1. Hi. Tell us about yourself and how you started hacking
I’m Martial Puygrenier, 25 years old. I have a Master’s in Cryptology and IT Security (Bordeaux) and I’m currently working as a security consultant in Paris.
When I was young, I used to play Newbie Contest with my brother. I didn’t associate this activity with hacking back then; for me, it was about solving challenges and reading the clues left by “CommComm” on the forum.
At university, one of my teachers asked my class to do some Root-me challenges to improve our skills in exploitation (App-System). But I was more interested in solving web challenges; it felt like playing a game where I knew I couldn’t win if I didn’t find flaws in the rules. Challenges aren’t about getting the flag, but more about understanding the game’s rules, to find vulnerabilities and exploit them.
Later, I found an internship as a pentester and loved it. Today, I’m still a pentester, learning new tricks and techniques every day.
2. As a hunter, how do you motivate yourself when you don’t find anything?
Talking to more experienced hunters is very helpful. They can give you new ideas to help you achieve your goals, which is why having good relationships with other hackers is very important to progress.
But most of the time, you are alone with your computer and talking to someone isn’t always possible. When I’m stuck, I always use the three W rules of my big brother:
- What do you have?
- What do you want?
- What do you know?
I believe a good hunter knows how to put pieces together.
3. How did you get interested in writing fully automated tools for CVEs?
Writing PoCs is a good way to have an in-depth understanding of the vulnerability. When you reproduce a vulnerability, you realize that it can be a bit more complex to get a reverse shell or a reflected command injection rather than a calc. I started to write tools for myself, and to publish some of them on my GitHub.
4. Which programming language do you prefer to write CVE exploit tools in?
I like coding in Python3, but I started to enjoy writing some exploits in Ruby. I use the language best suited to the exploit. For example, exploiting a CVE on Ruby on Rails is much simpler in Ruby since you can quickly import Rails and call the appropriate functions.
5. How do you stay tuned with all security news & new CVEs?
It really depends on what you are looking for I guess, but I use Twitter, which acts as an RSS newsfeed for me. Twitter’s search bar is a great way to stay informed about the latest important CVEs or exploits.
For example, you can use the keywords “exploit cve”, “_vendor_ RCE”, etc. I highly recommend a custom feed like TweetDeck. You can set up several custom search panels and just wait for something interesting.
6. What are your favorite vulnerabilities?
Some vulnerabilities are more interesting to exploit than others. I really like Server Side Template Injection (SSTI) or vulnerabilities that can be chained together to lead to a critical vulnerability. I also like vulnerabilities that don’t require any technical skills. For example, an API with bad access control can be very critical and easy to exploit.
It is a quick win for a maximum bonus.
7. What was the most interesting CVE or bug you wrote?
During my master’s degree, I studied the POODLE vulnerability (CVE-2014-3566), which was my favorite CVE. This vulnerability affects the SSLv3 protocol and sometimes TLSv1.0 and allows an attacker to decrypt one byte of data from an encrypted request (with the SSLv3 protocol and a CBC cipher) using a padding oracle attack. By weaponizing the exploit, an attacker can decrypt all the data in plaintext. But this attack needs a very large number of requests sent by the client to work and therefore is practically unworkable in real life. I love it because this vulnerability mixes cryptography, network, algorithm, Cross-Site Scripting and ARP spoofing concepts. Last year I refactored my previous code (a simple PoC) in Python3 to build a full exploit, an important achievement which led me to study more and more CVEs.
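The padding oracle mentioned above comes from how SSLv3 validates CBC record padding. The following is an added example (not Martial’s code nor any library’s) that places the SSLv3 record check next to the TLS 1.0 check on constructed, already-decrypted records: SSLv3 accepts a final block of garbage as long as its last byte is a plausible padding length, which is exactly what gives a server-side accept/reject oracle and why disabling SSLv3 is the fix.

```python
"""Why SSLv3 CBC records leak a padding oracle and TLS 1.0 records do not.

Both checks take an already-decrypted record laid out as
    data || MAC || padding || padding-length byte
and return the length of the application data, or None when the record
must be rejected. Records below are constructed for the demo, not real TLS.
"""
from typing import Callable, Optional

BLOCK = 16    # AES block size
MAC_LEN = 20  # HMAC-SHA1 length, as used by the SSLv3/TLS 1.0 CBC suites


def sslv3_unpad(decrypted: bytes) -> Optional[int]:
    """SSLv3 only requires the padding-length byte to be below the block size.
    The padding bytes themselves are never inspected, so a whole block of
    garbage whose last byte happens to decrypt to 15 is accepted."""
    if not decrypted or len(decrypted) % BLOCK:
        return None
    padlen = decrypted[-1]
    if padlen >= BLOCK or padlen + 1 + MAC_LEN > len(decrypted):
        return None
    return len(decrypted) - padlen - 1 - MAC_LEN


def tls10_unpad(decrypted: bytes) -> Optional[int]:
    """TLS 1.0 additionally requires every padding byte to equal padlen,
    so a garbage block is rejected unless all of it matches."""
    if not decrypted or len(decrypted) % BLOCK:
        return None
    padlen = decrypted[-1]
    if padlen + 1 + MAC_LEN > len(decrypted):
        return None
    if any(b != padlen for b in decrypted[-padlen - 1:-1]):
        return None
    return len(decrypted) - padlen - 1 - MAC_LEN


def count_accepted(unpad: Callable[[bytes], Optional[int]]) -> int:
    """Sweep all 256 values of the final byte of a constructed record whose
    last block is 15 bytes of filler (0x41) plus the candidate length byte.
    The two blocks of zeros stand in for the decrypted data and MAC."""
    filler = bytes(2 * BLOCK) + b"\x41" * (BLOCK - 1)
    return sum(1 for last in range(256) if unpad(filler + bytes([last])) is not None)


if __name__ == "__main__":
    # SSLv3 accepts 16 of 256 garbage blocks, TLS 1.0 accepts only padlen == 0
    print("SSLv3 accepted:", count_accepted(sslv3_unpad))
    print("TLS1.0 accepted:", count_accepted(tls10_unpad))
```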
Find Martial on:
Thanks to Martial for this interview, and don’t hesitate to contact Yogosha if you have any questions about our bug bounty platform or our community of hackers.