It’s been 4 years since I started the overthewire.org CTFs, and with that the beginning of my road back to cybersecurity. It’s been a hell of a ride and I wanted to share the whole process and how I’ve always tried to improve along the way.
2020
Summer 2020: it had been 8 months since I started a role in a DevOps team. Going back to technical IT tasks was a game changer after doing more project leadership tasks for a few years: I was going back to what I used to do during engineering school: trying to know how things work, solving problems, discovering new things in a technical IT context. This is what I like doing.
With the goal of going even deeper into technical subjects, I recalled spending some time at college studying ethical hacking and thought it was the occasion to look into it again. After so many years, the thing that struck me the most was the high prevalence of CTFs in cybersecurity! CTFs were everywhere and I thought they would be a fun way to try it.
First overthewire CTFs
I started with the bandit overthewire CTF and I was immediately hooked: I was learning a lot in a challenging and fun way. I went over Linux basics, bash, git, etc. I then jumped onto the natas CTF in order to strengthen my web skills: I went over web apps, PHP, javascript, python, basic web attacks, SQLIs, XXE, LFI, RFI, …
First cybersecurity book
Along the way I felt that I needed foundational knowledge in cybersecurity and offensive security and looked for books: although it was from 2006, a lot of people seemed to recommend it, so I started reading The Art of Security Assessment - Identifying and Preventing Software Vulnerabilities.
It took me 6 months to go over it entirely: I kept a notebook where I wrote down all the key points that I found interesting. I learned a lot during these 6 months: software vulnerabilities, application security reviews, the C language, Linux and Windows internals, … I think that what struck me the most was that many of the concepts covered were still applicable, even for a book from 2006!
2021
Programming
I felt like programming skills were needed so I wanted to improve in this area in parallel: like Natalie Silvanovich from Google Project Zero said, the most important thing someone can do to get started in vulnerability research is develop strong coding skills. I started doing a few levels of the Google Foobar Challenge (which was discontinued in 2024) and kept improving my programming skills: I went over popular frameworks like Angular and Spring Boot and kept learning new languages/frameworks over the years.
CTFs: overthewire, Hackthebox first attempt, TryHackme, Portswigger
I kept doing overthewire’s CTFs: I did Krypton, which was a good intro to cryptography, and then Leviathan. This CTF was the starting point of low-level vulnerabilities: I had my first encounter with x86 assembly, radare2, and the Linux ptrace and strace tools, and I also discovered race conditions/TOCTOU vulnerabilities.
During the 2020 summer I discovered the Hackthebox platform, which promoted several “easy” popular boxes for free. I tried a first box but quickly felt it was too soon: I had little clue about how to proceed when provided with a single IP to attack. Overall I felt that I simply lacked experience.
This is why I switched to the Tryhackme platform: although I dislike being guided during a challenge, I felt this was what I needed: starting with easy boxes and with advice on how to proceed. In parallel I began doing Portswigger web challenges to strengthen this area. At that time I covered topics like OAuth, XSS, SQLIs, SSRF, CORS. I began experimenting with tools like Metasploit, Frida, nmap, Mimikatz.
Windows Lab
Since the beginning I was using Kali Linux and I wanted to go more in depth on the Windows side: I switched from VirtualBox to VMware Player as it was quicker on my laptop and started to create a Windows environment: a personal Windows VM, a Windows Server 2019 VM, a standard domain-joined Windows 10 VM. I started experimenting and discovered Active Directory, I looked at the Wireshark captures when someone logs into a domain-joined machine, I practiced with mimikatz, tried to dump some credentials.
I also looked at Windows courses on Windows drivers, WinDbg and kernel debugging. Overall it was a first approach to the Windows world.
CVE study: Log4j
I mention the famous log4j vulnerability because at that time I had already begun to transition to a more IT security-focused job and was hit like everyone by the vulnerability. I remember discovering it on a Friday night and taking the whole weekend to check whether internal apps were vulnerable. I built a log4j scanner along the way and by Monday morning I had a good view of the impacts on my perimeter.
At that time I went over Java vulnerabilities and unsafe deserialization attacks, and I built a lab to reproduce the vulnerability: I stored for the first time a Java class in an LDAP directory (OpenLDAP) and deeply studied the internals of the log4j library. I thought I knew how the exploit worked but it would only be 6 months later that I discovered my mistake, as we will see.
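The log4j scanner mentioned above is not shown in the post. As an added example (my code, not the author’s tool), here is one way such an inventory check can be written in Python: it walks a directory tree, opens every jar/war/ear including archives nested inside other archives, reads the log4j-core version from the Maven pom.properties metadata and checks whether the JndiLookup class is present. The 2.17.1 threshold is an assumed local patch policy, and the sample archive builder is a constructed test fixture, not a real artifact.

```python
"""Minimal log4j-core inventory scanner (added example, not the author's own tool).
Walks a directory, opens every jar/war/ear (including nested ones), and reports
the log4j-core version found in the Maven metadata plus whether the JndiLookup
class is present."""
import io
import os
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Real paths inside a log4j-core artifact.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")

# Assumption: a local patch policy. Everything below this 2.x version is reported.
MIN_SAFE_VERSION = (2, 17, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass
class Finding:
    path: str                 # "outer.war!WEB-INF/lib/inner.jar" for nested archives
    version: Optional[str]    # None when no Maven metadata was found
    has_jndi_lookup: bool

    @property
    def needs_attention(self) -> bool:
        if self.version is None:
            # log4j classes without version metadata (shaded jars): review manually
            return self.has_jndi_lookup
        return parse_version(self.version) < MIN_SAFE_VERSION


def inspect_archive(data: bytes, label: str, out: List[Finding]) -> None:
    """Inspect one archive given as bytes and recurse into archives it embeds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (corrupt file, wrong extension): skip
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            out.append(Finding(label, version, has_jndi))
        for name in sorted(names):
            if name.endswith(ARCHIVE_EXTS):
                inspect_archive(zf.read(name), f"{label}!{name}", out)


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive below `root`."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def make_sample_archive(version: str, nested_in_war: bool = False) -> bytes:
    """Constructed test fixture: a fake log4j-core jar, optionally embedded in a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class file magic only
    jar = buf.getvalue()
    if not nested_in_war:
        return jar
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar)
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    for fnd in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "REVIEW" if fnd.needs_attention else "ok"
        print(f"{status:7}{fnd.version or '?':10}jndi={fnd.has_jndi_lookup!s:6}{fnd.path}")
```

Run it as `python scanner.py /opt/apps` to list every archive that embeds log4j-core. The recursion into nested archives matters in practice: most of the vulnerable copies in a real estate sit inside war files or fat jars rather than on disk as a standalone log4j-core jar.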
2022
2022 was the year I started to take it to the next level in terms of time spent on cybersecurity topics! I was spending something like 2 hours a day on weekdays and maybe double that on weekends to study. With the feeling that I had to catch up on the years where I didn’t do technical stuff, I went into try-hard mode to recover the “lost” time: 3 hours a day on weekdays and more than 4 hours a day on weekends.
CTFs: end of overthewire and Hackthebox debuts
I kept doing overthewire CTFs and started doing binary exploitation ones: narnia, then behemoth, and then utumno. I discovered this fascinating world and covered compilation, debugging, x86 and amd64 architectures, shellcodes, C vulnerabilities, buffer overflows, executable and non-executable stacks, format strings, GDB debugging, pwngdb, objdump, objcopy and so on. I began to exploit a few memory vulnerabilities.
After ending this series of CTFs, I felt I was ready to tackle Hackthebox: I started with the learning path and after finishing it was confronted with the vast number of boxes and challenges!
I wasn’t sure how to proceed and took the decision that I still follow today: I sorted the boxes in increasing user difficulty rating order and started doing them all!
In that way I wouldn’t be missing an interesting subject! I did the same thing for the challenges but allowed myself sometimes to skip some retired ones because Hackthebox adds a lot of new content along the way.
Hackthebox strategy
This is the strategy I used and still follow today:
- Boxes:
- I do every box in increasing user-difficulty rating order (retired and live boxes): I keep doing retired boxes and I only do a live box when its difficulty is less than or equal to a box that I have already done. Progressively I could do more and more live boxes as I solved retired boxes. The idea was that I prefer spending less time doing easier boxes so that when I arrive at harder boxes the skills I gained would allow me to solve them in less time than if I were tackling them first.
- I allow myself to look for hints only for retired boxes (a compromise between time spent and skills gained), but I never do it for live boxes. This way the live points I gain are earned without any help and better reflect my skills. This means that I sometimes wait 4 months between the time when I’m stuck on a box and the time I look for hints in order to continue it (when the live box is retired).
- The only hiccup of this technique is for “permanent” challenges like fortresses: they never retire so I am on my own to try to overcome obstacles, even if I am stuck.
- Challenges:
- I use the same idea: keep doing live and retired challenges in increasing difficulty order. Because there are multiple categories I rotate the categories so that I always pick the one with the least percentage of completion.
- When I solve a box or a challenge I always look for writeups, especially ippsec’s and 0xdf’s, in order to see possible alternate paths. This additional knowledge is invaluable and I sometimes learnt more when watching an ippsec video than when doing the box!
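The selection rules above (retired boxes in increasing difficulty, a live box only once a box of at least that difficulty has been solved, and challenge categories rotated by lowest completion percentage) can be written down as a small scheduler. The following is an added example of mine, not code from the post: the tie-breaking choices (input order for boxes, category name for equal percentages) are assumptions the post does not state, and the ratings are constructed, not real Hackthebox data.

```python
"""Added example (not from the post): the box/challenge selection rules above
expressed as code, run against constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Box:
    name: str
    difficulty: float   # user-difficulty rating; lower is easier
    retired: bool
    done: bool = False


@dataclass
class Challenge:
    name: str
    category: str
    difficulty: float
    done: bool = False


def pick_next_box(boxes: List[Box]) -> Optional[Box]:
    """Retired boxes in increasing difficulty; a live box is eligible only when its
    difficulty is <= the hardest box already solved. Ties keep input order
    (assumption: the post does not say how ties are broken)."""
    solved = [b.difficulty for b in boxes if b.done]
    ceiling = max(solved) if solved else float("-inf")  # nothing solved: retired only
    eligible = [b for b in boxes if not b.done and (b.retired or b.difficulty <= ceiling)]
    if not eligible:
        return None
    return min(eligible, key=lambda b: b.difficulty)


def completion_by_category(challenges: List[Challenge]) -> Dict[str, float]:
    """Fraction of solved challenges per category."""
    total: Dict[str, int] = {}
    done: Dict[str, int] = {}
    for c in challenges:
        total[c.category] = total.get(c.category, 0) + 1
        if c.done:
            done[c.category] = done.get(c.category, 0) + 1
    return {cat: done.get(cat, 0) / n for cat, n in total.items()}


def pick_next_challenge(challenges: List[Challenge]) -> Optional[Challenge]:
    """Rotate to the category with the lowest completion percentage, then take its
    easiest open challenge. Equal percentages fall back to category name (assumption)."""
    pct = completion_by_category(challenges)
    for cat in sorted(pct, key=lambda c: (pct[c], c)):
        open_ones = [c for c in challenges if c.category == cat and not c.done]
        if open_ones:
            return min(open_ones, key=lambda c: c.difficulty)
    return None


def plan(items, picker, limit: int = 50) -> List[str]:
    """Simulate solving items one after another and return the order of names."""
    order = []
    for _ in range(limit):
        nxt = picker(items)
        if nxt is None:
            break
        nxt.done = True
        order.append(nxt.name)
    return order


def sample_boxes() -> List[Box]:
    # Constructed ratings, not real Hackthebox data.
    return [
        Box("retired-1", 2.0, retired=True),
        Box("retired-2", 3.0, retired=True),
        Box("live-1", 2.5, retired=False),
        Box("live-2", 5.0, retired=False),
        Box("retired-3", 4.5, retired=True),
    ]


def sample_challenges() -> List[Challenge]:
    # Constructed data: web is half done, crypto fully done, pwn untouched.
    return [
        Challenge("web-1", "web", 1.0, done=True),
        Challenge("web-2", "web", 2.0),
        Challenge("pwn-1", "pwn", 1.0),
        Challenge("pwn-2", "pwn", 2.0),
        Challenge("crypto-1", "crypto", 3.0, done=True),
        Challenge("crypto-2", "crypto", 1.0, done=True),
    ]


if __name__ == "__main__":
    print("boxes:", plan(sample_boxes(), pick_next_box))          # live-2 stays out of reach
    print("challenges:", plan(sample_challenges(), pick_next_challenge))
```

On the sample data the box order comes out as retired-1, retired-2, live-1, retired-3: the live box rated 2.5 only becomes eligible after the 3.0 retired box is solved, and the live box rated 5.0 is never reached because no solved box is that hard yet, which is exactly the waiting effect the post describes.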
Yeah, it will take several years to complete even 80% of the tasks but overall I learn a tremendous amount of knowledge and skills, and in a way I have the feeling of going over the history of vulnerabilities by doing all these boxes!
Hackthebox challenges and especially boxes are frequently a rollercoaster for me: I can try hard on a box for days and at the beginning I regularly had the impression of going down every rabbit hole before finding the correct path. What I also like is the variety of domains involved: I don’t feel the need to do other CTF platforms because of this diversity.
Topics learned
This year I learned a lot in the following domains while doing Hackthebox boxes and challenges, for example:
- Cryptography: RSA, PKCS#, padding, ASN.1, DER,…
- Game hacking: cheat engine, using IDA free, Ghidra …
- Web: Zip cracking, ruby deserialization, heartbleed vulnerability, mobile hacking,…
- Windows security: SMB basic attacks, Active Directory, Windows forensics, memory forensics on Windows with Volatility, …
- Network and others: smtp, spf, dkim, dmarc, email spoofing, OSINT beginning, …
- Binary exploitation, reversing: angr, symbolic execution, Z3, return oriented programming, ret2libc, ret2plt, …
Experiments / CVE analysis
- I practiced on the PwnKit Linux CVE in order to build a PoC myself based on the Qualys writeup.
- I went back to the log4j vulnerability and took some time to discover that it was in fact more about sending a JNDI reference than a deserialization vulnerability. I practiced around rogue JNDI topics, the ysoserial tool, Apache Tomcat.
- I wrote an encryptor/decryptor for WebLogic internal keys thanks to decompiling the class of the framework to see how it did it.
- I stepped into the Linux containers world: namespaces, docker, Kubernetes, minikube.
- I practiced around Windows basic exploitation: first rogue DLL, reverse shell, DLL injection, used mona.py, pykd, windbg.
- I took some time to practice and reproduce the Spring4Shell vulnerability in a personal lab to see the flow of the code when the exploitation is made.
2023
2023 was the logical continuation of 2022. It also was the start of Cloud experiments with AWS and of more blue team CTF challenges with the arrival of Hackthebox sherlocks. I kept the momentum of studying different subjects, from low-level stuff (binary exploitation) to high-level ones (cloud security).
Cloud beginnings
I started practicing on AWS with the provisioning of a few EC2 instances. The need was to crack some hashes when doing Hackthebox challenges or boxes! I learnt and practiced on my personal account around the python boto3 AWS SDK, the AWS CLI, lambda dev, lambda enumeration, S3, EC2, IAM, API Gateway, ECS, ECR, Fargate, IAM Identity Center, AWS Organizations, Cognito and so on.
I started the flaws and flaws2 CTFs, and began Cloudgoat challenges.
Cloud environments are something I immediately liked because of the broad and vast skills and technologies they involve: networking, low-level topics for containers, namespaces, programming, interesting attack vectors…
Practice
Amongst other things, I learnt/practiced on the following subjects:
- Web: NoSQL injections, JWT, JWE, JWS, Web sockets, server sent events, Jackson databind library and vulnerabilities, polymorphic typing, Spring Cloud Function SpEL injection, SSRF, gRPC, HPP/2, Python bytecode, the uncompyle6 tool, code objects, Burp suite plugin creation, …
- Crypto: Linear congruential generators (LCG), linear congruence equations, PRNG, quantum computing, lattice problems, length extension attacks, padding oracle attack, entropy, hash rate (and don’t send hashed versions of passwords during authentication!), Diffie-Hellman, Logjam attack, jasypt library, SSH certificate authentication, chosen ciphertext attack, chosen plaintext attack, known plaintext attack, Bleichenbacher 2006 RSA signature forgery attack, …
- Binary exploitation: alphanumeric shellcode, egg hunting, x64dbg, heap exploitation: malloc source code analysis, tcache bins, tcache poisoning, using unsorted bins to leak the libc base address, malloc/free hooks, unsafe unlink, fastbin double free, …
- Mobile hacking: rooting AVD, bypassing SSL pinning with Frida, …
- Hardware, ICS: car hacking (CAN bus), ICS environments, SCADA, modbus, …
- Windows security:
- Active Directory attacks, Kerberos theory and attacks, delegation attacks, Kerberos relaying, the Rubeus tool, harmj0y blog, NT hash, Net-NTLMv1, Net-NTLMv2, Potato attacks, AS-REP roasting, DCSync, ADCS, Certipy, Certify, domain escalation techniques, …
- I studied the code of the mimikatz tool and gained knowledge on credential dumping, SAM, LSA secrets, overpass-the-hash, …
- Blue Team: Windows event logs and different “telemetry” sources, Sigma (generic signatures for SIEMs), the chainsaw tool, NTFS, MFT, MFT parsing, Volatility 3, the Velociraptor tool, …
- Linux: FUSE filesystems, X server, X Window System, kernel exploitation debuts, kernel compilation, …
- Networking: Wifi hacking, 802.11, WPA, WPA2, DNS rebinding, …
- Web3: Blockchain, Merkle trees, Byzantine fault algorithms, smart contracts, Solidity, Foundry, JSON-RPC, cast call vs cast send, …
- Dev, Programming: git internals, C++, g++, mangling/demangling, reversing C++, comparison of IDA vs Ghidra, experiments with the Rust and Go languages, study of the docker environment chain: docker-cli -> docker daemon -> containerd -> runtime shim -> runc, …
- Red team theory: infrastructure, tooling, kill chains, …
2024 so far
PECB Certified Lead Ethical Hacker certification
I don’t do a lot of certifications, but because I transitioned into a cybersecurity role, I went for this one, which was one of the few offensive security certifications available at my position.
I consider it an entry-level certification, less known and of course easier than for example OSCP or Hackthebox CPTS, but I chose it because:
- The exam was a practical one and not multiple choice questions: I had to compromise several machines in different subnets in 6 hours, and then do a full pentest report in the next 24 hours.
- It was a way to show knowledge to others: although it hasn’t changed much the way I see myself, it seems to me that some people do not take you seriously if you have no certification when you transition into cybersecurity.
I enjoyed the preparation because I finally took some time to study a domain I hadn’t really looked into so far: lateral movement and pivoting. I practiced a lot and really appreciated the ligolo-ng tool, which makes pivoting really smooth. Amongst other things I studied for pivoting: sshuttle, nmap analysis, throughput comparison of nmap scans between chisel and ligolo-ng, …
The exam by itself wasn’t difficult and was near the level of the easier Hackthebox easy boxes, but I experienced the pressure of the time-boxed exam situation, which is always a good experience.
Go hard on AWS
Because I was recently working with AWS environments, I went at it like I did before with other technologies by taking a lot of time to study and practice. The subject is so huge that it took me several months before feeling confident in AWS security: there are so many services and in a way I found it difficult at first to isolate a subject: you somehow need a lot of knowledge to comprehend even one specific subject like S3 (many services rely on other core services like IAM, KMS, etc).
I actually enjoy working on AWS a lot and took some time on AWS architecture, core services, experimenting, doing some Terraform, Gitlab-CI (I was working with Jenkins so far), and went on to secure access to an AWS S3 bucket with the data perimeter technique. Check my writeup if you want to know more!
Of course I study offensive and defensive AWS security and some of the tooling involved (Pacu, Prowler, Checkov, …)!
In parallel I progressively do the Cloudgoat scenarios: I always learn new things or tricks when doing these challenges.
Other Cloud provider experiments
I had the occasion of experimenting with the Microsoft Entra ID/Microsoft 365 environment: app development, delegated access vs app-only access, Microsoft Graph, offensive Azure, ROADtools, …
Books
3 years have passed since I started my first security book, and I wanted to take some time on subjects I felt I needed to improve:
- Windows internals: I bought and began Windows Security Internals from the Windows guru James Forshaw (if you don’t know him, look him up ;))
- JavaScript for Hackers from Gareth Heyes (same).
Practice
I spent some time on different topics, for example:
- Web security: .NET deserialization, ViewState deserialization, the ysoserial tool, PHP filter chains, …
- Hardware: I bought a Flipper Zero and started practicing with it. It was a first introduction to sub-GHz, NFC, RFID, infrared, BadUSB, …
- Windows security: amongst other things, I looked into evasion techniques, custom builds of WinPEAS, Dotfuscator, Alcatraz, NimCrypt2, DefenderCheck, InvisibilityCloak and winpspy tooling, …
- AI/Machine learning:
- I recently started looking into the AI/ML world with TensorFlow, Keras, poisoned data sets, lambda layers, distance matrices, pandas, numpy, scikit libs, Kaggle, Hugging Face, …
- I really enjoy this topic so far and want to continue digging into it.
Today
This cybersecurity journey is still ongoing. I’m ending this post with my current “routine” in order to constantly improve (this is in addition to what I do at work of course).
Security news:
Today I look at different sources of security information, mainly:
- Reddit: netsec, programming, red team, OSCP, AWS, machine learning.
- Newsletters: Medium, Pentesterlab, tl;dr sec, Entra.News, Cryptography Dispatches
- Hacker News
- oss-security mailing list
- Github advisories
- Social networks like X, Mastodon, …
Skills:
My core training still revolves around Hackthebox, but I try to add more diversity. I am currently rotating between:
- Hackthebox boxes: the basis to practice offensive security on various subjects, progressively increasing the difficulty.
- Hackthebox challenges (all categories): to stay sharp on CTF-like challenges.
- Hackthebox sherlocks: to keep improving on the defensive side.
- Cloudgoat challenges: to keep practicing on AWS security (my main focus area at the current time).
- Miscellaneous: dedicated time for all the rest: technology study, analysis/practice on a specific topic, research, etc.
I am considering adding another topic: bug bounty hacking. I have been thinking about it for some time, but haven’t really stepped in. The reason for this is simply that I enjoy doing challenges and boxes :).
Generalizing vs specializing:
Overall I currently like to tackle a lot of different areas instead of specializing. I like the fact of being at least efficient on many different subjects because it broadens the perspective and you can find interesting similarities. We’ll see how it goes, I am currently enjoying cloud security and have begun to tackle AI/ML subjects.
Note taking:
I basically note down everything I do or learn. I keep a daily and monthly journal where I put more or less detailed security notes. Every technique, article, vulnerability or resource I find interesting, I add to my notebook (I currently have something like 1700 notes gathered since 2020). Of course, all the challenges, boxes, etc. I do are also noted down.
I think it plays a crucial part for efficiency (being able to quickly look at my notes for a subject) and for learning. Maybe I will do a specific post for that.