First week of 2024

Well, a lot has happened in the last week, and I want to talk about that, at least in part, and also about a topic that has come up in my discussions lately.

New year, new job

I have started a new position at a different company, this one being specifically oriented towards penetration testing. It has been one week, but there have been some great findings so far:

  • Devices: I was told I can put anything I want on my work laptop. This means Debian on the host (light as hell) and QEMU for everything else. I’m surprised how fast QEMU runs on this machine, but I had to make the switch to QEMU one day anyway.
  • Workspace: This company does not use Microsoft Teams, which I had been using for three years; instead, I now have to learn Google Workspace. It hurts, but it gives me all the more motivation not to put anything in there that relates to me personally.
  • Projects: Even before I started, I got onboarded into the “project timeline” schedule, and it’s nothing short of incredible. It’s all local projects, but they range from financial companies and online businesses all the way to goddamn critical infrastructure! The project types go much deeper as well: not just general “test this new server” jobs, but internal, external, and red-teaming engagements. This company sells it all, and if all goes well, I’ll be a part of that!

Overall, it seems like a great job to start.

The first week

In the first week, I was onboarded into several projects, took part in multiple meetings I should not have been allowed in (as the manager said, to “show me the ropes”), and I will be shadowing my colleagues for a few weeks more before getting let off the leash to take part in stuff as a proper hacker. The onboarding, I must say, was quite smooth; they didn’t explain useless stuff to me, only the things that are new, i.e. everything around the actual pentest. One thing I have to say is that I’m quite weak at web applications, and I am not going to hide that fact. As I hear a lot, a lie has short legs and cannot run very far, so it’s better to present all my shortcomings now than to say later “yeah, well, I don’t actually know shit about what you asked me.” Furthermore, this way everyone knows when to talk to me like I’m five years old.

Thanks to my early onboarding, I knew that I’d have a “shadow” project, where I watch and work together with my colleagues to learn how things are done. That’s awesome. What I did not expect was to be writing SOPs on the first day. This may sound dumb, because I am very, very new to the company, but at the same time, who would be better suited to update an onboarding document than the guy who’s currently going through onboarding? If you’re a manager and are onboarding someone, have them update the onboarding document. You’ll be more up-to-date and better off for it.

The rest of the week, I was basically jumping from meeting to meeting, getting to know the people at the company, and solving the few issues that I had with my Linux setup. Over time, I think I’ll ditch XFCE4 on my laptop for i3wm, because I always find myself using the i3wm shortcuts I’m used to.

A motivation to learn

During the first week, I found that a change in motivation can make learning much easier to digest. Take the Portswigger Academy as an example.

What is the Portswigger academy?

Portswigger is the company behind Burp Suite. To make understanding their tool easier, they made the Portswigger Academy, which explains why each exploit works and provides labs to try them out for yourself.

Every time I started the academy, I ran into one issue: it was never a necessity, and something like WiFi or internal networks always seemed more fun. When I started in my previous job, I was told “if you want, you can try these.” Well, guess what, I never wanted to do webapps, because a year passed between my starting the course and any actual pentest needing that skill. By then I had forgotten all about the Portswigger academy and was as lost as on the first day.

Now, when I came to the office, I sat next to my two colleagues, and the motivation was palpable from the get-go. There is a reason why I was asked to go to the office more often during my probation period: to learn how people communicate. And it was the motivator I had been looking for ever since I got into security.

Let me explain. Up until now, I didn’t feel like I had anyone to talk to or learn from about stuff like cross-site scripting, SQL injection, SSTI, CSRF, SSRF, and all the good webapp shit. I was alone in the office, then with one colleague, but apart from him, I couldn’t easily strike up a conversation and learn from someone around me. Fast-forward to the first day at the new job, and my colleagues are talking about a cool XSS finding, some other findings and exploits, and I realized that to fit in, I have to understand what they’re talking about. It’s not really like getting dropped into a foreign country and not speaking the language at all, but some details and nuance went over my head.

This means that Portswigger academy, the previously boring and forced training, now feels like a thing I have to get good at. To quote my colleague, “this is literally 80% of the work you’ll do here, so it’s good to read up on.” He was also kind enough to give me a specific goal, not just “Hey, go into Portswigger and do labs.” He said (and I urge you to do the same if you want to get better at webapps and haven’t done all the labs yet):

Take 3 vulnerability types (XSS, SQLi, SSTI, etc.) you’re comfortable with and understand. Do 2 labs each, Apprentice or Practitioner level. Then, pick two vulnerability classes you are not familiar with, read up on them, and then do 2 Apprentice labs each for those.

Not only is this a great way to start (don’t push for expert level and get frustrated on your first day), but it’s also an actionable goal I can reasonably achieve! The dozens and dozens of Burp Suite labs that you can just lose your mind on are pared down to 10, which can take 30 minutes each including the reading. If the next task is “do 10 more from Practitioner,” I’ll be okay with that!

The change is remarkable. Years ago, it was boredom central, now it’s the beginning of a new potential specialization of mine!

What the future holds

I don’t know about your plans, but mine seem to revolve a lot around hacking the planet, training on occasion, and getting more 1337 than I am now (i.e. zero). I hope your plans for the year are as exciting as mine, and I hope you enjoy the rest of your day.

See you in the next one!