In the past year I’ve put a lot of effort into developing habits that utilize small incremental activities (usually scheduled daily) focusing more on being consistent rather than any big all-or-nothing efforts. The latter makes it all too easy to procrastinate and put off activities when you’re not feeling at your best, and on average means much less actually gets accomplished.
Though not directly info-sec related I’m really proud of the fact that I’ve made fitness more of a priority in my life and that it’s made such a positive impact on well-being, how I feel at home, work, everywhere. It’s also really cool to see how many people in this community are involved with running, weight lifting, etc. when the more stereotypical identity of people in IT is bad diet, staying up late, and inactivity. Likewise I see so many more conference talks now addressing issues of mental illness, burnout, impostor syndrome, etc. On a personal level I’ve found Stoicism incredibly helpful (a great introduction can be found here) in helping to manage stress, cultivate mindfulness, and maintain a healthy outlook.
Again not directly an info-sec pursuit but I’ve also been learning a new language and taking formal classes to help do so. I’m not a very naturally social person. I’m very introverted and shy. The theory of learning the mechanics/grammar of a language is similar to learning a computer language or math, but the practice is something different entirely. You’re regularly fumbling with words in front of other people, you’re frequently confused or say the wrong thing, and if you’re not always somewhat out of your comfort zone you’re probably not learning or getting better. I think I’ve gotten marginally better at being at peace with being uncomfortable through this process and I do actually think it’s an invaluable skill to apply elsewhere in life. If you feel too stupid or embarrassed to ask a question you won’t grow, and all these little occurrences will add up over time. Your ego isn’t your friend.
With all that said I’d like to add only a couple modest development goals for the year:
Read more! (passive) – More fun and less of a straight technical read; I will be starting with Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. 30 minutes per day minimum.
Publish more write-ups! (engaged) – Whether it be for Kringlecon, HacktheBox, Virtualbox, whatever. Even if it’s for a relatively simple box, I need to keep these up to maintain my skills and keep learning. A lot of the required mental puzzle-solving is immensely satisfying as well! 1 per month minimum.
After far too long I am again going to return to my OSCP studies with an aim to retake the exam in either September or October. My initial plan is to review all OSCP materials and try to come up with a comprehensive list of my deficiencies and skills I would like to build on. Once I am feeling fairly confident these have been worked on sufficiently I will move on to another lab period and test out what I have learned and then reassess where I’m at.
Maybe one of the biggest challenges of OSCP for me so far is accepting failure and how to move forward from it. With a lot of leftover perfectionist tendencies I need to get away from the feeling that I need to do something in an all-or-nothing fashion, that incremental steady improvements are key, and that I need to become more comfortable…being uncomfortable. There is little growth or opportunity in taking things on that you know ahead of time you can easily do well.
This will be a placeholder for thoughts and additional items of study.
I absolutely need to improve Windows pen-testing familiarity + identifying avenues for privilege escalation. Unsure if this is due to mostly doing Linux lab machines, or living too much in Linux-land in general, but those machines always feel unnaturally difficult to get traction on.
After initial enumeration I need to develop good methods (maybe just practice) of separating out what services to focus on and devote most of my energy to. In both lab and exam machines I tended to waste too much time on things that did not pan out.
Outside of pure technical knowledge I would also like to pick up a good general hacking theory book to get me thinking more laterally.
Of less importance directly, but I’m going to try to embrace vim as my main text editor and try to get better with shortcuts/etc. (VIM Adventures is pretty awesome!)
I’ll continue to update this as I think of additional items… (last updated 7/13/2019)
The Web Application Hacker’s Handbook – Finding and Exploiting Security Flaws (2nd edition)
I knew failing the exam was a distinct possibility and that many people I know have failed once or more before finally passing but it still hurts a bit to go through all that preparation to end up with a big reality check. Continue reading “Nov 9th OSCP Exam Attempt”
After a long holiday break working through the SANS Holiday Hack Challenge & HTB machines it’s time for another writeup to ring in the new year! As indicated by the author this should be a beginner/intermediate level machine.
Starting off we’ll scan for the target’s assigned IP:
I was all set to get started on another VM (g0rmint) but ultimately couldn’t get networking to work with it under VirtualBox using NAT/bridge/host-only or any other type of adapter and trying out other misc. settings. Sad times.
So in its place I’ll be doing “The Ether”, another VM that was pretty recently posted to Vulnhub. The author hints this is not for beginners and hopes for some OSCPers to try it out so hopefully this should be a good challenge. 🙂
This is another VM from Vulnhub that was recommended on Abatchy’s blog for OSCP preparation. I think this will be the last Linux box for a while and I will try to delve into vulninjector or other Windows-based vulnerable systems. This one has been marked as intermediate-level difficulty so hopefully will be a bit more challenging than the previous one! Let’s get started. Continue reading “Brainpan: 1 – Vulnhub Writeup”