Adrián Pedrazzoli – aka lemonoftroy – was hooked on hacking as soon as he encountered this “new world”.
In this interview, the Argentinian bug hunter recounts how he got into hacking and discusses his favourite kinds of vulnerabilities, preferred hacking tools, proudest Bug Bounty discovery so far and some tips for aspiring hunters.
Adrián, who is also a pentester, product security senior at Salesforce and co-founder of Bug Bounty Argentina, brought a variety of InfoSec expertise to the conversation.
This interview took place during Ekoparty, in Buenos Aires, during a live hacking event held by YesWeHack. Adrián finished third on the final leaderboard.
Lemonoftroy on how he became a hacker…
That is a good question. Twenty years ago I think, when I was younger, I [had] a conversation [with] a friend, and he sent a trojan horse, and he explained what that was. So for me it was a revelation. And in that moment, I think that was something interesting, a new world – and I wanted to be part of it.
On his favourite hacking tools…
Burp Suite, LinkFinder… and I think that’s all. Only two. Because I don’t like to do automation. I try to do more manual jobs and try to, you know, understand the business logic. So tools, there are a lot of them. Actually, I can mention a couple more, like ffuf or dirsearch, for discovering and fuzzing web applications. But for me, I think that those are enough.
On his favourite kind of bug…
I can tell you nowadays that IDORs or broken access control are my best bugs or my favourite bugs, because those are business logic bugs and are pretty impactful. And you can find them easily. So broken access control, IDORs and server-side request forgery too. But I really love XSS, like any one of us, because these are the first bugs that we used to report when we started going about bug hunting.
On the bug you are most proud of discovering so far…
It was a server-side request forgery, because it was simple. It was an HTML injection. I just embedded an iframe and I was able to extract all the metadata from AWS. Basically a critical server-side request forgery in the moment of the PDF creation. For me, it was straightforward. Around 20 minutes, but it was amazing. Not much time, but good impact and fun.
On his top tip for inexperienced hackers…
You have a lot of content nowadays: YouTube channels, TikTok, you have a lot of writeups. Try to read any kind of articles that you can, that you are interested in. For example, you have Pentester Land, you have channels like NahamSec.
Nowadays there are a lot of ‘hack-fluencers’. So I think there is a lot of content that you can use to learn and platforms to practice on.
Interested in emulating lemonoftroy? Register as a hunter on YesWeHack, sharpen your hacking skills on Dojo, or learn about the latest hacking tools and hacking techniques on our blog.