Want to start hacking? (about.gitlab.com)
209 points by unripe_syntax on July 27, 2022 | 59 comments



I've had a background interest in getting involved in CTFs for a while now, but haven't yet made it a point to overcome the activation energy to do anything beyond Overthewire's Bandit. I'd be interested in hearing how other people coming from a pure software engineering background (+ associated Linux knowledge) got started. I run into a dependency graph where I'd like to join a team and learn from others, but I need some baseline skill to do that, which requires either a top-down approach of what feels like memorizing tricks that may-or-may-not apply to a given box, or a bottom-up approach of spending a ton of time learning about the fundamentals of networking and file systems (which is often nontrivial to convert into techniques that can be used in CTFs). I know for stuff like this the key is to just get started, and the understanding will follow, but I'm curious if anyone has any recommendations for how to do that.


I think you might like to watch this YouTube video on "How The Best Hackers Learn Their Craft" (https://www.youtube.com/watch?v=6vj96QetfTg). David Brumley speaks about his experience with getting students integrated, but the skill grid he shows might be what you're looking for.

At some points, it is just getting to the answer no matter the method (algorithm, memory, quick trick etc.) At the end of the day, it's still just problem solving and learning existing tools better.


For pentesting (not bounties) I can recommend HackTheBox + IppSec on youtube. Watch a couple of his videos of retired machines to get an idea of the typical workflow (scanning, what to look for etc.). Focus on one type of easy machine (Linux) and then start working on the machines. Set a target to get all easy machines at first and go from there.

I set up a Kali VM to do all my HTB stuff from and keep a notebook of my typical flow so the process is pretty similar for each box I attack. The easy boxes usually require you to somehow identify a weakness and use a ready-made exploit for it (or some easily reproducible steps). Privesc is usually also pretty straightforward. However, they are not super easy by any means if you've never done this.


I'm in a very similar position. Right now I'm working on tryhackme.com's junior pentester learning path. It's OK, but I think I'd be more excited to find a project or goal to focus on instead of a shallow overview of lots of topics (even though the context feels valuable). I'll finish the course, but I think I'll be done with tryhackme after that and go back to looking for something more specific to dive into.


It’s a little expensive but have you checked out the OSCP cert? It’s the only certificate in tech that I think is almost unanimously accepted as a decent one as it’s so practical. That might help give you a goal to keep learning? I’m going through it myself at the moment.


I have thought about this actually. It sounds really interesting but at $1500 for 90 days of access I'll need to make sure to find a time when I don't have much on my plate for 90 days. How much time per week do you feel you need to dedicate to it? Are you enjoying the process?


They’ve changed this recently actually, it's $799 for 12 months of lab access and some entry level certs. I signed up for this and will pay the extra for the OSCP once I’m ready!


This is a bit of a common trap, the idea that to do anything you must know everything. When you read writeups you see people just going from some bug to exploit and incorporating obscure bits of knowledge to make it happen. It feels like they must know everything. The reality is they probably spend hours or days banging their head against a wall having an intuition that _something_ is wrong but no idea how to abuse it or that there must be something. Spending hours researching until they can connect the dots. Those hours of frustration are not captured very well in most writeups.

> I know for stuff like this the key is to just get started, and the understanding will follow, but I'm curious if anyone has any recommendations for how to do that.

The single tip I give anyone getting started is:

Follow all the rabbit holes.

Seriously, all of them. Any time you have some random question come up, "Would doing X be vulnerable", "Could I exploit Y feature", "Why didn't this writeup author do Z", "How does A work", "Why send B this way instead of this way" ... all of them. When you have the question, just go spend the time to figure it out. Every rabbit hole you go down, even if it ends up being a dead end, is adding bits and pieces to your knowledge. Over time you build up an immense library of random bits of knowledge that you can draw from in the future.

I have a blog post about getting started with manual vulnerability auditing: https://dayzerosec.com/blog/2021/05/21/from-ctfs-to-real-vul...

While I wrote that with an eye towards doing binary-level exploit development against modern targets, the advice for doing manual auditing is pretty universal. It's like how to learn to program you actually have to write code, reading about writing code isn't enough. Practice against anything can be useful.

I'll also leave you my favorite vuln research quote:

"Frustration is a key part of exploit research and you must embrace it accordingly"


I am fighting this battle myself, absorbing and retaining raw knowledge is easy for me but I am not that good at CTFs because I don't practice RE and pentesting enough.

One of my big regrets is spending too much time in chatrooms and forums in my 20s instead of practicing. Now I have less capacity to do that because I do this stuff (and love it) as part of my job, I need a break afterwards.

In CTFs either I get distracted or I follow red herrings because of curiosity and waste time.

One thing that helped me before and I am recently considering is getting rid of TV/netflix/prime and social media (maybe exempt HN? Lol) to help with time.


