
Learning to Hack through Capture the Flag

February 3, 2023 | Samuel J Morris

How do you learn to hack? How can this be done legally? These are the questions I asked myself growing up, knowing I wanted to go into Computer Science and, more specifically, cybersecurity. When I entered college, the few basic cybersecurity courses on offer weren’t available until junior or senior year, but I wanted to get started right away. This has since changed, with concentrations in cybersecurity becoming abundant and ethical hacking becoming much more mainstream. However, that wasn’t the case going into my freshman year as a computer science student. After some research, I found out about Capture the Flag (CTF) exercises and challenges. These challenges make you find and use exploits in software or computers to ultimately find a hidden flag in the form of a string of text. This seemed like the perfect way for me to get started learning how to hack without annoying friends and family or accidentally breaking the law.

The site of choice for me was HackTheBox; however, back when HackTheBox was less established, you needed to know some simple enumeration techniques just to make an account. After some googling and an hour or so, I was finally able to log in to the site. Little did I know that I had stepped into the deep end of penetration testing by trying an “easy” box. I started up the easy box and followed some basic enumeration techniques to no avail. I spent the better part of a weekend researching red herrings and going down rabbit holes that ended with me making zero progress towards getting the flag. This was my first taste of what it can be like to practice penetration testing.

After giving up on the first box, I discovered there were retired boxes that came with write-ups. This seemed like a better place to start. Once I started on those, I began to recognize the attack vectors that I had tried on the first machine, and with the help of the write-ups, I was able to successfully finish my first machine and get the flag. Continuing to work my way through other machines on the site taught me the fundamentals of penetration testing and helped me develop the mindset and workflows that I use as a professional penetration tester.

Spending dozens of hours to make zero progress can be a frequent occurrence on real-world systems. Unlike HackTheBox, clients’ machines aren’t built to be hacked. The ability not only to be okay with an attack vector not working after hours of trying, but to know when to stop looking into that vector, is vital when it comes to professional penetration testing. Real-world tests are time-boxed to days or weeks, so you need to be able to recognize when a vector is no longer worth pursuing. CTF challenges help shape this mindset, as well as helping us recognize which attack vectors are more promising than others.

A lot of the time, the easier HackTheBox machines use OWASP Top 10 vulnerabilities or common vulnerabilities that have existing public exploits. Completing new machines can also keep you up to date with the latest vulnerabilities that you may not yet know how to exploit.

Note taking is also a vital skill when it comes to pentesting. During CTF challenges, I would take constant notes that I could return to after hours or days in order to know what attacks I had tried and which ones worked. This is a huge skill to have when it comes to taking notes during a real pentest. Notes not only help you keep track of your progress across a week (or weeks) of testing; they also make reporting much easier and simpler when it comes time to report to a client.

All in all, CTF exercises are a fun, challenging, and great way to get exposure to penetration testing, as well as to practice and hone your skills, not just for CTFs but for real-world pentests as well.