Spotlight on PinkDraconian: From CTFs to huntr – A Hacker's Path

Intro

At huntr, we love to celebrate the incredible talent working with us to build a safer AI powered world. Our community of over 15,000 hackers and threat researchers are constantly uncovering and fixing AI/ML vulnerabilities. Today, we're putting the spotlight on Robbe Van Roey, also known as PinkDraconian. From his competitive hacking beginnings to his current role as a senior penetration tester, PinkDraconian is one to watch. In this blog, we’ll explore his journey and look into his recent discovery of a critical vulnerability in the parisneo/lollms-webui package.

Meet PinkDraconian

Ever wonder how a hacker is born? Let's hear it straight from the source.

"Hi everyone, I'm Robbe Van Roey, but online I'm better known as PinkDraconian. I started hacking just about 6 years ago, when I was 18 years old and I'd like to talk you through my origin story.

In the beginning, I had no idea that hacking was going to be so important for me in my life. I just watched a LiveOverflow video of some binary exploitation challenge and figured "That looks cool, I want to do that", and so I did! I started playing CTFs and really enjoying the struggle of it: In the beginning I didn't have a single clue what I was doing but after a couple of months things started to click. I kept on playing CTFs for years and eventually even made it to the position of captain of the official Belgian hacking team. CTFs are the reason that I'm a hacker today and I think they're an integral part to becoming a great hacker. They teach you problem solving, they teach you techniques and tricks, but most importantly: CTFs teach you to struggle, hacking is all about loving the struggle of figuring things out!

So CTFs were pretty cool, and at this point I had figured out what I wanted to do: I wanted to become a penetration tester. But everyone around me told me that to become one, I had to get expensive certifications and I wasn't so keen on that, so I challenged myself to become a penetration tester without any certifications. But I needed some way of showing my skills to the world, and I also wanted to give back to the community so I started a YouTube channel where I teach aspiring hackers everything from binary exploitation to web application security. Right now we're sitting at about 15,000 subscribers and I can say that I wouldn't be where I am today without that channel. Inspiring others and building a network was so important, and so I'd advice everyone to create something for the community: Tools, videos, blog posts, challenges, anything you can think of!

Through my videos, I got into contact with Intigriti, a bug bounty platform. This is where my professional career got started. I was hired there and able to create amazing content, speak with the best hackers, and really discover everything bug bounty has to offer. I loved this! Eventually, I then moved to my current role as a senior penetration tester at Toreon, dream achieved!

And that's the story of me and how I came to be in a nutshell! Feel free to connect on LinkedIn if you want to learn more!"

 

Why AI/ML Fascinates PinkDraconian

Artificial intelligence and machine learning have always been intriguing fields for PinkDraconian, but his interest is rooted in a deeper, more technical fascination.

"Back in college, I studied AI & Robotics, so I have some small background in kind of understanding how these systems work, and that initially piqued my interest in securing AI systems. At first, I didn't really know what to expect, and the whole space was still a mystery to me, but uncovering mysteries and finding out how things work is why I became a hacker, so this was right up my alley. So I dug deeper.

It quickly dawned on me that the people making AI systems are brilliant scientists, and going through their papers, I don't understand a word, but these brilliant scientists are no programmers. Sure, they know how to write code, but there's a difference between writing code and building a secure product. So what I noticed was that a lot of the common vulnerabilities that every full-time developer should know about were not as known in this field. And it makes sense—these AI systems operate with the OS in a different way than new applications. There are no guidelines (yet) on how these AI systems should be integrated securely; there's nobody to follow, no StackOverflow threads, and so on... So everything built is mostly built from scratch, and that leaves room for loads of mistakes, and I just happen to love finding those mistakes."

 

PinkDraconian’s Unexpected Path to huntr

How does a hacker find their way into the huntr community? Sometimes, it's all about seizing the moment.

"The story of how I got into huntr is a culmination of my experience from the past and being in the right place at the right time. I was driving my girlfriend to her driving lessons and had to wait for her lesson to finish to pick her up again. I figured well, what could I do with this time? So I grabbed my laptop and from my car started browsing GitHub, looking for vulnerabilities. About an hour later I found a pretty cool one in a package named Paddle and found the huntr page for it. I reported the bug just in time to pick my girlfriend up. Eventually, the bug was accepted and that's how the ball started rolling!"

 

Unraveling PinkDraconian's Remote Code Execution Discovery

Working closely with our team, PinkDraconian uncovered a critical vulnerability in the parisneo/lollms-webui package: Remote Code Execution via Cross-Site Request Forgery. Not only did he report the bug, but he also went above and beyond by creating an in-depth video walkthrough of his findings.

 

 

CVE-2024-1522 Impact

This vulnerability allows attackers to take full control of a victim's system without needing direct access to the vulnerable application. It underscores the need for robust security measures, even on localhost. By exploiting this flaw, an attacker can execute arbitrary OS commands, highlighting a significant security risk for anyone running the lollms-webui locally.

Join the hunt

Feeling inspired by PinkDraconian's story? Join us at huntr and become part of a vibrant community of hackers, researchers, and tech enthusiasts dedicated to building a safer AI powered world. Whether you're a seasoned pro or just getting started, there's a place for you here.

Check out our resources, including our Beginner's Guide to AI/ML Bug Hunting, and join the hunt today!