Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

This talk outlines the experience of discovering a full-read unauthed SSRF vulnerability in a product used by thousands of companies in their DMZs. There will be 3 main sections of this talk: the discovery, the exploitation, and the results.

Starting with the discovery of this bug, we’ll discuss some methodology of looking at open-source software for security vulnerabilities and how this led to the discovery of CVE-2020-13379. Included in this section will be defining your goals for what kind of impact you wish to achieve, identifying areas of interest, and perseverance (also known as going down the rabbit hole).

From there, we’ll dive into a demo of the bug. This will include a working PoC for CVE-2020-13379, an exploitation kit that will assist in full exploitation, and a summary of some useful escalation techniques. We will also discuss what it looks like to use this bug against companies who host Grafana instances in the DMZ or in the internal network.

To bring it all around, we'll talk about the experience of reporting this bug to different vendors and mass-exploitation across bug bounty programs. This will include some lessons learned from mass-exploitation, some awesome collaboration with very skilled hackers, and some great interactions with programs.

This talk outlines the experience of discovering a full-read unauthed SSRF vulnerability in a product used by thousands of companies in their DMZs. There will be 3 main sections of this talk: the discovery, the exploitation, and the results.

Starting with the discovery of this bug, we’ll discuss some methodology of looking at open-source software for security vulnerabilities and how this led to the discovery of CVE-2020-13379. Included in this section will be defining your goals for what kind of impact you wish to achieve, identifying areas of interest, and perseverance (also known as going down the rabbit hole).

From there, we’ll dive into a demo of the bug. This will include a working PoC for CVE-2020-13379, an exploitation kit that will assist in full exploitation, and a summary of some useful escalation techniques. We will also discuss what it looks like to use this bug against companies who host Grafana instances in the DMZ or in the internal network.

To bring it all around, we'll talk about the experience of reporting this bug to different vendors and mass-exploitation across bug bounty programs. This will include some lessons learned from mass-exploitation, some awesome collaboration with very skilled hackers, and some great interactions with programs.

The Bug Hunter’s Methodology is an ongoing yearly installment on the newest tools and techniques for bug hunters and red teamers. This version explores both common and lesser-known techniques to find assets for a target. The topics discussed will look at finding a targets main seed domains, subdomains, IP space, and discuss cutting edge tools and automation for each topic. By the end of this session a bug hunter or redteamer we will be able to discover and multiply their attack surface. We also discuss several vulnerabilities and misconfigurations related to the recon phase of assessment.

Have you ever felt like no matter how much sleep you get, you feel exhausted? Struggle to concentrate? Having trouble balancing work and personal life? Or perhaps feel your work is your life? Then this talk is for you.

Burnout. We all go through it at one point. It feels like you are low on battery and it can cause impact emotionally and physically.

In this talk, we will cover burnout, how to overcome it, and how to prevent it from happening.

Pentesting or ethical hacking as it is more commonly known has become a much sought-after job by people in IT, InfoSec, or those just trying to get into the industry. In this presentation, Phillip Wylie shares the blueprint for becoming a pentester. The presentation combines Phillip’s experience as a pentester and ethical hacking instructor to give attendees a guide on how to pursue a career as a pentester. Phillip shares what has worked for his students and people that he has mentored over his years as a pentester. This presentation covers the knowledge and skills needed to become a pentester as well as the steps to achieve them.

I get asked “how to get started in bug bounties” every day, and it’s been like that since the first day I began my own bounty journey about 2 years ago. To be honest, I don’t have a simple answer anymore. In 2020 there are so many different paths to choose, and it can be really overwhelming for someone that wants to break into the hacking space. Should I focus on VPDs? Should I do ctf's? should I spend my time doing recon, should I automate stuff? Or should I go app deep? There is no right or wrong way to do it. But the most important thing is to simply take action, and simply just start hacking.

In this presentation, I will share my journey and my experience from being in the bug bounty space for the last 2 years. I will share the tools, both physical/mental, and the resources i use to gain information. How I collaborate and create new friendships. How I on multiple occasions couldn’t sleep because of bounty fever. How I dealt with dupes and program frustration. How I created content that has inspired thousands and finally how I overcame burnout, all while not knowing how to write a single line of python.

This talk covers a few of my favorite stories from the past year and will demonstrate different ways that I managed to “own” an organization during a pentest engagement. Stories include:

No MFA? Thanks! - This story discusses how I obtained domain admin access as an external attacker, teaching some key lessons along the way.

IPv6 FTW! - This story discusses how IPv6 can be abused in internal networks and easily allow for complete domain compromise.

You Spent How Much on Security? - This story discusses how I obtained domain controller access on an organization that was doing *almost* everything right and spending a lot of money to do so.

Digging Deep - This story discusses how I managed to take down an internal network when no apparent exploit existed.

Details of the car hack on my own vehicle in 2017 and then how I first created an ‘IVI in a box’ and then PD0 ‘CAR in a box’. Some hints and tips on how not to break your own car!