[HackerNote Ep.125] How to Win Live Hacking Events
We've got some fresh research and Justin's guide on how to succeed at live hacking events. We cover pre-event preparations, the challenges of collaboration, on-site strategies, and the importance of maintaining a healthy mindset throughout the entire process.
Hacker TL;DR
Double Clickjacking POC: This research from Jorian leverages browser APIs (`window.open`, `moveTo`), pop-unders, and a fake Google Sign-In prompt to invisibly chase a user's cursor and steal a critical click, leading to full Account Takeover (ATO). Check out the full writeup here: jorianwoltjer.com/blog/p/hacking/ultimate-doubleclickjacking-poc
Grafana CVE-2025-4123: Another great writeup in Grafana with two findings - an open redirect chained with the `/render` endpoint in Grafana, allowing full SSRF, and a chain abusing client-side path traversal to account takeover via XSS. Some neat ones from this post:
Path Mismatch for Open Redirect: Exploited a path mismatch between `opt.FileSystem.Open()` (treating `?` and `\` as chars) and `http.Redirect()` (stopping at `?`), yielding open redirects via paths like `/public/../\attacker.com/?/...`.
SSRF via `/render` Endpoint: Leveraging the `/render` endpoint's screenshot functionality by smuggling a path with the open redirect (`/render/public/..%252f%255C127.0.0.1:1234%252f%253F%252f..%252f..`) allowed a full SSRF.
Full post here: https://nightbloodz.github.io/grafana-CVE-2025-4123/
Evan Connelly - What I learned from my first 100 HackerOne Reports: Evan Connelly dropped a data-driven blog post from his first 100 HackerOne reports, offering valuable lessons for both new and experienced hackers. Check out the full write-up here: https://evanconnelly.com/post/my-first-100-hackerone-reports/
How to win at live hacking events: Justin dropped a gold mine of tips for every single step of an LHE straight from his playbook. We simply can’t fit them all in here, but here’s a taste:
Dupe Window Strategy: Decide your collaboration approach (solo or diverse skillset partnership) carefully during this period, as rewards for duplicate findings will be split among all discovering hunters.
Pre-Event Lock-in: Secure personal time commitments and clear pending tasks before the event to minimise interruptions and ensure dedicated focus.
Target Niche Tier 0: During the scope call, prioritise Tier 0 functionalities with lower anticipated interest from other hunters to maximise unique critical findings and reduce duplication.
Combat Burnout & Distractions: Actively ignore leaderboards and chat noise, and schedule regular breaks (e.g., long walks, workouts) to prevent burnout and maintain sustained focus.
Go Deep on Targets: Strive to become an "unofficial extension of the dev team" by covering all core application functionality, analysing JavaScript, configuring all areas and peeling back every single area of the application.
Expand to Peripherals: Once core assets are exhausted and you’ve spent 3x your normal time and attack vectors on a target, pivot to peripheral assets (SDKs, legacy environments, APIs), as they often expose significant and overlooked attack surfaces.
And a whole lot more below. Be sure to check it out for Justin’s guide to LHEs!
Double Clickjacking POC
Jorian is back with more top-notch research. This time we’ve got a double clickjacking POC, with the technique using a bunch of fairly boring browser APIs (`window.open`, `moveTo`), pop-unders, and a quick Google Sign-In prompt, resulting in a misclick and a full ATO.
Think of it as clickjacking on steroids: the target window invisibly chases the user’s cursor, waits until the perfect moment, then steals the click.
A TL;DR of exactly how this is achieved:
Step | Action | Why |
---|---|---|
1. Pop-under in the background | A tiny popup is opened, then Chrome’s focus is yanked back to the main tab with a Google-Identity “Sign in” prompt. Result: the popup is now sitting behind the page, ready for abuse. | Gives you a same-tab experience - no obvious extra windows - plus a live |
2. Cursor-tracking window | While the user is still on your page, you call | The victim keeps interacting with your page, but the real target site is following their cursor in the shadows. |
3. Fake Cloudflare ‘checking your browser’ screen | A clone of Cloudflare’s Turnstile forces the victim to click a checkbox (‘I’m human’). That click supplies the user activation needed to launch everything else. | Nobody questions captchas anymore; it’s the most low-friction way to farm a click. |
4. Getting your reference back | After your page navigates somewhere else (e.g., a Flappy Bird mini-game), you reopen the same-named popup via | You recover control of the hidden pop-up without raising the browser’s ‘blocked-popup’ UI. |
5. The Flappy-Bird phase | A rigged level forces the player to hammer the mouse in a fixed spot. At the critical moment you bring the popup to the front - under the cursor - so the next click lands on the target site’s ‘Authorize’, ‘Accept’, or whatever. | It’s effectively a guaranteed click on a sensitive button. GitLab OAuth “Authorize” was the demo, but pick your poison. |
It was a pretty cool writeup; the full research and POCs can be found below:
Grafana CVE-2025-4123
Some great research from Alvardo Balda, with thorough code review and breakdowns leading to a full-read SSRF and a post-auth XSS → account takeover, all thanks to a handful of path-traversal quirks on both the server and client sides.
The research first started with the identification of an open redirect, abusing a path mismatch between two different calls: `opt.FileSystem.Open()` treats `?` and `\` as plain chars, whereas `http.Redirect()` stops at `?` and normalises `//` or `/\` to ‘protocol-relative’ URLs.
This allowed an open redirect via `/public/../\attacker.com/?/../../../..`: `Open()` collapses it to a legit directory, then the redirect runs and emits `302 Location: /\attacker.com/...`
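To make the mismatch concrete, here is an added Go example (not code from the original blog or from Grafana) that feeds the writeup's redirect payload to the two behaviours being contrasted: `path.Clean`, standing in for what a filesystem `Open()` sees, and the real `net/http` `http.Redirect()`, whose `Location` header is captured with `httptest`. The `IsUnsafeLocation` check and `SafeRedirect` wrapper are my own assumed guard to illustrate one defensive control, not Grafana's actual fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Payload from the writeup: '?' and '\' are ordinary characters to a
// filesystem, but a URL-aware redirect stops the path at '?'.
const redirectPayload = `/public/../\attacker.com/?/../../../..`

// FilesystemView mirrors what a static-file handler sees: path.Clean treats
// '?' and '\' as plain characters, so every ".." takes part in the collapse
// and the whole string folds back into a legitimate directory ("/").
func FilesystemView(reqPath string) string {
	return path.Clean(reqPath)
}

// RedirectView captures the Location header the real http.Redirect emits for
// the same string. Redirect splits off everything from '?' before cleaning,
// so the ".." segments after it never remove the "\attacker.com" segment.
func RedirectView(reqPath string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/public/", nil)
	http.Redirect(rec, req, reqPath, http.StatusFound)
	return rec.Header().Get("Location")
}

// IsUnsafeLocation flags a relative Location that browsers read as
// protocol-relative ("//host/..." or "/\host/..."), i.e. an open redirect.
// Hypothetical guard for illustration, not Grafana's patch.
func IsUnsafeLocation(loc string) bool {
	return strings.HasPrefix(loc, "//") || strings.HasPrefix(loc, "/\\")
}

// SafeRedirect computes the Location exactly as http.Redirect would and
// refuses to send it when it would leave the origin. Returns true when the
// redirect was issued. Hypothetical guard for illustration, not Grafana's patch.
func SafeRedirect(w http.ResponseWriter, r *http.Request, target string, code int) bool {
	probe := httptest.NewRecorder()
	http.Redirect(probe, r, target, code)
	if IsUnsafeLocation(probe.Header().Get("Location")) {
		http.Error(w, "refusing off-origin redirect", http.StatusBadRequest)
		return false
	}
	http.Redirect(w, r, target, code)
	return true
}

func main() {
	fmt.Printf("filesystem sees  : %q\n", FilesystemView(redirectPayload))
	fmt.Printf("Location header  : %q\n", RedirectView(redirectPayload))
	fmt.Printf("unsafe location  : %v\n", IsUnsafeLocation(RedirectView(redirectPayload)))

	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/public/", nil)
	issued := SafeRedirect(rec, req, redirectPayload, http.StatusFound)
	fmt.Printf("SafeRedirect issued: %v (status %d)\n", issued, rec.Code)
}
```

Run it with `go run .` and the two views print side by side: the filesystem collapses the payload to `/`, while the redirect emits `/\attacker.com/?/../../../..`. The guard works on the computed `Location` rather than on the raw input, so it catches the result of the normalisation mismatch instead of trying to predict it.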
This is taken from his blog and is quite a nice visual overview:

Using this as part of the chain, Alvardo identified a `/render` endpoint, which was used to screenshot relative paths. Chaining this with the above bypass allowed him to smuggle in a path `/render/public/..%252f%255C127.0.0.1:1234%252f%253F%252f..%252f..`, resulting in an arbitrary redirect to any resource, allowing full SSRF.
Using even more path-normalisation tricks on the client side, he also built out a very nice chain resulting in full ATO via XSS. I don’t want to rewrite the blog entirely as he’s done a great job, but this is taken from the blog and gives a high-level overview of the chain:

It’s a great read. Check out the blog below, along with the full exploit:
Evan Connelly - What I learned from my first 100 HackerOne Reports
This is a great blog from Evan, who’s recently been crushing it and is fairly active in the CTBB community. The blog post details some of his lessons learnt from his first 100 HackerOne reports, and honestly, it’s a great data-driven read.
If you’re newer to the scene or just enjoy more of the data-driven posts, this one is going to be for you.
I’m not going to rewrite or rehash it; Evan has articulated his takeaways incredibly well. Read it below:
How to Win at Live Hacking Events
So, live hacking events. I’ve been fortunate enough to attend a few now, and an event breaks down into a few phases, including:
Pre-event: Initial preparation and reconnaissance.
Scope Call: Understanding the rules, bonuses, and specific targets.
LHE Start - Dupe Window Start: The beginning of the event, including the start of the dupe window.
Dupe Window End: The end of the dupe window.
On-site: The in-person experience at the event.
Event Finish: Event wrap-up.
Pre-event
When your invite comes through, you’ve got a timeline from this point onwards. It’s not uncommon for people to recon and start hacking the target as soon as the invite comes through, aiming to start the event with bugs in the pocket.
One thing to consider, however, is that the event scope can be drastically different from the main scope of the target. So that can catch you out - the bugs may not even be in scope for the event.
Scope Call
During the scope call, all of the scope, bonuses and any additional information will be disclosed.
The questions you should be asking are: What does the team want me to hack on? What will bring the most impact and make them go “oh shit”?
A key strategy here is to balance the desired scope with anticipated interest from other hunters. Focus on Tier 0 scope (the most critical and core functionalities), but prioritise areas that might not have higher interest from other hunters. This might help you reduce your chances of duping.
Once the scope call is over, spend a brief amount of time looking at the scope and seeing what fits. Then, pick your portion of the scope, lock in and go for it.
Then, try and hit every attack vector on the scope that is semi-obvious but highly impactful.
At this point, you can decide to switch to another area of the scope if it isn't as functionally rich as anticipated or simply doesn't align with your expertise - this is your time to pivot!
Lock in
These events can be incredibly taxing. Make sure to commit and lock into the timeframe, and make sure you have your time squared away with family, friends and everyone else before the event starts.
Make sure to tick off annoying to-do list items that could interrupt your flow in the event, too.
Another thing, too - if you want to win an LHE, you need at least 1 critical finding, so make sure you’re going after high and critical impact bugs. Once you make a decision on scope or switch, you HAVE to lock in.
LHE Start & Dupe Window
When the event kicks off, you will be inclined to not sleep, eat, drink or exercise. Having fallen into this trap myself, I strongly advise against this approach.
Dupe window
Now, when the event kicks off, we also have the dupe window. During the dupe window, if multiple hunters discover the same vulnerabilities, the reward is split among all who identified them.
Justin, controversially, chooses not to collaborate during the dupe window. He has found that he performs better financially by collaborating only after this period concludes.
If you aim for a full reward split across the entire event, Justin recommends collabing with hunters possessing significantly different skillsets or those who specialise in certain areas you do not.
General Approach
Another big thing - IGNORE THE LEADERBOARD, ignore the Slack, ignore all the nonsense. You’ll have someone asking ‘SOMEONE PLS TRIAGE BUG 51231231 ITS SUPER CRIT SUPER SUPER CRIT’ in the chat, and tbh, it’ll just interrupt your flow. Just ignore it all.
After you’ve put in a serious amount of hours, processed a lot of information, and tried a lot of attack vectors, you need to let your brain rest and iterate on this. The best way to approach this, in my experience, is going on a long walk or a hard workout without music or headphones. Justin has a hot tub, which helps him with this.
When you’ve hit a few days of going at full speed, it’ll also be wise to take some rest. Schedule this in and don’t feel bad for doing it. I tried to run on all cylinders at 100% during my first event, and I felt terrible and very quickly burned out.
Becoming An Expert
If you do find yourself out running errands or driving, make some notes or carry a notebook so you can crunch through documentation, notes, or resources on the target. NotebookLM might be a good one for this on the developer documentation, too.
Ensure you note any potential attack vectors as you analyse this documentation.
You also need to become an absolute expert on whatever you're looking at. Specifically, if your understanding is so profound that you effectively become an unofficial extension of their development team, you are in a strong position.
You must thoroughly cover all core application functionality, analyse all JavaScript, and comprehensively configure every area of the application. Crucially, do not neglect the application's authentication mechanisms.
Double down on any weaknesses you find - spend time analysing why a specific endpoint was vulnerable, the root cause of this behaviour, and how it could be abused in a wider attack chain or other application areas.
Peripheral Assets
Once you've covered all of the main assets, go deep on peripherals. These include SDKs, legacy environments, staging environments, mobile applications, browser extensions, APIs, and similar assets.
These can present a significant attack surface. At times, a deep understanding of a peripheral asset's placement and operation can spell out vulnerabilities in an entirely different portion of the scope.
Dupe Window End
The dupe window will usually end around a week in. Once this period concludes, you should aim to submit most of the bugs you have built out during this phase. Submitting your findings will also help you understand the company's threat model moving forward throughout the event.
If you’ve got some half-baked vectors which aren’t quite there yet, now’s probably the time to reach out to some other hackers for some insights and collaboration opportunities.
When you begin collaborating with other hackers, if someone provides valuable information or a useful tool, ensure you reciprocate with an equivalent contribution; the LHE scene is small, and someone at some point will have something you need for a bug.
Equally, pay MASSIVE attention to parts you’ve missed when talking to other hackers. There is so much value here as other hackers will be looking at the same scope as you, but you will likely find different bugs entirely. This can massively help you grow as a hacker and solidify concepts.
Ensure fair collaboration once this window concludes. If someone contributed, ensure they receive a minimum of 5% of the reward, even for a very minor contribution. Conversely, be fair to yourself. You are not obligated to agree to a 50/50 split for every finding. Ask for honesty, and give honesty.
On Site
It can be incredibly tough to concentrate when you’re on site at an LHE. The buzz is there, there are a lot of bugs, everyone has spent a lot of time on the targets, and there’s a lot of collaboration going on.
However, try and stay locked in when you’re on site - you have an opportunity to squeeze a few extra bugs in in a collaborative environment. There will be a lot of socials happening, so be cautious (of drinking and wiping a day out).
If you don’t have many leads at this point, pick a small piece of scope and go very deep on it. Equally, if the team is on site, it’s worth approaching them and asking if there are any areas they’d like to focus on or if they’d seen any interesting areas. Sometimes, they might give you a solid lead.
Another tip is to speak with triagers at these events to help them understand the impact. Being able to speak in person and articulate the impact of a finding can massively help get your bug over the finishing line. Make sure to have a prepared POC and an easy-to-follow flow to help them out as much as possible.
If you can’t make it on site, find a friend to do this for you!
Also, there will be a show and tell. This is where some of the coolest bugs of the event will be presented to everyone - you’ll probably learn a lot and kick yourself a few times for overlooking something, but it’s a great learning experience.
Equally, everyone is usually pretty friendly. At one event I went to as a guest, I asked a few hackers (jr0ch, mayonnaise, Nahamsec, t3knogeek) about their bugs, and they happily showed me.
Don’t Tie Your Identity to Your Results
The most important part of this process is not to define your identity as a hacker based on the outcome of the live hacking event. You don’t know if the target is going to be for you when walking into an event.
The reality is, some scope isn’t a good fit, and life can get in the way. It doesn’t mean you're a bad hacker or you don’t deserve to be there, and the truth is, the volatility is huge.
Assets go down, dupes happen, the scope might be incredibly locked down, things get downgraded... all of these things are somewhat out of your control, so to define any self-worth on them wouldn’t make sense.
Now, last but not least, ROOT FOR YOUR FRIENDS. These competitive environments can bring out interesting behaviours in people, and you don’t want to be the guy who’s salty about his friend popping a crit. Mr Thacker covered this fantastically on his blog here: https://josephthacker.com/personal/2025/05/13/root-for-your-friends.html
Some great tips from Justin on this episode.
As always, keep hacking!