Hacker Story: remonsec


I am Mehedi Hasan Remon, aka, remonsec. I’ve spent 6 years in the infosec field. I also serve as a Brand Ambassador at HackerOne, and a Penetration Tester at Red Sentry. Today, I will share my hacking journey and how I started with zero technical knowledge! So let’s begin the story…

When it all started: 

When I turned 18, my uncle gave me a laptop for my birthday. That was the very first time I owned a computer. Before that, I rarely even touched one. Windows 8 was pre-installed, and I didn’t even know how to power off the computer from the menu.

At that time, I didn’t have an internet connection in my home, so I ended up not using my laptop at all. But one day, a college friend told me to try some games on it. He gave me a pen drive and told me to copy-paste the file and run that .exe file. I followed his steps and was finally able to make use of my computer, playing the game (Call of Duty) on it. Then, it became one of my favorite games.

I completed the whole game in a few days, and learned that there was a whole series of them. I wanted more. Somehow, I convinced my parents to get an internet connection. But after searching for that game I realized it cost money, and I couldn’t buy it. I didn’t know why, but after seeing that it cost money, I made a Google search that changed my life.

A whole new (hacking) world:

I searched ‘Call of duty free’ and ‘Call of duty crack’. I found many blackhat forums and websites offering the paid game for free. The users of those websites had names like Anonymous 'Anon' and others that were so cool to me. I did some research on those names and saw they were "Hacker team" names, or something like that. Without noticing, I opened the door to the hacking world and started looking for similar keywords.

After spending some days learning, I gained a basic understanding of the concept of Hacking, “BlackHat” hackers, “WhiteHat” hackers, and “GreyHat” hackers. I also learned about things like the “Dark Web”, “Surface Web”, and so on.

Learning how to hack

I loved learning about these new concepts, but they were all theoretical to me. I needed some practical knowledge. I wanted to know how I could start hacking myself. I began searching, but I used the wrong keywords and ended up wasting tons of my time on fake content.

I searched ‘How to hack Facebook’ and tried almost every video I saw on YouTube, from installing Kali Linux to sending a phishing link. While doing all those things I made some friends from social media who were also interested in hacking. We created something like a group and used it to share everything we learned. In that group, I learned some basic vulnerabilities like XSS, CSRF, etc.

Earn money hacking?

One morning, one of the group members reported a security issue and got $25 as a reward. I was like… seriously!? I couldn’t believe companies would pay people for hacking them. I was thrilled by the idea, so I asked him: “Isn’t it bad to hack into companies like that? Why does the company reward you for it?” Then, he explained the concept of BugBounty, and how it works. That was the very first time I heard about BugBounty and became almost obsessed with it.

The vulnerability he reported was not a big deal. It was just an SPF issue and the reward was a token of appreciation. At that time, I had no idea about those low-hanging or out-of-scope vulnerabilities. I took that vulnerability seriously and reported it on HackerOne bug bounty programs. You can say this was one of the big mistakes I made.

The Rollercoaster: Ups & Downs

This was how my HackerOne profile started, 3 years ago. I felt so sad seeing people get paid $700 for finding the same vulnerability I had already reported. I wasn't able to understand what was going on. For a moment, I thought: “it’s all ended here, it’s all over”.

But after a couple of days, while scrolling social media, I found a write-up Guide 001 by a Pakistani bug hunter. When I checked that write-up I realized I was moving in the wrong direction.

To become a white-hat hacker, first of all, I have to think like a hacker. A good hacker never cries over failed attempts. He uses it as a way of developing the next attack. That write-up covered pretty much all the basics, so I took that seriously and studied it as deeply as I could. After a couple of weeks I started looking for bugs again. And this time I started finding valid security issues!

I found them with my basic recon understanding, nothing special. But as a total beginner, it was a big deal for me. I became so motivated and continued with full energy. After spending several more weeks focused on this, I realized it was not working well again, because most of my findings got closed as duplicative or informative. Basically, anyone could find them, or they weren’t impactful enough. But I wanted to be an amazing hacker, not a loser! I was stuck again, and couldn’t figure out why…

The final answer

While scrolling Twitter I saw a book called ‘BugBounty Playbook v1 & v2’ that was trending. I ordered one for myself to see what it offered. I took notes on every chapter, practiced while learning, and it worked so well for me.

That book solved my problems with real-world scenarios. I knew about the basic vulnerabilities, but I didn’t know where to look and how to approach them. Then, after completing that book and deepening my understanding, I was able to approach vulnerabilities differently and started getting many that others missed. I narrowed my focus to recon and finally felt I was doing it right. Then it was just a matter of time. So I practiced, observed, tried, and repeated. Again and again...

And that’s how I got to where I am today, working day-in and day-out with the Red Sentry team, helping do some of the industry's best penetration testing, while continuing to learn more each day. Keeping companies protected, and doing what I love. 

I will not push this post any longer, as it’s already a pretty long read I guess. So in closing, here is some of my advice for beginners!

Hacks for beginners:

  • Don’t escape the basics; your future depends on them.
  • Instead of following others’ ways of doing things, try to figure out your hacker's way.
  • Get yourself involved with the hacker community. What you alone can’t do, a community can.
  • Before hacking, build a hacker mindset. If you can’t think like a hacker, you can’t hack like a hacker.
  • Programming knowledge will give you an extra advantage over the people who don’t know.
  • When you see yourself in a position to help, please do. Hacking is an open-source community, and we can only succeed together.

Thanks for taking the time to read this, and tune in soon to hear from the next “Hacker Hero”!