Becoming a (very Jn.) Hacker, how to, and my 1st Black Box Test

~ This is not a technical post, its a story post.
~ A story to whom just like stories, or to whom like to learn some lessons, and especially to anyone that wants to become a hacker.

Lately (like 6 last months) i'm starting to really go into hacking, it always interested me, but i could never find the time, plus, there was always another challenge @work like the new Angular.

But with time and effort, payment has become bigger, and with it my time.

And the 1st thing was how... from some videos and many SQL injections or XSS, DVWA ect. I didnt feel i'm learning anything other then extra web security.

Finally i found OverTheWire website, and finally i learn some "real" things, linux, php, memory, crypto, ssh, ect., all basics that I, as a web-programmer, had no clue. Only the web-based challenges were "natural" for me.

I can say that there I learned lesson no.1 - LEARNING.
In the world of hacking, you must be a weary-less learner, new things every time again, and start digging into finding a tweak, and i'm talking even for being just a simple white-hat, pen-test, or bug hunter. Those heavy-duty red-team, black-hat, researchers ect., all that is just the beginning.

But we are in the beginning.

Eventually i saw i am not making progress, so i just join a great course, HDE course, which was really great, i learned there basic networking and services, basic attack and how to manually implement them, Metasploit framework, and my 1st black-box test to be told soon.

I learned there 2 lessons
 - 1st thing to become a hacker is to create yourself a lab with the poorest OS, WinXP and Metasploitable, and start working on the very basics, nmap and metasploit.

 - 2nd is that if you're going to be really awesome at something, you (usually) don't need any help.

nobody ever taught me to program, i love it and i'm a self-learner ever since i was 8 years old, and always found my way into anything i made, how to do it good and right and better, and found most of the solutions alone.

here i needed help, and most solutions came with help.

and the joy, i have a lot of joy with every hacking challenge, but with a good programming challenge or project, its even more.

I'm not about to quit on hacking, its really fun and challenging, but i know now that's its all about my own passions. so really, if you want to be a good hacker, you need the passion.

Last week we had the test, and the solution was quite easy, 3 machines, 2 unresolvable, and one with a shaming robots.txt with all we needed, including a login-form, passed by " ' or 1=1 ", there View-Source to find the file-upload page in the html, shell, read some admin-account .bash_history file to find a record with the new password, and guess the right user which is a sudoer (connect via ssh).

1st I really though that this one is the honey-pot since is was very resolvable. Then I tried to extract info with the login form instead of passing it. lastly i tried many exploits which failed, probably since i tried to get the shell from withing the php shell.

lessons  learned -
 - keep it simple. if its unresolvable, its not that. I even read that its the same with OSCP.
 - keep it simple. a login page is to be passed into members zone.
 - keep it simple. collect data before going into heavy duty exploits.
 - practice. and the saying, "practice makes perfects".

So you wanna be a hacker?

here is my tip to start:

1. DO IT SLOW. it's gonna be alot of learning and googling, and when you go for an answer, try to understand how could you get it alone.

2. go do OverTheWire. At least the initial 3.

3. Make yourself a nice lab:
 - buy a nice SSD 250GB+ and install a nice linux there like Mint. Don't dual-boot.
 - download VirtualBox or VMWare and install the following:
    - Metasploitable.
    - WinXP
    - Kali Linux
 - and start practicing nmap and metasploit. no new tools, only these 2 until you make everything.
 - when done, find blogs that explain how to manually write some of these exploits, no metasploit.
 - at some time, make manually MitM attack (with netcat its easier than browser)
 - ohh, and play with netcat.

4. Learn how to program, the hacker side
 - C.
 - and then learn about the stack and memory
 - and then understand super good how buffer-overflow works until you are able to send a payload via this.
 - and then python.
 - and finish OverTheWire part 4 - narnia.

5. Web. you must learn web. and networking.
 - learn web and networking
 - make a website
 - make another one with a CMS
 - go practice OWASP, and DVWA (in metasploitable). feel good with Burp, and aslo learn how you can make most of these attacks with AJAX or CURL. dont use fancy stuff, learn these 3 really good.
 - and then start playing with bug-bounties.

I believe that doing all this will give you the real hard-basics, and if you take your time learning those, with some basic readings about encoding and crypto, you're on a good path to be a really real good hacker. Just take it easy and simple.

For me, i'm left into finishing 4, after doing most of the others.

Happy Hacking!


Post a Comment

Popular posts from this blog

OverTheWire[.com] Natas Walkthrough - JUST HINT, NO SPOILERS

SOLVED The item could not be indexed successfully because the item failed in the indexing subsystem

Asp.Net Ending Response options, Response.End() vs CompleteRequest()