Hey guys welcome to pratik tutorials, I am Aaditya and this is Pratik the host of the Youtube channel
and he is going to ask me some questions, now I will hand over to pratik
to start the conversation
How did you get started into Hacking?
Before couple of years, like around 2012 I was playing a contest on facebook
Now there was a specification in the contest that, like facebook app
Like you approve some OAuth based facebook app, it says it wants to read your data, contacts and all that
and then you approve it, and the OAuth redirects you to the site's page
In such contest, there was vote based system. Participants used to some some post, like photos and get votes
Like suppose increasing the likes, and in 2012 rarely someone on facebook even had 10 likes on their post.
[Aaditya]: Yes, not even 10 likes, as Facebook wasn't popular in India at that time.
[Pratik]: Right
[Aaditya]: These are poorly written, 3rd party contest applications, majorly written in PHP
In competition, generally the time limit is around 24 hours and you have to get maximum votes or like
in those given time. And in prizes you get phone, laptop or some good incentives.
[Pratik]: Can you please tell us, how much total prize you have won in contests?
[Aaditya]: A lot, When I used to play, at that time a lot like Autographed books, Cds, Cell phone like iPhone 6
[Pratik]: And I guess he has it's won phone
[Pratik]: In 2014 he won it, and now it's 2018 and he is still using the same phone.
[Aaditya]: It's like a sovenieur from contest.
[Aaditya]: When I was doing beginner level contest, I was just playing like any other players.
Like please like my post, vote me, etc. But generally when I used to see, few of the people were
who had 1-2 likes but in 30 minutes, they increased to 80-90 votes.
I was thinking like, how do these guys do that.
One day, there was a contest in which I put hardwork to gather 80-90 votes.
But what happened is, in last 5 minutes. I thought I would win.
The difference was 40 between me and 2nd last player.  But my entry got deleted.
I asked the admin, did you deleted my entry and why? The admin said we don't know, nothing is shown in the logs.
Like I had 90 votes before and now my entry has been deleted. What is happening?
After next minute, when I referesed page. 3 entries from 3 person were at 100, 200, 500 votes
It all happened in 5 minutes time gap
Like now I was curious that how all this thing happened
I asked 1 or 2 friends, like what is this all about
They told me, we shelled the website.
At that time, I didnt had any cyber security lingo
Like Shell means, webshell means?
Then, I started doing some research like what are all these things and
like what approoriate languages I need . That was my kick off
Like that gave me interest that these
people are doing hacking then they are doing for their personal benefits
The same thing if you do to help others or do some good work, then that should be more appropriate
[Pratik]: Alright, Is there any breakthrough moment in which you think it was the best moment
in 5-6 years of you being in IT Sec
[Aaditya]: My best moment, in Infosec is I found a bug in Brave Browser
Browsers like chrome, mozilla firefox
[Pratik]: I think, brave browser is a, like you can surf Tor based websites, right?
[Aaditya]: Yep, It's like a more privacy oriented browser
[Pratik]: And it is fastest browser, the Brave.
[Aaditya]: And that browser is a founded by Mozilla Firefox founder. He launched it
They claim that brave is a very secure browser
Like we have a bug bounty program, where you can show your exploits.
They were very privacy and like security concerned. [Pratik]: Concerned.
[Aaditya]:So that's cool, Brave is an awesome team to work with. A decent team
I found a bug in brave browser that, you can call it Address Bar Spoofing
Let's say you open facebook.com , then it will only open facebook.com
Nobody can fool you that it's something else
But, Address Bar Spoofing means if I provide my website's link
but in URL it will show facebook.com or whatever I want to show to you
Now, that's a grave problem as the content on site will be mines. but url indication will be spoofed including green padlock
They were like quite surprised and they provided me bounty
I also got assigned an CVE. It was my first CVE
It was CVE-2016-9473 and it was covered in news.
That was a good time
[Pratik]: Next, What is the evolution of hackers before and old style?
[Aaditya]: In old time, it was mainly focused on like web based technologies
Like if you had good hold of PHP,
Then you can find out bugs related to PHP based system
Now, as slowly time has progressed. Like web2.0,
Now, web is slowly getting ruled out.
It's still there, but it's like getting secured due to community awareness
Mobile apps,  if you can pentest. Android, ios, Unity based programs
That you can assess nowadays, now IOT based products are coming
Microcontrollers, Like you can hunt the firmware for bugs
So, if you want to move for Hardware pentesting it's a good future trend
and a new tech has appeared recently is Blockchain
There is a language called 'Solidity'
It is for Ethereum crypto currency. It's like 'Turning Complete'
Like you can run contracts on the blockchain.
There is a process to find bugs, like if you overtake a smart contract
then it has lots of funds in the contract. It's hard to track as well.
So, the generation of InfoSec threats and trends is slowly slowly progressing
[Pratik]: Is tracking bitcoin possible?
[Pratik]:Like as far as I know, FBI also says like they caught silk route owner
was seized by them as he used some public wifi
FBI said, it is hard to trace Bitcoin transactions
[Aaditya]: It depends on, how is using the cryptocurrency wallet.
Let's say if you are dumb, and if you have done multiple transaction from one wallet. Like you have published your public
or private key, wallet hash on your website.
Then using OSINT skills, you can figure out. Like even in dark web, if you post your information
and post real identity.
If you are using Bitcoin for ethical transactions, and safely then chances are less
[Pratik]: Hacking craze is increasing. What would you say for new InfoSec enthusiasts?
What they should keep in mind.
What they should focus most on?
[Aaditya]: Very good question, Like I meet a lot of new people
How do we hack this ? How to get into CTFs?
How to start Bug Bounty?
