Hack the Box, CTF, challenges, and ethical hacking (+ some thoughts about courses)

During the last few years I've bought some Udemy courses when someone has suggested them. Mostly they are related to security and hacking, because that's the high-level topic in ICT which interests me most.

Yes, I've bought them. And hadn't started any. Until this summer.

In the past, if you wanted to learn some new skill in the ICT world, you usually attended a 3-5 day course, which normally cost some thousands of euros. Quite costly, too much information in a short time span, and it required many days off from work plus traveling. Then came the online courses. They cost less, you can follow the videos as you wish on your own schedule, and you get community reviews for courses before buying them. I'm not fully sure, but I suppose that the instructors get some amount of money for every attendee, and no one wants to spend their money (or time) on a poorly made course. Thus every instructor has an incentive to make their course as good as possible.

At the moment Udemy and Pluralsight seem to be the most suggested platforms, at least in these parts of the world. The biggest downside is that you need to understand English well enough, but usually that's not an issue for people working in the ICT world.

I've invested some money in these courses and I don't want to make bad or unnecessary investments, so better to make some use of them. I decided to start with this Practical Ethical Hacking course; it starts from the basics of the basics, but you can skip the things you know well enough. My background is mostly in blue teaming, so even though I have been interested in the penetration part and red teaming, and had quite a good general understanding of how you should approach the actual penetration test part, I didn't have actual experience in getting access to unknown machines.

The instructor in this course is really good and the technical quality is good enough. I have some background in sound and video production, so I can't stand bad quality or the sound changing too much between various videos. I would say that especially if you are starting your hacking career or don't yet know much, this course is one to start your learning process with. The course will go deep, but the instructor explains really well what he's doing.

While watching those videos I finally decided to get my hands dirty and put my Hack The Box subscription to good use. I've been participating remotely in HTB events of the Citysec community, and have done some hacking during those, but hadn't actually rooted any machine before. I bought the subscription in the spring because I thought that I would have time, but our spring was quite... hectic. We are a foster family on call and had our house full of kids during the corona crisis. Not much time for my own hobbies inside that chaos.

HTB is one of the sites offering Capture the Flag type challenges. Basically it means that you have some machine you need to get access to. You might have some info, often the name implies something, but not always. When you are in, there are two flags you'll need to find, user and root/admin. A flag is some random string which is clearly marked when you find it, and you input it into the CTF system UI to get your points for breaking into that particular system.

CTF in general can be more than just breaking into machines; it can include cracking crypto, programming, reverse engineering and exploitation. HTB also offers these additional things, but for now I'm mostly interested in the exploitation process.

HTB offers free and paid access. You can use the free version quite well, but it has limitations. Thus, if you really want to learn the process, it's better to pay for access; it's only £10/month. Free machines can get a bit overcrowded every now and then, which makes cracking them harder. And with the paid version you also get access to the retired machines, which have walk-throughs available. HTB publishes the official how-to for every retired machine, and users are allowed to publish their own after the machine has been retired. Those are a really good way to learn new things!

