All the shenanigans
So, for years I’ve been fascinated by cyber attacks and the opportunities there
are to trigger unintended behaviors in the software that is so common in our
day-to-day lives now. I remember being like 12 years old, reading a
Phrack article about SQLi, then finding some random
website in a land far far away to test the concept on. I know, some white hats
are probably killing a kitten right now because of ethics, and whatnot. Get over
it – I was a kid and you probably pulled the same shit. Nothing wrong with a little
'or 1=1-- or
Regardless of my youthful exuberance, I was hooked – XSS and SQLi were simply incredible, and mind-blowing. I knew I wanted to be a hacker. Hanging around on IRC taught me that you shut your mouth, read, and practice. Back then, you didn’t have many options for practice. So, like most other hackers of that era, I was into booting people on AIM and Yahoo chat; cruising various clearnet sites hosting various forms of malware – all the stuff of yesteryear that’ll get you arrested nowadays. It was mostly harmless fun, really. A guy I really looked up to wrote Beast in Delphi, and that spurred the realization that I really needed to learn to program, and fast. Writing basic scripts was all well and good, but if I wanted to be a real hacker, I needed to sling real code.
I’ll show you Operation Swordfish
Fast forward a few years, and I had picked up a handful of scripting languages, and the Art of Exploitation Second Edition just came off the press. Oh, man, was I stoked. Knowing just enough C to be dangerous, with some Python and Ruby chops, I was sure to find some great buffer overflow and win the hot girl and have one of those moments from Operation Swordfish. You know, with John Travolta and the girls; you know the scene I’m talking about. All I needed to do now was read this book, pick up some tricks, and be off to collect my prize money.
Lofty dreams those were – it’s been 11 years since Art of Exploitation hit the shelves, and only five since I’ve been a professional software engineer. We won’t talk much about the time before I landed my first developer gig; we’ll just say I deviated from the plan. However, my passion and interest in security hasn’t wavered one bit.
We can’t stop here, this is bat country
In all honesty, I’m indifferent to software engineering. I love the challenge of making a computer do something. There’s something special about writing code and watching this mass of bits start to take shape and perform actions that wouldn’t exist had you not poured your time and mental capacity into making it so. My problem is there have been very few projects I’ve professionally worked on that I gave two shits about. Who cares about the thousandth parallax website or a tracker for people banned from rest areas? I certainly don’t, but it’s paid the bills. With PHP nonetheless – shoot me for it.
At this point, I devote nine plus hours, five days a week to improving a disastrous code base, improving the infrastructure, blue teaming a bit, and generally helping improve the precarious situation my employer brought me on to fix. After hours, every few days, I’ll spend some time hitting up challenges on htb. While I’ve only owned one box and am really close to owning my second, this platform has really lit a fire under my ass again.
Last year, I focused on overthewire.org, but grew tired of the challenges. That, and I hit the second one on narnia and got totally stuck. When you don’t have the time to sit down and focus for extended periods of time writing an exploit to gain root via a buffer overflow, it complicates things and I just kind of lost interest in the platform. I still highly recommend it, especially for beginners as Bandit and Natas will teach you a lot between general Linux knowledge and fundamental web application hacking techniques.