Resume

Who am I

Hello, my name is Siwoo Mun (a.k.a. munsiwoo)
I'm a security researcher at RAON Whitehat, mainly focused on web app exploitation.
I play CTFs as a member of CodeRed and Aleph Infinite 🍷


Seoul, KR
+82-10-3629-3625


Achievement/Awards


  • 2021
    • 4th, DEFCON CTF 29 Final ☠ (team StarBugs)

  • 2020
    • 1st, m0leCon 2020 (team AlPray)
    • Finalist, WhiteHat Contest (team Uneducated People)
    • Finalist, Cyber Attack and Defense Contest (CCE) Quals (team 흥부부대찌개)
    • Finalist, CONFidence CTF 2020 Teaser (team CodeRed)
    • Finalist, Midnight Sun CTF 2020 Quals (team CodeRed)
    • Finalist, 0CTF/TCTF 2020 Quals (team Heart Breaker)
    • Finalist, DEFCON CTF 28 ☠ (team StarBugs)

  • 2019
    • 1st, HolyShield CTF 2019 Junior (team HeungbuBudaeJjigae) - rewarded $1,000 USD
    • 1st, WhiteHat Contest 2019 Junior Final (team Uneducated people) - rewarded $5,000 USD
    • 1st, SUA CTF 3rd (team BOB8TH_VULN_ANALYSIS)
    • 2nd, The Hacking Championship Junior 2019 (team HeungbuBudaeJjigae)
    • 3rd, Belluminar CTF 2019 (team Aleph Infinite)
    • 5th, ISITDTU CTF Final (team Aleph Infinite)
    • 5th, Timisoara CTF (team Munahnhae)
    • 9th, DEFCON CTF 27 Quals (team CGC)
    • 14th, PlaidCTF 2019 (team CGC)
    • Finalist, DEFCON CTF 27 ☠ (team CGC)
    • Finalist (5th), ISITDTU CTF Final (team Aleph Infinite)
    • Finalist (4th), Codegate CTF 2019 Junior (team munsiwoooooo)
    • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae) - rewarded $3,000 USD

  • 2018
    • 1st, 2018 CyberGuardians (team Layer7) - rewarded $5,000 USD
    • 2nd, Timisoara CTF, Romania (team NextLine) - rewarded $300 USD
    • 3rd, Harekaze CTF (team SeoulWesterns)
    • 3rd, 1st KO-WORLD Hacking Defense Contest (team phpandrust) - rewarded $1,000 USD
    • Finalist (13th), DEFCON CTF 26, Las Vegas ☠ (team C.G.K.S)
    • Finalist (8th), Cyber Conflict Exercise, Jeju (team 야몽클리닉/Red Team)
    • Silver Prize, 2018 대한민국 육군해킹방어대회 (The Republic of Korea Army Attack and Defense Contest)

  • 2017
    • 1st, Christmas CTF 2017 (team 박광호 1인팀) - rewarded $800 USD
    • 3rd, Kookmin Univ & Ubuntu CTF 2017 (team 새싹보더밥)
    • 4th, Neverland CTF 2017 (team gazoku - solo)
    • 8th, SECUINSIDE CTF Quals 2017 (team FHF)

Bug bounty

I'm still a novice bug bounty hunter ;0
https://hackerone.com/munsiwoo

  • 2021
    • HackerOne
      • Starbucks: rewarded $6,000 USD
      • Starbucks: rewarded $1,440 USD
      • Starbucks: rewarded $4,770 USD
    • Bugcamp
      • CISSP: rewarded $120 USD
    • GNUBOARD5

  • 2020
    • Bugcrowd
      • Atlassian: Jira Service Desk: rewarded $600 USD
      • Bitdefender: rewarded $300 USD
    • HackerOne
      • Starbucks: rewarded $1,500 USD
      • Steam(store.steampowered.com): rewarded $400 USD
      • Ford
    • Naver Bug Bounty Program
      • found 15+ vulns - rewarded $2,000 USD
    • Node.js NPM modules
      (NodeJS Module Vulnerability Automation Analysis, Best of the Best 8th)
      • CVE-2020-7719, CVE-2020-7700, CVE-2020-7702
      • CVE-2020-7717, CVE-2020-7715, CVE-2020-7716
      • CVE-2020-7707, CVE-2020-7721, CVE-2020-7701
      • CVE-2020-7724, CVE-2020-7727, CVE-2020-7718
      • CVE-2020-7725, CVE-2020-7722, CVE-2020-7703
      • CVE-2020-7704, CVE-2020-7714, CVE-2020-7706
      • CVE-2020-7723

  • 2019
    • HackerOne
      • μtorrent: Reflected XSS
      • afreecaTV: found 13+ vulns including SQL Injection
    • Naver Bug Bounty Program
      • found 8+ vulns: rewarded $1,200 USD
    • GNUBOARD5
      • SQL Injection (<=5.4.0.1) - 2019.09.08
      • XSS (<=5.4.0.1) - 2019.09.08
      • Authentication bypass (<=5.4.0.1) - 2019.09.08
    • DVP Bug Bounty
      • Gate.io: SQL Injection (DVP-2019-30029) - rewarded 4.5 ETH
      • Gate.io: DOM Based XSS (DVP-2019-30165, DVP-2019-30149) - rewarded 0.250 ETH

