Who am I

Hello, my name is Siwoo Mun (a.k.a munsiwoo)
I'm security researcher, mainly focus on web app exploitation.
I'm playing CTF as member of CodeRed and Aleph Infinite 🐷

Achievement/Awards

• 2021
  • Finalist, DEFCON CTF 29 ☠ (team StarBugs)


• 2020
  • 1st, m0leCon 2020
  • Finalist, 사이버작전 경연대회(Whitehat Contest) (team Uneducated People)
  • Finalist, 사이버 공격방어대회(CCE) Quals (team 흥부부대찌개)
  • Finalist, CONFidence CTF 2020 Teaser (team CodeRed)
  • Finalist, Midnight Sun CTF 2020 Quals (team CodeRed)
  • Finalist, 0CTF/TCTF 2020 Quals (team Heart Breaker)
  • Finalist, DEFCON CTF 28 ☠ (team StarBugs)


• 2019
  • 1st , HolyShield CTF 2019 Junior (team HeungbuBudaeJjigae) - rewarded $1k USD
  • 1st , WhiteHat Contest 2019 Junior Final (team Uneducated people) - rewarded $5k USD
  • 1st , SUA CTF 3th (team BOB8TH_VULN_ANALYSIS)
  • 2nd , The Hacking Championship Junior 2019 (team HeungbuBudaeJjigae)
  • 3rd , Belluminar CTF 2019 (team Aleph Infinite)
  • 5th , ISITDTU CTF Final (team Aleph Infinite)
  • 5th , Timisoara CTF (team Munahnhae)
  • 9th , DEFCON CTF 27 Quals (team CGC)
  • 14th , PlaidCTF 2019 (team CGC)
  • Finalist, DEFCON CTF 27 ☠ (team CGC)
  • Finalist (5th), ISITDTU CTF Final (team Aleph Infinite)
  • Finalist (4th), Codegate CTF 2019 Junior (username munsiwoooooo)
  • Finalist (4th), 2019 DVP Global Blockchain CTF (team HeungbuBudaeJjigae) - rewarded $3k USD


• 2018
  • 1st , 2018 CyberGuardians (team Layer7) - rewarded $5k USD
  • 2nd , Timisoara CTF, Romania (team NextLine) - rewarded $300 USD
  • 3rd , Harekaze CTF (team SeoulWesterns)
  • 3rd , 제 1회 KO-WORLD 해킹방어대회 (team phpandrust) - rewarded $1k USD
  • Finalist (13th), DEFCON CTF 26, Las Vegas ☠ (team C.G.K.S)
  • Finalist (8th), Cyber Conflict Exercise, Jeju (team 야몽클리닉/Red Team)
  • Excellence Prize, 2018 대한민국 육군해킹방어대회 (The Republic of Korea Army Attack and Defense Contest)


• 2017
  • 1st , Christmas CTF 2017 (team 박광호 1인팀) - rewarded $800 USD
  • 3rd , Kookmin Univ & Ubuntu CTF 2017 (team 새싹보끔밥)
  • 4th , Neverland CTF 2017 (team gazoku - solo)
  • 8th , SECUINSIDE CTF Quals 2017 (team FHF)

Bug bounty

• 2020
  • Bugcrowd
    • Atlassian - Jira Service Desk: rewarded $600 USD
    • Bitdefender: rewarded $300 USD
  • HackerOne
    • Starbucks: rewarded $1.5k USD
    • Steam(store.steampowered.com): rewarded $400 USD
  • Naver Bug Bounty Program
    • found 15+ vulns - rewarded $2k USD
  • Node.js NPM modules
    (NodeJS Module Vulnerability Automation Analysis, Best of the Best 8th)
    
    • CVE-2020-7719, CVE-2020-7700, CVE-2020-7702
    • CVE-2020-7717, CVE-2020-7715, CVE-2020-7716
    • CVE-2020-7707, CVE-2020-7721, CVE-2020-7701
    • CVE-2020-7724, CVE-2020-7727, CVE-2020-7718
    • CVE-2020-7725, CVE-2020-7722, CVE-2020-7703
    • CVE-2020-7704, CVE-2020-7714, CVE-2020-7706
    • CVE-2020-7723


• 2019
  • HackerOne
    • μtorrent(utorrent.com): Reflected XSS
    • AfreecaTV(afreecatv.com): found 13+ vulns including SQL Injection
  • Naver Bug Bounty Program
    • found 8+ vulns (Reflected/Stored XSS) - rewarded $1.2k USD
  • GNUBOARD5 (sir.kr)
    • SQL Injection (<=5.4.0.1) - 2019.09.08
    • XSS (<=5.4.0.1) - 2019.09.08
    • Authentication bypass (<=5.4.0.1)
  • DVP Bug Bounty (dvpnet.io)
    • Gate.io: SQL Injection(DVP-2019-30029) - rewarded $1.2k USD
    • Gate.io: DOM Based XSS(DVP-2019-30165, DVP-2019-30149) - rewarded $500 USD


