Profile of a Hacker
Matthew Thurber
Winner of CMD+CTRL Cyber Range for Hack Through the Holidays
As part of our recent Hack Through the Holidays event, we interviewed some of the top performers on our CMD+CTRL Cyber Range.
The world of security testing and hacking can often be intimidating to break in to, so we’re hoping the shared experiences of these top performers encourages others to learn more!
We highlight Matthew Thurber (aka Lamp) below. Matthew is a professional penetration tester who also volunteers on the side to test the Flash MMO AdventureQuest Worlds. Lamp was the first person to solve ALL 48 of our ShadowBank challenges with a perfect score of 11,020. Lamp also provides one of the best concise definitions of the hacker mindset we’ve seen; “a curiosity and desire to tinker.” Great job Lamp!
SI: How did you get into security testing?
Lamp: When I was around 13 or so I stumbled my way to HackThisSite. I started off as a total skid, but within a few years, I was developing missions for them. Since then I knew I wanted to make a career out of it.
SI: What is the most interesting exploit, vulnerability, or finding that you’ve discovered (and are willing to share)?
Lamp: The security team I led for AdventureQuest worlds found a really neat exploit involving the game's authentication system and how it was handled across the game's multiple servers. This ultimately led to us being able to generate massive amounts of their in-game micro-currency.
Another favorite of mine involved abusing HTML injection where only double quotes weren't filtered to hijack a META tag to set a cookie. The cookie value was used in page source, unfiltered, all around the site. To get a payload into the cookie without any particularly dangerous characters besides double quotes, I had to double encode the payload which was then decoded when being stored in the cookie and a second time when being written from the cookie to page source. This allowed me to abuse cookie-based XSS to inject a persistent JS keylogger directly into the target's cache. Until they cleared their cache, this keylogger would silently run on any page on that domain which wrote out the cookie value (which was most pages).
(SI Note: This is amazingly cool, but takes years of experience to understand, never mind exploit. Don’t worry n00bs, you’ll get there!)
SI: It can be difficult to build up the knowledge and skills needed to become a good hacker. How did you learn these skills?
Lamp: After finding HackThisSite, I spent the next few years actively seeking out mentors on their IRC chat and learned a lot. The rest was mostly self-taught over the following years.
SI: What recommendations would you have for others that are interested in learning more about security and hacking?
Lamp: I would say that it's more important to cultivate a hacker mindset than simply seeking out knowledge. While knowledge is important, ultimately all that knowledge exists because of the hacker mindset: people's curiosity and desire to tinker. Once you have that mindset, the rest comes more naturally.
SI: Other than Cyber Ranges like CMD+CTRL, what tools would you recommend to others looking to extend their skill sets?
Lamp: As mentioned earlier, HackThisSite was a good starting place for me, but it isn't as active anymore. The main thing I got from HTS, though, was the community to help me learn and I'm sure similar communities are still out there nowadays if you look.
SI: What were the main factors that drove you to become a top scorer in the CMD+CTRL Cyber Range?
Lamp: I wanted to rep my appsec team at work and flex a little for fun. I honestly didn't know anything would come out of winning; I just wanted to hack for myself mostly.
SI: What other guidance would you give to people interested in building their hacking skills?
Lamp: Try to accumulate as much general knowledge as possible instead of simply specializing. While having something you are particularly good at is fine, often times having broad knowledge and the ability to daisy chain that knowledge and combine disparate ideas can be very useful.
*SI Note: There is lots of great cybersecurity info out there. You can start with our blog here: Security Innovation Blog
You can subscribe to our monthly blog updates at the top of this page.
We also highly recommend our webinar, BrightTalk channel as well for valuable information.
You can find it here: Security Innovation BrightTalk Channel
And Our YouTube Channel Here: Security Innovation You Tube Channel