munsiwoo

Who am I

My name is Siwoo Mun (a.k.a munsiwoo, munswings)
I'm a web application bug hunter, studying programming and security engineering.
I'm doing CTF activities on team CodeRed 🤭

  • DEFCON CTF 26 Finalist ☠ (Team C.G.K.S)
  • DEFCON CTF 27 Finalist ☠ (Team CGC)


Achievement


  • 2019
    • 1st , HolyShield CTF 2019 Junior (team HeungbuBudaeJjigae) - 1,000 USD
    • 1st , WhiteHat Contest 2019 Junior Final (team Uneducated people) - 5,000 USD
    • 1st , SUA CTF (team BOB8TH_VULN_ANALYSIS)
    • 2nd , The Hacking Championship Junior 2019 (team HeungbuBudaeJjigae)
    • 5th , ISITDTU CTF Final (team Aleph Infinite)
    • 9th , DEFCON CTF 27 Quals (team CGC)
    • 14th , PlaidCTF 2019 (team CGC)
    • Finalist, DEFCON CTF 27, Las Vegas/Play remotely (team CGC)
    • Finalist (5th), ISITDTU CTF Final (team Aleph Infinite)
    • Finalist (4th), Codegate CTF 2019 Junior (username munsiwoooooo)
    • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae) - 3,000 USD

  • 2018
    • 1st , 2018 CyberGuardians (team Layer7) - 5,000 USD
    • 2nd , Timisoara CTF, Romania (team NextLine) - 300 USD
    • 3rd , Harekaze CTF (team SeoulWesterns)
    • 3rd , 1st KO-WORLD Hacking Defense Contest (team phpandrust) - 1,000 USD
    • Finalist (13th), DEFCON CTF 26, Las Vegas (team C.G.K.S)
    • Finalist (8th), Cyber Conflict Exercise, Jeju (team 야몽클리닉/Red Team)
    • Excellence Prize, 2018 대한민국 육군해킹방어대회 (The Republic of Korea Army Attack and Defense Contest)

  • 2017
    • 1st , Christmas CTF 2017 (team 박광호 1인팀) - 800 USD
    • 3rd , Kookmin Univ & Ubuntu CTF 2017 (team ์ƒˆ์‹น๋ณด๋”๋ฐฅ)
    • 4th , Neverland CTF 2017 (team gazoku - solo)
    • 8th , SECUINSIDE CTF Quals 2017 (team FHF)

Internship, Education


  • Sunrin Internet High School  
    • Position : Student
    • Date : 2017.03 ~ 2020.02
    • Details : sunrint.hs.kr

  • CSSA IoTcube, Korea.Univ    
    • Task : Security Vulnerability Analysis in Block-chain Open Source Project
    • Date : 2018.07 ~ 2018.09
    • Details : CSSAIoTcube

  • Best of the Best 8th, KITRI  
    • Position : Student
    • Date : 2019.07 ~ 2020.04
    • Details : KITRI, BoB


Speaker


  • HackingCamp 18, PoC Security    
    • Title : Security option bypass 101
    • Content : Introduces several ways that PHP's open_basedir and disable_functions options can be bypassed.
    • Date : 2018.09.02
    • Detail : HackingCamp

  • Bithumb Youth Cyber Security Camp, Bithumb
    • Title : Easy and Simple Information Security Tips
    • Content : For middle school students, introduces various situations in which personal information can be leaked and explains how to prevent them.
    • Date : 2018.11.23
    • Detail : Internet article, Bithumb

  • CodeGate 2019 (First prize was awarded)    
    • Title : PHP Trick Trip
    • Content : Under the theme "PHP Trick Trip", covers various PHP issues and bugs.
       By auditing the source code of the PHP interpreter (Zend Engine), it logically analyzes why the tricks occur,
       and presents an account of the analysis journey, including the preparation it took and the trial and error along the way.
    • Date : 2019.03.27
    • Detail : Blog, CodeGate, PDF
    • Award : Korea Internet & Security Agency (KISA) President's Award (Excellence Award for presentation)

Organizer


  • 2019
    • 2019 Layer7 CTF
    • 2019 Sunrin Internet High School "High School Hacker" (고등해커)
    • 2019 Sunrin Internet High School In-School Hacking Defense Contest (challenge author - Github)

  • 2018
    • 2018 Sunrin Internet High School "High School Hacker" (고등해커) (ran the qualifiers and finals, challenge author)
    • 2018 Sunrin Internet High School In-School Hacking Defense Contest (operations, challenge author)
    • PoC Security HackingCamp18 CTF (challenge author - Github)
    • 2018 Layer7 CTF (contest operations, challenge author, Github)
    • 2018 H3X0R CTF (challenge author - Github)

  • 2017
    • 2017 PoC Security Belluminar CTF (participant, challenge author, Github)
    • 2017 PoC Security Power of XX (challenge author, Github)
    • 2017 Layer7 CTF (contest operations, challenge author, Github)
    • 2017 H3X0R CTF (contest operations, challenge author)

Projects


  • 2019
    • Dynamic Analysis for Node.js Modules (BoB 8th Team Project) - WIP
    • PHP Trick Trip (Presented at the codegate 2019, Github)
    • Nully fuzzer - Selenium based reflected xss dynamic fuzzer (Private)
    • Mun Template - Simple PHP Template engine (Github)

  • 2018
    • PHP CTF Framework (used in Layer7 CTF 2018, Sunrin High School Hacker CTF 2018)
    • Simple MVC Framework in PHP (Github)
    • Simple directory search tools with multi-threading (Github)

Bug bounty


  • 2019
    • HackerOne Directory
      • μTorrent(utorrent.com) : [censored] - External Program
      • AfreecaTV(afreecatv.com) : found 13+ vulns including SQL Injection - External Program
    • Naver Bug Bounty Program
      • found 8+ vulns (XSS) - 1,200+ USD
    • GNUBOARD5 (sir.kr)
      • SQL Injection (<=5.4.0.1) - 2019.09.08
      • XSS (<=5.4.0.1) - 2019.09.08
      • Authentication bypass (<=5.4.0.1)
    • DVP (dvpnet.io)
      • Gateio : SQL Injection (4.5 ETH)
      • Gateio : Reflected XSS (0.125 ETH) * 2

  • 2018
    • KISA Bug Bounty Program
      • NAVER - SQL Injection (KVE-2018-1301) : 1,000 USD

  • 2017
    • NAVER PER(Privacy Enhancement Reward)
      • found 25+ vulns (XSS, Open Redirect)

Contact me at mun.xiwoo@gmail.com
© Siwoo Mun. All Rights Reserved