Our idea of launching the Hacker Spotlight was to share the beautiful journey of the hacker/researcher of our platform. So, at first, we are putting the spotlight on our one of the best researcher “Rikesh Baniya” who also goes as “@itsrickyy” based on his recent excellent performance on our Bugv platform.
By putting him under the spotlight we have asked him a different set of questions that will enlighten us about his journey, his struggles, his methodologies, his motivation, how it has impacted their social and professional life etc.
Hope his journey might inspire our fellow hackers and other people who are thinking of joining this community.
We did a set of question and answer sessions with Rikesh about his bug bounty experience and here are those conversations.
1) How did you come to know about hacking?
“I came to know about hacking in 2014 when I was in class 9. I had seen youtube videos about rooting, wifi hacking, MITM attack using zanti app and I was fascinated by it. Although I was keen about hacking, I had never dived deep into it to pursue it as a career.”
“The actual stepping stone in my journey came after I watched the video “Offensive Approach to Hunt Bugs “ by Vikash Chaudhary in 2019.”
2) What motivates you to hack and how long have you been into hacking?
I have been actively hacking since mid-2019 and money is definitely the driving factor for me. If the program does not have a bounty program,it’s an automatic NO for me. I would rather sleep than spend my time hunting on a program just to appear on their lousy hall of fame page.
3) How do you choose a program?
It depends on a lot of factors; scope, bounty and most importantly how much can I feel the connection with the target. Some targets are more interesting to hunt compared to others and everyone has a preference.
I focus more on api testing so I primarily target sites that have an android app in scope,or use api.target.com subdomain.
4) Who is your inspiration?
I don’t have a single inspirational figure who I religiously follow.
In the hacking community, there are a lot of talented faces, all doing great in their own domain and I admire the work of many people like ShawarKhan, ysamm,s0md3v, etc
5) What advice would you give to hackers?
Take regular breaks. When I feel like I’m not able to find a valid issue even after trying everything,I just take some time off the computers.
In hacking, I do not believe in the idea of “never give up, keep pushing”. Many times when I have taken breaks and re-approached the target with a fresh mindset,I have been able to find simple yet high-impact issues that I completely missed with a stressed mind.
6) What is your favorite bug type and why?
Definitely, information disclosures.
Being able to access information that I’m not supposed to be a pretty good impact bug and pays well. Plus, these kinds of bugs can be found using multiple attack vectors. Like CORS leading to info disclosure,IDOR leading to info disclosure so there’s always a new approach to learn.
7) What are a few of your favorite hacking/security tools?
My whole hacking approach is based on finding as many hidden endpoints as possible.
So I extremely rely on apktool for apk analysis, gau for finding old endpoints, Arjun for parameter discovery, and JSFScan for js analysis. While I’m on burp,I mostly use JSLinkFinder and para miner.
8) What do you enjoy doing when you aren’t hacking?
I usually spend time watching movies when I’m not hacking.
9) What advice would you give to someone who is starting out as a beginner in bug bounties?
Learn the basics; Networking, programming, web technology. Don’t get confused about what programming language to learn. programming language isn’t important, programming logic is.
And most importantly DO NOT get tempted by “P1 in 5 minutes, P1 using nuclei/automation” posts and give more focus towards the manual hacking approach. Move to automation after your foundation is solid.
10) What is a quick hacking tip or technique that you recommend?
A quick way to hunt on android apps without bypassing SSL is by downloading its older version.
I have come across many apps that were extremely hard to intercept but older versions had no protection implemented.
11) Do you have any favorite tools or resources to learn? /What do you do to keep up with all the new trends?
Previously,I used to rely on Twitter but these days “BugBytes by intigriti” and “BugBountyHunter” group in Telegram is my go-to place.
12) How much time do you spend hunting bugs?
To be honest, I’m by my machine pretty much the whole day. Either hacking or watching youtube.
If I would have to take an average guess; I would say 4 hrs during regular days and 8 hrs during holidays.
13) How have bug bounties impacted your life?
Bug Bounties made a huge impact on my life. I am not wasting my time like I used to, I have learned a lot of things during this period and have become financially independent as well 😉
Thank you so much to Rikesh for his time and for his great contributions to our platform and to the bug bounty community. We wish you great success with your life.
