1. Hello! Tell us a bit about yourself and how you started hacking
I’m Mohamed Chamli, security analyst at Yogosha, where I create and manage the selection process.
I learned hacking by myself 7 or 8 years ago. After studying software engineering at university, I started learning and coding tools. I became a Bug Hunter and found critical vulnerabilities for companies such as Paypal, Google, Kaspersky, Mozilla… I also frequently participate in many CTFs with my teams (my current team is DCUA ).
2. Which steps do you follow when you create tasks for the CTF?
When I create a new CTF, I always try to think like a hacker, and I develop different plans for each task.
I start by coding tasks and preparing the environment and the CTF platform. Then, I deploy tasks on different servers and Dockerize them. I prepare exploits for each task and test all steps before running the CTF. Finally, I create hunters accounts.
3. Where do you find inspiration for your challenges?
I get my inspiration from many CTFs and bug bounty programs I participate in. I try to create new and funny challenges based on latest CVEs or bugs. My goal is to encourage hackers to learn new techniques and to challenge their abilities. I also read write ups about bugs, or check public reports on bug bounty platforms.
4. How do you secure the challenges infrastructures?
Securing challenges is the hardest part. When you play with hackers, you have to think about every possibility of how they could hack your platform or tasks 😉 I make sure that both the platform and the challenges are secured so that hackers don’t spend time trying to break into the platform ; the CTF’s purpose is to test hackers on specific challenges.
5. How do you manage Yogosha’s challenge?
Before launching a CTF, I code my own solution (exploit). During the challenge, I always check the status of each task, and I try to help hunters by adding hints and answering their questions by email.
6. Do you participate in CTFs?
I love CTFs ! I have participated in more than 50 CTFs (local and remote). Here are my favorite ones :
7. Which types of CTFs do you enjoy most?
My favorite type of CTF is Attack-Defence, but it’s quite rare. I think it’s more exciting and challenging because each team has its own servers and vulnerable services. They have to attack each other’s apps while protecting their own from being hacked. I also enjoy playing jeopardy CTF. (jeopardy CTF is a kind of CTF where you just have URLs to test and no access to servers).
8. What was your best and worst CTF?
My best CTF was when my team qualified to play in the CSAW finals. We missed our flight for Dubai and had to wait for the next day to take a plane. We didn’t get any sleep, and one of our team members was missing – I know it doesn’t look like a great experience for now. When we finally arrived in Dubai, we started playing right away. We began by the most difficult task, and received the first blood. This encouraged us to continue, even though we had to take turns to sleep to survive this challenge ! In the end, we won this competition, and were really thrilled about it.
As for my worst CTF, it was a local CTF in my country. We had almost solved all tasks and were ranking first. During the final hour, we realized that some teams had collaborate and share flags (which is forbidden), without leaving any proof. The organizers didn’t tell us that the flags were fixed, so we lost a lot of time trying to win something that was already won. In the end, the team who cheated stole the 1st place. It’s really frustrating to work so hard and to experience cheating like this.
9. Which advice would you give to someone who wants to start Bug Hunting?
If you want to become a bug hunter, you have to learn basics that will help you understand how each application works. If you want to go further, you can learn a useful programming language that you can use to automate your POC.
Reading and understanding other hackers write ups is also very helpful. When you start Bug Hunting, try working on small programs to find your first bug faster and keep your motivation.
10. Do you have any useful websites to learn and train?
Here is a list a cool websites to learn & train :
- Hack The Box :: Penetration Testing Labs
- Root Me : Hacking and Information Security learning platform
- Community-Made Hacker Challenges
Find Chamli on :