Hacking For All

In October of last year I stumbled upon a YouTube channel that looked super nerdy and fun. Indeed it was! Network Chuck is the guy’s name and he was building a K8s cluster using a Raspberry Pi. Bare metal install of K8s? Yes please! After thinking about it a few days, I decided I had to do it. So I did! I blogged about it of course and you can take a peek at K8s Part I and K8s PartII if you are interested. I had a blast building and configuring these and now I have this really great toy to play with.

While looking through this new channel I stumbled into a community that has totally sucked me in. I have always know about Hackers and Cybersecurity, it’s not like it was new information, but I had no idea it was something I could do. I had no idea it could be so fun either. My background is technically diverse to say the least. I have many years as a Linux SysAdmin working on clusters (literally the fastest in the world), many years as a Web Developer, many years in Technical Support, etc. I also have, well had, some of the same basic certification. RHCE, CCNA, VCP, A+, etc. So I have a lot of the same tools in my toolbelt that Pentester has, but never really explored that as an option. I am also not a computer scientist level programmer, and I assumed that because I was not, hacking was out of the question. But it’s not! Truth be told coding is fun as far as troubleshooting, but I only really like debugging code and making it work. Or peeling back the layers to determine why. As far as sitting down a coding, I’d much rather script tasks than write an app.

There are several roles within hacking and Cyber Security, and more importantly, a TON of resources for getting started on the journey. You can pivot into the field with a lot of work and studying. The thing you can not do quickly, of course, is gaining experience. That takes time, so be prepared to sink hours into this, which won’t be an issue if you love it. I personally am not looking to step into that role at the moment, mostly because I love where I work and I don’t see a path towards it there. My goal to have fun, eventually compete on a high level at HackTheBox, and knock out my very first Bug Bounty.

So how does one get started? I personally would start reading some books and watching some videos on YouTube. I have a page here that list these resources, but in particular I would start with a specific book and this article titled “The Conscience of a Hacker“.

Next head over to TryHackMe and HackTheBox Academy (HackTheBox as well) and start learning. Both have free resources and paid. The paid is worth it, 100%. I would then get connected on LinkedIn and start looking at what folks in this field do.

My next step is to dive in and learn some more in person with professionals. I am heading to WildWestHackinFest in May, which is a conference and training centered on hacking and Cyber Security. The eJPT is a certification I have my eye on next, As a basic entry level cert it represents all the hours I have poured into studying and demonstrates competency. Ultimately my desire is to contribute with the community at large to make the web a safe place.

Advent of Cyber

TryHackMe

Over at TryHackMe you can get into the Christmas spirit and hone some of your hacking skills at the same time! The Advent Of Christmas event is a free event geared at getting started with cybersecurity. It’s a lot of fun. So far it’s been very, very basic, but I hear the difficulty is going to be increased as the month proceeds.

There are prizes for completing the challenges and a cool certificate when done. I love that various hackers and security professionals in the Cybersecurity community are taking turns providing walk through video. I am finding it to be a really cool thing to do each morning until the 25th. I strongly suggest a cup of coffee or hot coco.

TIL: Injection

Today I Learned:

I studied for over 10 hours today! I learned quite a bit, as well as a lot of review. One of the most fun things I learned at HackTheBox was this:

Using Burp Suite and the repeater (as one method, you could also use cURL, etc.) you can send the following:

 username=admin&password[$ge]=0 

Along with changing the content type to:

 application/x-www-form-urlencoded 

to attempt injection. It won’t work on most web servers because of the brackets, but if a REST API is active, it may work, effectively turning the request into JSON:

{ "username" : "admin", "password" : {"$ge":"0"} }

This won’t work every time as it really depends on the code, but it was something very cool to learn.

Today I also learned about Xmind and Obsidian. Check them out, they are pre

OTP with Yubico YubiKey 4

YubiKey 4

Yubico makes this amazing device that supports two-factor authentication. The YubiKey. It has two slots that can be configured for different services. I have slot one configured for OTP (One Time Password) and one slot configured for a very secure static password. To use slot one, you place your finger on the gold “y” emblem that’s lit by a green LED. To use slot two, hold your finger down for 3-4 seconds.

This works great with LastPass so that entering a password for any site takes just the touch of a button. Every site and app can have a very secure password that I never have to remember. And logging into my laptop is the same. Slip the key into the USB slot and hold the key for 3-4 seconds and I am logged in!

I love the added security and ease. When I worked for the Government I had an RSA OTP that I loved. In fact getting my user’s linux machines to work with it was one of my first tasks as an admin. OTP is my preferred method.

Meet the YubiKey! from Yubico on Vimeo.