I recently moved into an offensive job after a few years doing secops and cloud security. I think his point about having a genuine interest in security and its offensive applications is really important. Self-learning never really felt like work or a chore because I really found it interesting.

I’m also going to plug my favorite resource: Pentesterlab. I get nothing from this, I just think it’s a great product. It’s been my most used resource since I decided I wanted to be a pentester. I think I’ve seen Louis post here before, so if you read this, thanks for making a great site.


This article is so disappointing. I clicked this hoping to get tips on how to improve as a hacker, but apparently the first step is to have been a full time developer for years. It’s no surprise that this person was able to climb the ranks so quickly considering how long he has been coding for. They have the time, money, and experience to rise to the top. I want to hear from more underdogs, women, POC, etc. who were able to achieve the same. I want to hear from someone who can actually articulate how they made it to the top instead of someone saying they “thought like an attacker.” Sure that may have helped you, but what exactly does it mean to think like an attacker? What do you do differently when you think like an attacker?


I am aware of how some hacking is done but I've never had the interest to do it. Kind of interesting. Whether for good or bad.

Side note I was watching briefly some John Hammond videos and the way they obfuscate/package say powershell command in a word doc image is pretty insane. I've heard of some other wilder ones like the Apple gif overflow attack.


My favourite iOS exploit was from 2010 and targeted versions 3.1.2 to 4.0.1.

It allowed a jailbreak with nothing more than a PDF with a corrupted font.

https://www.intego.com/mac-security-blog/ios-vulnerability-a...


I signed up for the popular bounty program because I was looking at implementing it in a public institution, and I wanted to see what the experience for them would be like. The plan was to approach the platform about us opening it to regional colleges so that we could a) scale our threat hunting capability with locally grown talent b) create an incentive across the sector for patching, and c) create a talent funnel in the local region to get young people with tech skills interested in working in public service.

On the application I said my skills were a bit rusty because I hadn't done pro pentesting in about a decade, and the platform ignored it and wouldn't respond to followups. The institution has moved on to other priorities and the window to drive that change passed, but if there are any upstart platforms interested, a specialized version for regional public sector services that yields the outcomes above is still an opportunity. If the incumbent platform is starting to act like the incumbent, this may even be the bigger opportunity.


I periodically get nefarious Google Drive invitations to collaborate from stolen .edu addresses, so I hope you all are successful!


Unrelated, but for some reason, the first image (of a keyboard) seems to be a DALL-E image. Many images generated by DALL-E have some common sub-perceptual characteristics in the edges or something.


It's a cropped image of a special GitLab keyboard with a GitLab keycap for a giveaway: https://about.gitlab.com/images/blogimages/2021-gitlab-keybo...


Hmm, you might not be wrong about the DALL-E based image there, albeit, definitely some post-processing. This is what it generated for me https://i.imgur.com/T2DsBCq.png

DALL-E will be an incredible tool against DMCA-scraper bots that just run rampant scanning for images that have a copyright and submitting to the registrar.

DALL-E finally shuts this loophole down, for now at least it seems.

EDIT: and it seems like the real keyboard was found! The mere fact that we are having trouble distinguishing a real or fake keyboard leads me to think of greater problems that will lie ahead; authorities or figures claiming they did or did not do/say certain things. The world of artificial intelligence is going to be an exciting time, that’s for sure. :)


I doubt it. DALL-E struggles with text, and the Windows logo is missing from the Windows key, which suggests a level of concern for trademark law that I doubt DALL-E possesses.


Yeah maybe not. But the Dall-E images have similar characteristics. But I think you're right. This seems to have more post-processing than an AI-generated image.


It seems real to me. Looks like someone swapped the six key caps. The more distracting thing is the `hack()` key font doesn’t match.


I think that, now that DALL-E exists, we'll think that everything is DALL-E.


I love hacking stuff. Hardware, software, whatever. It's one of the few things that gets me engaged the way I was when I first got into programming. Unfortunately, I also lack the patience.


I've always wondered: how lucrative is pentesting as a career? The work seems super interesting, and I've been fascinated by it, but do businesses see the value enough to justify paying >= a software engineer's salary?


So "pentesting" often kinda defaults to "network pentesting" which is closer to an IT job than a software engineering job and its salary range (in general, as you specialize pay goes up regardless).

But there is "application penetration testing" and just application security in general which tends to pay competitively with software engineering. And of course plenty of people do both at the same job.

So pentesting can be competitive but it depends on definitions a bit. That said, on the upper end, software dev tends to have more chances to get a big exit by being part of building something. In security you might be with a consulting firm where you have a slight chance at that, but it's not common for a security guy to have that sort of big exit.


One thing that made me really reevaluate being a pentester was when I talked with someone who'd been a pentester for years, and when I asked him about it he said it was basically just a mean type of QA.

That being said right now security is becoming a very lucrative field and you know what to do to make money in a gold rush especially if you're a software engineer.


