Meet our CTF master – Chamli

07/05/19
Interviews
Meet our CTF master – Chamli

1. Hello! Tell us a bit about yourself and how you started hacking

I’m Mohamed Chamli, security analyst at Yogosha, where I create and manage the selection process.

I learned hacking by myself 7 or 8 years ago. After studying software engineering at university, I started learning and coding tools. I became a Bug Hunter and found critical vulnerabilities for companies such as Paypal, Google, Kaspersky, Mozilla… I also frequently participate in many CTFs with my teams (my current team is DCUA ).

2. Which steps do you follow when you create tasks for the CTF?

When I create a new CTF, I always try to think like a hacker, and I develop different plans for each task.

I start by coding tasks and preparing the environment and the CTF platform. Then, I deploy tasks on different servers and Dockerize them. I prepare exploits for each task and test all steps before running the CTF. Finally, I create hunters accounts.

3. Where do you find inspiration for your challenges?

I get my inspiration from many CTFs and bug bounty programs I participate in. I try to create new and funny challenges based on latest CVEs or bugs. My goal is to encourage hackers to learn new techniques and to challenge their abilities. I also read write ups about bugs, or check public reports on bug bounty platforms.

4. How do you secure the challenges infrastructures?

Securing challenges is the hardest part. When you play with hackers, you have to think about every possibility of how they could hack your platform or tasks 😉 I make sure that both the platform and the challenges are secured so that hackers don’t spend time trying to break into the platform ; the CTF’s purpose is to test hackers on specific challenges.

5. How do you manage Yogosha’s challenge?

Before launching a CTF, I code my own solution (exploit). During the challenge, I always check the status of each task, and I try to help hunters by adding hints and answering their questions by email.

6. Do you participate in CTFs?

I love CTFs ! I have participated in more than 50 CTFs (local and remote). Here are my favorite ones :

7. Which types of CTFs do you enjoy most?

My favorite type of CTF is Attack-Defence, but it’s quite rare. I think it’s more exciting and challenging because each team has its own servers and vulnerable services. They have to attack each other’s apps while protecting their own from being hacked. I also enjoy playing jeopardy CTF. (jeopardy CTF is a kind of CTF where you just have URLs to test and no access to servers).

8. What was your best and worst CTF?

My best CTF was when my team qualified to play in the CSAW finals. We missed our flight for Dubai and had to wait for the next day to take a plane. We didn’t get any sleep, and one of our team members was missing – I know it doesn’t look like a great experience for now. When we finally arrived in Dubai, we started playing right away. We began by the most difficult task, and received the first blood. This encouraged us to continue, even though we had to take turns to sleep to survive this challenge ! In the end, we won this competition, and were really thrilled about it.

As for my worst CTF, it was a local CTF in my country. We had almost solved all tasks and were ranking first. During the final hour, we realized that some teams had collaborate and share flags (which is forbidden), without leaving any proof. The organizers didn’t tell us that the flags were fixed, so we lost a lot of time trying to win something that was already won. In the end, the team who cheated stole the 1st place. It’s really frustrating to work so hard and to experience cheating like this.

9. Which advice would you give to someone who wants to start Bug Hunting?

If you want to become a bug hunter, you have to learn basics that will help you understand how each application works. If you want to go further, you can learn a useful programming language that you can use to automate your POC.

Reading and understanding other hackers write ups is also very helpful. When you start Bug Hunting, try working on small programs to find your first bug faster and keep your motivation.

10. Do you have any useful websites to learn and train?

Here is a list a cool websites to learn & train :

Find Chamli on :

Twitter
Github

kliagre

kliagre

About Yogosha

Yogosha is the first private Bug Bounty platform in Europe, helping organizations to detect and fix vulnerabilities before criminals exploit them. Yogosha’s clients benefit from an international elite of ethical hackers ; only 25% of aspiring Yogosha security researchers manage to pass the selection process and join the platform.

Find all of our resources here

Follow Us

Other Articles

07/05/19

Meet our hackers – MPGN

1. Hi. Tell us about yourself and how you started hacking I'm Martial Puygrenier, 25 years old. I…

Read More
07/05/19

Meet our hackers – Yann Cam

1. Hello Yann. Tell us about yourself, and how you first started hacking. Hi Elodie ! Well when…

Read More
07/05/19

Meet our hackers – Intruderx

1. Who is Intruderx ? I’m Indrajith AN, a 25 years old security enthusiast from Bangalore, India. I’m working…

Read More

Contact us and we will reach out to schedule a demo

Contact us and we will get back to you shortly