to earn a few bucks even if I couldn’t find a bug was one of the reasons I thought it would be cool to be on SRT in the first place. I quickly learned, however, that no such opportunities were ever going to be available to me, as it was pretty obvious people had written automated scripts to grab all the missions as soon as they were posted. Sadly, since I had never even seen one, I couldn’t birth my own bot and lovingly nurture it (read: pump it full of hate and growth hormones) and have it do battle with the other artificial lifeforms in the hopes of putting dinner on my table, as I had no idea what the checkout flow was. (I thought about making a bot that just randomly clicked buttons all over the website until I got lucky, but figured that wouldn’t go over well.) Well, maybe they changed something, I don’t know, because a bunch of missions popped up one day while I was working on a target. I think I did about 6 or so in total, for somewhere around $150. My first money on the platform! I won’t think about what that averages out to over 16+ months of ‘employment’, but it still felt pretty cool, as technically I can now say I am a professional hacker ;) Your boy also saved all the requests so I can now write my own bot should I choose.
Also, I submitted a vulnerability! You’d think I would have led with that, but given I didn’t write anything for two weeks I’m sure you would have figured out immediately that meant it was rejected. I expected it was going to be, I was honestly kind of embarrassed to even submit it, but I figured I’d take a flyer because what did I have to lose? It was on the same site I talked about last time that was chock full of vulns, but that I was late to the party on. There was a feature where you could request to add a contact by their email address, and the response let you know if the user was a member of the site or not, which meant you could use it to enumerate users. I knew that was a low-impact vuln and wouldn’t be accepted, but if the user was a member it also gave you their first and last name regardless of whether or not they accepted your request. While I don’t know if technically that is even considered a vulnerability, it certainly isn’t something any site should be doing (let alone a .gov one), so I thought maybe the combination of the two meant there was a slightly larger than 0% chance I’d get lucky. Alas, I did not.
The last week I didn’t do much on the platform as I was working on other projects. I really would like to be able to just divide my day up better and be able to work on multiple different things throughout the day, but I just can’t seem to operate that way. My mind gets stuck on one thing and when it comes time to stop and start doing something else, I either have completely lost track of time and it’s well past that point, or I am unwilling to lay down what I’m doing because I’m too focused on it. I hate how feast or famine my ADHD brain is. The plan is to spend more time on the platform this week and work more on thinking about what to key in on in my quest for a bug. See you in a couple weeks! (That’s a joke. Unless it isn’t. Only the future knows. Unless I change it.)