60 Hacker Jokes
I read the CVE. The CVSS score was 9.8. The description was three sentences. The patch notes said "various improvements."
"How did you get in?" The printer.
Recon is 80% of the engagement. The other 80% is writing the report.
Every CTF starts with nmap and ends with regret.
CVE-2021-44228 was disclosed on a Friday afternoon. That's the actual joke.
"We have a WAF." The WAF is in monitor mode.
Red team finding: domain admin in 47 minutes. Client response: "Can you redo it but slower so we can detect it."
I do not break into systems. I demonstrate that someone already could.
The Top 10 hasn't really changed in 20 years. Neither has the codebase.
Hollywood hackers type fast on a black screen. Real hackers stare at Burp Suite for nine hours.
"It's a feature, not a vulnerability." The feature is a deserialization gadget.
Every senior pentester has the same origin story: "I changed the URL once."
The bug bounty triager asked for steps to reproduce. I sent a video. They marked it duplicate of a report from 2019 that was marked "won't fix."
There are two kinds of organizations: those that have been breached, and those that have a TLP:RED memo about it.
"Our security is military-grade." Military grade means the lowest bidder built it.
I love SSRF. SSRF is the gift that keeps giving 169.254.169.254.
"Defense in depth." One firewall, three exceptions, and a shared admin password.
The exploit worked first try. I immediately distrusted it.
"We're PCI-compliant." The assessor was here for two days. The auditor was here for two hours. The breach was 11 months long.
A skilled hacker can tell from across the room that your session cookie isn't HttpOnly.
The hardest part of the engagement was getting the VPN credentials.
"The vulnerability is theoretical." The PoC is in the email below.
I told the client we got domain admin. The client asked if we could prove it. I sent the krbtgt hash.
OWASP Top 10: Injection is number 1. Injection has been number 1. Injection will be number 1.
"Zero-day." It's been in the codebase since 2014. The zero is when somebody finally noticed.
I don't write malware. I write proofs-of-concept for educational purposes. The education is expensive.
Phishing test: click rate 38%. Report rate 2%. Management asked us to make the test easier.
"We roll our own crypto for performance reasons." No further questions.
A good red teamer leaves no trace. A great red teamer leaves a polite note in the SIEM.
I solved the CTF challenge in 4 hours. The writeup took 6. The blog post took 11.
"Air-gapped network." There's a USB port on the workstation. There's a USB port on the workstation. There's a USB port on the workstation.
The vulnerable endpoint was /api/v1/users/{id}. The id was sequential. There was no authentication. The pentest took 4 minutes.
DEF CON dress code: black t-shirt with the previous year's badge.
I told the SOC I'd be running an engagement Monday. They detected me Thursday. The IR ticket was opened the next Wednesday.
"Encrypted at rest." The key is in environment variables. In the repo. In the docker image. On Docker Hub.
Every appsec finding closes with the same compensating control: "This will be remediated in a future release."
The most dangerous string in security: "';--
I do not need to bypass MFA. The user has already approved 47 pushes today.
"We don't think anyone would target us." The ransomware affiliate disagrees.
There's the CVE description. There's the vendor advisory. There's the actual root cause. There are usually three different vulnerabilities.
Blue team's favorite log line: "User logged in successfully." From an IP in Vladivostok at 4:13 a.m.
"We rotate keys quarterly." The key was checked into git in 2017.
Reading a CVE is half cryptography and half forensics. The vendor wrote the description hoping nobody would weaponize it. The vendor's advisory tells you exactly how to weaponize it.
I love a good privilege escalation. I love a great misconfiguration more.
The first thing in any engagement scope: "Out of scope: anything that breaks production." The first finding: breaks production by existing.
"Threat model." The threat model is one slide and the threat is "hackers."
Pentester at a party: "What do you do for work?" "I'm in IT."
A senior offensive engineer once told me: "If you're using Metasploit, you've already lost the engagement." A different senior offensive engineer told me: "If you're not using Metasploit, you're showing off."
The exploit is 12 lines of Python. The writeup is 4,000 words. The disclosure timeline is 18 months.
"Sanitized inputs." The sanitizer is a regex that allows < and >.
Every C2 framework is the same C2 framework with a different logo.
I respect a hardened target. I especially respect the one that's hardened on the perimeter and trusts everything inside.
"It's behind a VPN." The VPN is also behind the VPN. The VPN credentials are in a SharePoint titled VPN_creds_FINAL.
Capture the Flag 101: the flag is in /root. The flag is always in /root. It has been in /root since 2003.
I have never met a logging configuration that wasn't either turned off or turned up so high nobody reads it.
Patch Tuesday is a cultural event. Exploit Wednesday is a sport.
"This is a low-severity finding." The finding is unauthenticated remote code execution.
I trust an attacker with a Burp Suite license more than a vendor with a compliance certificate.
Real hackers do not say "I'm in." Real hackers say "wait, did that work" and then "holy shit" and then "I need to take notes."
The CVE was published. The patch was released. The exploit was public within 6 hours. The org will apply the patch in Q3.
Why the hacker joke does not need the hoodie
Most hacker humor in the broader culture is about a person in a hoodie typing on two keyboards at once. The jokes that actually land with practitioners are about something else entirely. They are about reading. About reading a 200-page vendor advisory until the one sentence that matters emerges. About reading source code that nobody has read in eight years. About reading logs at 2 a.m. and noticing the one entry that does not fit. The job is more librarian than ninja, and the inside humor reflects that.
The other thing real infosec jokes have in common is specificity. The bit lands because the audience has actually written the SSRF payload, has actually clicked through the CSRF demo on a real engagement, has actually watched a SIEM eat 80,000 false positives in an afternoon. The references are technical because the audience is technical. A general "hackers are cool" joke is a movie poster. A "CVE-2021-44228 dropped on a Friday afternoon" joke is a shared scar.
What keeps the genre affectionate is that the people in it know how thin the line is. The same skill set that finds the bug also fixes the bug. The same person who broke into production on Tuesday spent Wednesday writing the detection rule. Red team and blue team are roles, not species. The jokes work because the people telling them respect the craft, respect each other, and respect the fact that the next disclosure will probably ruin somebody's Friday.
See also
- 50 Sysadmin Jokes That Hit Too Close to Home: the on-call rotation that gets paged when the SOC paged the wrong person.
- 45 Password Manager Jokes for People Who Forgot the Master Password: the credential layer underneath every breach narrative.
- 70 Slack Jokes Every Channel Member Recognizes: the #sec-incidents channel where the disclosure timeline begins.
- 60 Zoom Meeting Jokes Everyone on Mute Knows: the war room.
- 55 Email Chain Jokes for People Stuck on the Thread: the disclosure thread with 47 reply-alls.
- 60 Executive Leadership Jokes for People Who Have Sat Through the Keynote: the executives who said it wasn't a breach, just an incident.
- 55 HR Jokes Only Employees Who Have Met With HR Get: the security awareness training nobody completed.