• 2018
  • KISA Bug Bounty Program
    • NAVER: SQL Injection(KVE-2018-1301) - rewarded $1k USD


• 2017
  • NAVER PER(Privacy Enhancement Reward)
    • found 25+ vulns (XSS, Open Redirect)

Educated/Internship

• Sunrin Internet High School  
  • Position: Student
  • Date: 2017.03 ~ 2020.02
  • Details: sunrint.hs.kr


• CSSA IoTcube, Korea.Univ    
  • Task: Security vulnerability analysis in Blockchain open source project
  • Position: Internship
  • Date: 2018.07 ~ 2018.09
  • Details: CSSA, IoTcube


• Best of the Best 8th, KITRI  
  • Position: Mentee (취약점분석트랙)
  • Date: 2019.07 ~ 2020.04
  • Details: KITRI, BoB

Speaker

• HackingCamp 18, PoC Security    
  • Title : Security option bypass 101
  • Content : PHP의 open_basedir, disable_functions 옵션을 우회하는 여러 방법에 대해 소개
  • Date : 2018.09.02
  • Detail : 해킹캠프 홈페이지

• 빗썸 청소년 사이버 보안 캠프, Bithumb    
  • Title : 쉽고 간단하게 배워보는 정보보안 Tip
  • Content : 개인정보가 유출될 수 있는 여러 상황을 예를들며 이를 사전에 예방하는 방법을 소개
  • Date : 2018.11.23
  • Detail : 인터넷 기사, 빗썸 홈페이지

• CodeGate 2019 (First prize was awarded)    
  • Title : PHP Trick Trip
  • Content : PHP의 여러 보안 이슈와 취약점을 통한 웹 해킹 공격으로 이어질 수 있는 버그에 대해 다루며,
     Zend 엔진 소스 분석을 통해 버그가 발생하는 논리적 이유와 이를 분석했던 과정을 소개하는 발표
  • Date : 2019.03.27
  • Detail : 후기, 코드게이트 홈페이지, 발표자료(pdf)
  • Award : 한국인터넷진흥원장상 (발표 최우수상)

Organizer

• 2019
  • 2019 Belluminar CTF 문제 출제
  • 2019 Christmas CTF (사이트 개발, 문제 출제, 운영) - @munsiwoo/christmas-ctf-platform
  • 2019 Layer7 CTF (사이트 개발, 운영)
  • 2019 선린인터넷고등학교 고등해커 (예선/본선 운영, 사이트 개발, 문제 출제)
  • 2019 선린인터넷고등학교 교내해킹방어대회 (문제 출제- Github)


• 2018
  • 2018 선린인터넷고등학교 고등해커 (예선/본선 운영, 사이트 구현, 문제 출제)
  • 2018 선린인터넷고등학교 교내해킹방어대회 (운영, 문제 출제)
  • PoC Security HackingCamp18 CTF (문제 출제 - Github)
  • 2018 Layer7 CTF (대회 운영, 문제 출제, Github)
  • 2018 H3X0R CTF (문제 출제 - Github)


• 2017
  • 2017 PoC Security Belluminar CTF (대회 참가, 문제 출제, Github)
  • 2017 PoC Security Power of XX (문제 출제, Github)
  • 2017 Layer7 CTF (대회 운영, 문제 출제, Github)
  • 2017 H3X0R CTF (대회 운영, 문제 출제)

Projects

• 2021
  • (주)테스트OO 보안 컨설팅
  • OO발전 모의해킹 및 보안 컨설팅, PIOLINK
  • OO전력 모의해킹 및 보안 컨설팅, PIOLINK
  • OO청 모의해킹 및 보안 컨설팅, PIOLINK
  • OO시 모의해킹 및 보안 컨설팅, PIOLINK


• 2019
  • CTF Platform - GitHub
  • Automatic Analysis for Node.js Modules (BoB Project) / Team NerdJS
  • PHP Trick Trip (Presented at the codegate 2019, GitHub)
  • Nully fuzzer - Dynamic reflected xss fuzzer


• 2018
  • PHP CTF Framework (used in Layer7 CTF 2018, Sunrin High School Hacker CTF 2018)
  • Simple MVC Framework in PHP (GitHub)
  • Simple directory search tools with multi-threading (GitHub)