  • 2018
    • KISA Bug Bounty Program
      • NAVER: SQL Injection(KVE-2018-1301) - rewarded $1,000 USD

  • 2017
    • NAVER PER(Privacy Enhancement Reward)
      • found 25+ vulns (XSS, Open Redirect)

Education/Work Experience


  • RaonSecure, RAON Whitehat Core Research Team
    • Position: Security Researcher
    • Date: 2021.09 ~
    • Task: Penetration testing, R&D

  • █████
    • Position: Security Researcher
    • Date: 2020.08 ~ 2021.09
    • Task: Penetration testing, 1-day vulnerability analysis, security monitoring platform development

  • Best of the Best 8th, KITRI  
    • Position: Mentee (Vulnerability Analysis Track)
    • Date: 2019.07 ~ 2020.04
    • Detail: KITRI, BoB

  • CSSA IoTcube, Korea.Univ    
    • Task: Security vulnerability analysis in open source Blockchain project
    • Position: Internship
    • Date: 2018.07 ~ 2018.09
    • Detail: CSSAIoTcube

  • Sunrin Internet High School  
    • Position: Student (Department of Information and Communication)
    • Date: 2017.03 ~ 2020.02
    • Detail: sunrint.hs.kr


Speaker


  • CodeGate 2019 (First prize was awarded)    
    • Title: PHP Trick Trip
    • Content: A talk covering bugs that can lead to web hacking attacks, seen through various PHP security issues and vulnerabilities,
       and presenting, based on experience analyzing the Zend engine, the logical reasons the bugs occur and the process of analyzing them
    • Date: 2019.03.27
    • Detail: Review, Codegate homepage, slides (pdf)
    • Award: Best Presentation Award, Korea Internet & Security Agency (KISA) President's Award

  • Bithumb Youth Cyber Security Camp, Bithumb
    • Title: Easy and Simple Information Security Tips
    • Content: A talk that walks through various situations in which personal information can be leaked and introduces ways to prevent them in advance
    • Date: 2018.11.23
    • Detail: Internet article, Bithumb homepage

  • HackingCamp 18, PoC Security    
    • Title: Security option bypass 101
    • Content: A talk introducing various ways to bypass PHP's open_basedir and disable_functions options
    • Date: 2018.09.02
    • Detail: HackingCamp homepage

Organizer


  • 2019
    • 2019 Belluminar CTF (challenge authoring)
    • 2019 Christmas CTF (site development, challenge authoring, operation) - @munsiwoo/christmas-ctf-platform
    • 2019 Layer7 CTF (site development, operation)
    • 2019 Sunrin Internet High School 고등해커 (qualifier and final operation, site development, challenge authoring)
    • 2019 Sunrin Internet High School intramural hacking defense contest (challenge authoring - GitHub)

  • 2018
    • 2018 Sunrin Internet High School 고등해커 (qualifier and final operation, site implementation, challenge authoring)
    • 2018 Sunrin Internet High School intramural hacking defense contest (operation, challenge authoring)
    • PoC Security HackingCamp18 CTF (challenge authoring - GitHub)
    • 2018 Layer7 CTF (contest operation, challenge authoring, GitHub)
    • 2018 H3X0R CTF (challenge authoring - GitHub)

  • 2017
    • 2017 PoC Security Belluminar CTF (contest participation, challenge authoring, GitHub)
    • 2017 PoC Security Power of XX (challenge authoring, GitHub)
    • 2017 Layer7 CTF (contest operation, challenge authoring, GitHub)
    • 2017 H3X0R CTF (contest operation, challenge authoring)

Projects


  • 2021
    • (์ฃผ)ํ…Œ์ŠคํŠธOO ๋ณด์•ˆ ์ปจ์„คํŒ…
    • โ–ˆโ–ˆ๋ฐœ์ „ ๋ชจ์˜ํ•ดํ‚น ๋ฐ ๋ณด์•ˆ ์ปจ์„คํŒ…, (์ฃผ)ํŒŒ์ด์˜ค๋งํฌ
    • โ–ˆโ–ˆ์ „๋ ฅ ๋ชจ์˜ํ•ดํ‚น ๋ฐ ๋ณด์•ˆ ์ปจ์„คํŒ…, (์ฃผ)ํŒŒ์ด์˜ค๋งํฌ
    • โ–ˆโ–ˆ์ฒญ ๋ชจ์˜ํ•ดํ‚น ๋ฐ ๋ณด์•ˆ ์ปจ์„คํŒ…, (์ฃผ)ํŒŒ์ด์˜ค๋งํฌ
    • โ–ˆโ–ˆ์‹œ ๋ชจ์˜ํ•ดํ‚น ๋ฐ ๋ณด์•ˆ ์ปจ์„คํŒ…, (์ฃผ)ํŒŒ์ด์˜ค๋งํฌ

  • 2019
    • PHP CTF Platform, GitHub
    • Automatic Analysis for Node.js Modules, (Best of the best 8th / NerdJS)
    • PHP Trick Trip, (Presented at Codegate 2019, GitHub)
    • Munfoozer, Dynamic XSS fuzzer

  • 2018
    • Simple MVC Framework in PHP, GitHub

Contact me at mun.xiwoo@gmail.com
© Siwoo Mun. All Rights Reserved