The thing is, there is a thin line between Ethical hacking and Black Hat
So those who are newcomers, have craze to hack all the things.
As we have knowledge of particular thing
Like let's say you know SQL Injection, then newbies will test on all the sites.
In parameters,
On website on which you don't even have the permission. There are occurances
that people are caught on testing on site they had no permission to pentest.
If you wisely utilize your skills and you keep your focus on good things
like stuff that you can use to help someone, ethical hacking or bug bounty to earn decent money
[Pratik]: And there is no need. Like you can test on localhost, Mr.Robot Vuln Hub, CTFs
Hack the box, and alot of website.
I will share the resource of Aaditya's in description. and he is also a blog writer. I will share it as well
You can enjoy his amazing content.
And Aaditya, tell me who inspired you in hacking? Who is your favorite?
[Aaditya]: My Favorite is George Hotz aka Geohot. He was the first person to do jailbreak on iPhone at that time.
Carrier tied iphones. He hacked sony playstation.
He was very talented, and he used to play one person guy in few CTFs
[Pratik]: Best thing about hacking and worst
[Aaditya]:Best thing is like you feel you can solve any of the problems.
You can become a good problem solver if you do cyber security.
Foremost, your logic would get sharp. Like how would you assess, or utilize
Worst thing is if you mess with site which you don't have permission to then it can destroy your whole career.
[Pratik]:What are your goals when it comes to Ethical Hacking and Cyber Security?
[Aaditya]:My short term goal is
like I currently focus on Reverse Engineering, like malware analysis
[Pratik]:Like this RE and malware analysis both field are damn awesome. In RE, you need pretty good hold of Assembly
and when you trying to crack the software and you make a keygen. The feeling is too awesome
It's low level based
If you do RE, then you dive into 32 bit (x86) assembly
64 bit, ARM.
[Pratik]: Is it hard to learn assembly ?
[Aaditya]: If you get the concept, like how registers work, memory management and if you have reversed basic programs.
[Pratik]:Alright, and any advise for new hackers?
[Aaditya]:The advice is be patience first of all. Like, if someone is doing bug bounty, then I should also start Bug hunting instantly does not apply.
If you do this, then you won't learn anything. Just take your time.
If your speciality is web, then start covering web concepts slowly. Do programming
Like if you directly jumping to something, then you are being a script kiddie.
That won't help you in future. It may fetch you 2-3 bug bounty but
in future those bugs may not work .
The logic will remain the same, but trend of languages would shift.
Like in Ruby based app, if sanitization is not covered, SQLi can happen.
[Pratik]:Like as new programming langauges are coming, those old bugs like OWASP Top-10 are getting lesser
Try Node.js , Mongo DB
And Kotlin, Web assembly
[Pratik]: Aaditya, Now tell me something about yourself?
I want to let you all know, that he is awarded by Prime Minister of India, Hon. Narendra Modi.
Now, tell me what was GCCS and what happened
What was the task scenario? When you received award, what did you talked with PM Modi and how was the moment?
[Aaditya]: Ok, another good question. GCCS is a conference, global conference on cyber space
It is hosted every year in different country. Australia, etc.
In 2017, India was hosting that.
In every major conference of cyber security, CTF is essential.
It's like a game kind of thing. Like if you go to conference, and don't like talks.
you go play ctfs, you can demonstrate your practical skills.
and you can get good prize money.
GCCS organized a CTF. It was an online ctf, the first round
It was qualifier round, it was open to all nations. There was no discrimination
Around 2000 teams played, there were about 30-40 challenges web, mobile, forensics, crypto, re, pwn
6-7 Categories which are there in all ctfs.
[Pratik]:Which category tasks you solved?
[Aaditya]:I generally solved web, crypto and mobile because I had team mates
Like the guy who was with me was Sanat. He is good at Binary Exploitation
Like we two and few more friends we solved all challenges in 15 hours out of 24 hour limit.
We were the first team to solve it. We finished 1st in Qualifiers
Then we were Invitied to Delhi from USA and hosted in Marriott. Digital India sponsored us
I got a call from them and they sponsored whole trip
In finals, you have to hack real world applications.  Scada based system, network based pentesting
[Pratik]: Like In network, you are given a test network and what stuff you can exploit
[Aaditya]:You are given few IP address and datasheet. There are flags at every path.
We ultimately won in International Category. We were super happy when the announcement came
We had to write a report. The weight of report was 50%
If you have technical skills, but if you can't demonstrate better in reports. Then it's not worth it
Like in real world, for example I Interned at Bishop Fox, in Arizona USA
It was a cyber security consultancy. Like you find bug in client products and write report, like bug bounty.
There is a standard of reports. Like you provide
Executive summary, Proof of concept, applicable devices, code, patch, additional reference links, image
We wrote a report of about 20 pages, I was jetlagged.  Still me and my colleague did it
Like due to good weight of report with the technical, we got first
and next day we had to meet Prime Minister, Ajit Doval sir, Srilanka's Prime Minister
It was a big event. On day 2 there was a conference by Ambani
Big shots from Microsoft, etc
We were assembled, and when we went to stage then I told 'How are you' (in regional prime minister's language)
and he responded, 'I am good' (In PM's regional language)
Then we collecte the prize, and it was like truly a greatest moment.
And in a country which Prime minister himself supports cyber security then it's a good progress
This has never happened before.
Like in future, I will be looking forward to such mega ctfs in India
[Pratik]:And any personal talk with Modi ji
[Aaditya]:No personal talks
[Pratik]:Offered any job?
[Aaditya]:It's confidential (chucks)
[Pratik]:Hacker keeps confidentiality. It was a joke though
