cat ~/.bash_history

All the shenanigans

So, for years I’ve been fascinated by cyber attacks and the opportunities there are to trigger unintended behaviors in the software that are so common in our day to day lives now. I remember being like 12 years old, reading a phrack article about SQLi, then finding some random website in a land far far away to test the concept on. I know, some white hats are probably killing a kitten right now because of ethics, and whatnot. Get over it – I was a kid and you probably pulled the same shit. Nothing wrong with a little 'or 1=1-- or <script>alert('h4xed');</scrpt>.

Regardless my youthful exuberance, I was hooked – XSS and SQLi were simply incredible, and mind blowing. I knew I wanted to be a hacker. Hanging around on IRC taught that you shut your mouth, read, and practice. Back then, you didn’t have many options for practice. So, like most other hackers of that era, I was into booting people on AIM and Yahoo chat; cruising various clearnet sites hosting various forms of malware – all the stuff of yesteryear that’ll get you arrested now adays. It was mostly harmless fun, really. A guy I really looked up to wrote Beast in delphi, and that spurred the realization that I really needed to learn to program, and fast. Writing basic scripts was all well and good, but if I wanted to be a real hacker, I needed to sling real code.

Gonna learn today

I’ll show you Operation Swordfish

Fast forward a few years, and I had picked up a handful of scripting languages, and the Art of Exploitation Second Edition just came off the press. Oh, man, was I stoked. Knowing just enough C to be dangerous, with some Python and Ruby chops, I was sure to find some great buffer overflow and win the hot girl and have one of those moments from Operation Swordfish. You know, with John Travolta and the girls; you know the scene I’m talking about. All I needed to do now was read this book, pick up some tricks, and be off to the collect my prize money.

Me, had stayed the course

Lofty dreams those were – it’s been 11 years since Art of Exploitation hit the shelves, and only five since I’ve been a professional software engineer. We won’t talk much about the time before I landed my first developer gig; we’ll just say I deviated from the plan. However, my passion and interest in security hasn’t waivered one bit.

We can’t stop here, this is bat country

In all honesty, I’m indifferent to software engineering. I love the challenge of making a computer do something. There’s something special about writing code and watching this mass of bits start to take shape and perform actions that wouldn’t exist had you not poured your time and mental capacity into making it so. My problem is there have been very few projects I’ve professionally worked on that I gave two shits about. Who cares about the thousandth parallax website or a tracker for people banned from rest areas? I certainly don’t, but it’s paid the bills. With PHP nonetheless – shoot me for it.

At this point, I devote nine plus hours, five days a week to improving a disasterous code base, improving the infrastructure, blue teaming a bit, and generally helping improve the precarious situation my employer brought me on to fix. After hours, every few days, I’ll spend some time hitting up challenges on htb. While I’ve only owned one box and am really close to owning my second, this platform has really lit a fire under my ass again.

Last year, I focused on, but grew tired of the challenges. That, and I hit the second one on narnia and got totally stuck. When you don’t have the time to sit down and focus for extended periods of time writing an exploit to gain root via a buffer overflow, it complicates things and I just kind of lost interest in the platform. I still highly recommend it, especially for beginners as Bandit and Natas will teach you a lot between general Linux knowledge and fundamental web application hacking techniques.

All in all, I’m pushing forward. I’m going to start writing write-ups for the boxes I complete on htb as I complete them, but holding them until the box is retired (per their terms of use). If you’re on there, let’s link up! I’d love to be making friends and networking in the industry, because frankly, development isn’t what I wanted to do when I started this journey. Despite that, my years of development will serve me well as I transition to the dark side – it’s a matter of time before finding the shop that will have me.

Stay tuned.