Pentesting related to national security or gov work can pay really well with a clearance (and the workload can be really light). I don't know if, in the private sector, pentesting pays better than engineering.

I found most of the pentesting salaries came in lower than engineering ones, and I felt that pentesting was the more difficult job.


More code results in more bugs. You need to throw money at software developers to build something, anything really. Only then do you hire a 3rd party pen-testing company for a few days. That's the way it works in our shop anyway. It's unfortunate, but sometimes the expected velocity to achieve MVP glosses over best security practices.


I’m a pentester. US salaries are about 20-30% less than very competitive dev salaries. Security engineers make a bit more than pentesters, but both are typically less than well-paid dev work.


I like how “having a computer science degree” counts as “zero knowledge” simply because this person didn’t know what XSS meant. Their definition of a newbie is… unsatisfying.


Let's not even go into how the meaning of "hacking" or "hacker" was hijacked. :oldmanyellsatmoon:


I made my way into the coffee kitchen at work, and unplugged the power cords for all the coffee maker machines...instant productivity killer...making me haxor supr3m3!!! Kidding of course!

While I agree with you on the hijacking of the term, I do support more people getting involved with security and especially security awareness. The more, the merrier! So, overall it's a good thing, even if it creates a little pain for folks who are more kung fu gurus of the hacking way. I think a more general term like "security practitioner" might be more apt...but headlines gonna be headlines, hence writers gonna jazz things up with "hacker". Then again, what do I know.


Yeah, I think the original definition somehow persists in hobbyist communities.


“Can you hack-up a noddy to sort out that file corruption?” - Early 90’s software house.

(Very rarely seen “noddy” used to describe an extremely rough throwaway utility program since then, though)


I would say so, considering the website we're on ;)


This happened 30 years ago, maybe it's time to get over it.


The former meaning is still prevalent and rising in use. Enough so that the story was confusing until I figured out which "hacking" they meant.


That's a bit strange given that we're on hacker news.


Ask a stranger in a motel what they think "Hacker News" is about though. I too prefer the original meaning of the term but it's clear which meaning has "won".


Does the dark moon howl?


"Having a CS degree" (or equiv. experience) is basically baseline knowledge floor for hacking. It's not possible to get someone with 0 computer skills in May 2021, and have them cracking bounties by 2022.


One of our most prolific bug bounty hunters did exactly that. And what is even more impressive / exotic is how he finds the bugs. With "just" a browser and very little Burping.

Anecdotal, but it happens.


Honestly that sounds more like a problem with your code base rather than any exceptional skill.


Hosting multiple hundreds of internally built complex services tends to enlarge the attack surface quite drastically.

While I agree most bugs are self-inflicted, there are plenty found in acquired software too.


Where may I read more about said person?


I am not at liberty to dox him :) Asked him, but he prefers his relative anonymity.


Flat out untrue, I know a friend who started in the field out of high school and was getting DA in places before he could even drink.

EDIT: My bad, misread your comment.


What's DA?


Domain Admin. Total control of a Windows network, equivalent to having root on a Linux box.


Direct Access?


Lmao indeed


Yah let me spend all my free time fixing problems for corporations that will pay pennies. Bug bounty culture is just sad.


> When not at the computer, he spends time with his family, or, more accurately, when he is not spending time with his family, he tries to do some bug hunting.

I'm hoping that's hyperbole, but even if it is, the notion sickens me. I really hate the normalization of this idea that anyone who works in this field spends 100% of their leisure time there as well. Get in shape. Make art and music. Build things. Be more than your job. Especially if you have a family. What kind of 1-dimensional example do you want to set for your children?


Your reading comprehension needs tweaking.

The author is clearly showing his family as the priority.

I have no idea what you’re getting on about.


It's you who misunderstands. He means that the time he doesn't spend with his family is dedicated to work (his fulltime job and the bug hunting) and that this 1-dimensionality doesn't set a good example.


> when he is not spending time with his family, he tries to do some bug hunting.

OP must be interpreting the above statement, which implies that this hacker is either with family or basically doing work-related stuff, nothing else.


It’s a tongue in cheek twist on the typical “I work too hard” meme.

Basically OP is deriding the author when the author is subverting the exact same trope that disgusts OP.


Bug bounties are rather pathetic. As you stated it's doing grunt work for corporations that pay 10-100x less than the exploit would fetch on the market.

I can only assume these capitalize on fame because it can lead to jobs in the industry. If it WAS about the money, and (not that I encourage it) your moral compass is sufficiently adjusted, there is far more money to be made selling the exploits for bitcoin elsewhere.

Companies are saving an absolute metric boatload of money by having people work as red team for free, and only paying a pittance to solve most bugs (with some exceptions).


Alternatively, the people who score big bounties become extremely skilled very quickly. That often translates to 300-400k salaries a few years down the line.

