From Microsoft “Build the Shield” to Microsoft “Hall of Fame”

This post is going to be about how I got started in hacking (thanks to Microsoft) and with time, how I was able to help them back by reporting some security vulnerabilities in their web applications.


The story started in my second year. I was a complete newbie — looking up tutorials on YouTube and calling myself a hacker. Hell, I couldn’t even dual boot a PC properly. Back in school, I wasn’t very good with computers. Maybe it was because of the curriculum or the intensive JEE coaching, but I never really had any motivation to explore programming. Things changed when I joined IIT and got my own laptop. My curiosity, eagerness to explore and my very talented friends sure took me a long way.

Back to the story, it all started when I saw a notice board in the college campus. Three words caught my attention: hacking contest, Microsoft and goodies. Needless to say, these were sufficient to get the second year me excited. It was a group event, so I teamed up with two of my close friends. The rules were thus: a 24-hour preliminary round followed by the top 50 teams battling it out in the finale at the Microsoft Hyderabad campus. The glitch here was that only three teams per college could qualify.

I don’t recall how, but we ended up being ranked 42. But what broke my heart was that there were already 3 teams from IIT Guwahati above us. My hopes were dashed — all this while I had considered myself to be a hacker, but my team couldn’t even make it to the finals. We did solve some web-based challenges but the reverse-engineering challenges had us stumped.

I took this to heart.

Somewhere deep down, it hurt my ego. That was the moment I realized that whatever I was doing was nowhere near enough. Also because of the Build The Shield event I got introduced to CTFs — Capture the Flag contests. We still remember the adrenaline rush we got by participating in the event and couldn’t wait to get another dose of it.

After the contest ended, we participated in random CTF contests and also started reading related write-ups. This taught us a ton of new stuff and slowly, we started getting better at solving the challenges. All the while we only had one thing in mind — to do better in next year’s Build The Shield.


Fast-forward one year.

So the moment came again in my 3rd year. I formed a team with my friends Midhul Varma, Nikhil Alamanda and Venkat Arun. This time it was quite a different story. We called our team CerealKillers. Don’t ask how we came up with it, but the name has stuck on ever since. The screenshot of the leader-board below was taken just 1 hour into the contest — we were at the top. Midhul and I decided to take a hint for a silly question which deducted 50 points for us and landed us at the 6th position.

All the teams above us had a similar score by the last minute.

Leaderboard

Our hard work paid off and we qualified to the finals. The whole experience in Hyderabad was a blast. There were so many goodies to win and so many interesting people to interact with and learn from. The CTF was easily the best experience I had in my student life. The people at Microsoft know very well how to host undergrads and organize a grand event.

All smiles en route Hyderabad
Awkward us at the Microsoft campus
Some finale scenes

I got to meet the other awesome teams from IIT Roorkee, IIIT Delhi, IIT Kanpur, IIT Bombay etc. Until then I had no clue that so many talented people from other IITs were interested in cyber security. Though we didn’t win the finals, we were satisfied with the whole experience.


Now coming to the Hall of Fame part

After a few months I was participating in another Microsoft event on campus called Code.Fun.Do — this is a Microsoft-organised hackathon which happens every year in most of the famous colleges in India. We were building something using Bing Maps and while going through the website I noticed that the website was leaking all the API keys for Bing Maps Portal. This was a serious issue. I am not a Bug Bounty hunter, but I was able to notice the vulnerability because of the preparation I did for the Build The Shield event. I immediately reported it to the Microsoft Bug Bounty Program.

Soon it was fixed and they added my name to their Hall Of Fame page as an appreciation.

After that, I found 6 more vulnerabilities in Microsoft websites and ended up in their Hall Of Fame 3 times. Turns out, I got really good at finding bugs. To me, this felt just like another always-ongoing CTF contest.


So the sole reason I was able to report vulnerabilities to Microsoft is because I got introduced to hacking and CTFs because of Microsoft Build The Shield.

For some reason, Microsoft stopped organizing this event from the next year. It had motivated a lot of my juniors as well, to explore the field of cyber security, besides acting as a stepping stone for people like me.

It was easily the best CTF competition in India at that time organised at that scale.

I wish Microsoft would understand that all the resources spent on events like that do not go to waste — they indeed inspire a lot of people. I talked to other students who came to the finals and their stories were equally fascinating. Build The Shield played a significant role in making them interested in the Cyber Security domain.

As for the other CerealKillers, one of them is working in Microsoft Research, another is in Amazon, while the third is pursuing a PhD in Computer Science from MIT.

I am still in contact with some people from other colleges and they too are in really good places like pursuing a PhD from CMU, working for Facebook, Google or Microsoft. I on the other hand decided to start my own cyber security start-up and am currently working on it. This is really awesome, considering these people have a fair amount of security knowledge and they will keep that in mind while they are working on anything.

All smiles while coming back

We also happened to meet a Tollywood movie star — Nagachaitanya

Nikhil’s shitty camera
The 3 teams from IIT GUWAHATI

It was around that time when I noticed the security scenario in India is deplorable. To encourage responsible disclosures I also helped in starting the IIT Guwahati Bug Bounty Program.

We still have a long way ahead of us. But I seriously want to thank the Microsoft team responsible for the CTF event. For all the would-be CTF-enthusiasts out there, I only wish they would start it again.


If you really read until this point I will tell you a little secret, you can leave 50 claps in Medium 😃 So don’t hesitate.

Peace ❤

Sai Krishna Kothapalli

Written by

Founder/CEO Hackrew | Security Researcher | Indian | Student @ IIT Guwahati
