I gave a presentation at the local DEFCON610 group talking about my journey with Hack the Box. My main motivation and point of the talk was to motivate others to also dive right in.
- If you don’t know how to do something, that is OK and perfectly normal.
- You can hack stuff, even if you never have before.
- If you feel like you’re not smart enough, not talented enough, or any other excuse, you’re 100% wrong.
- Simply dive right in and learn as you go!
- There is a ton of info to learn, but you can learn it over time.
- Emulate ippsec and other big players, stand on shoulders of giants and accept virtual mentorship.
Slides
Recommended Books
I recommend these books to get started and in this approximate order. The first 3 are an absolute though, you really need to get your hands on them and consume them.
- “Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman (Amazon)
- “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws 2nd Edition” by Dafydd Stuttard, Marcus Pinto (Amazon)
- “RTFM: Red Team Field Manual” by Ben Clark (Amazon)
- “Breaking into Information Security: Learning the Ropes 101” by Andy Gill (Leanpub)
- “The Hacker Playbook 2: Practical Guide To Penetration Testing” by Peter Kim (Amazon)
- “Hacker Methodology Handbook” by Thomas Bobeck (Amazon)
- “Hash Crack: Password Cracking Manual (v3)” by Joshua Picolet (Amazon)
- “Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity” by Marcus J. Carey, Jennifer Jin (Amazon)
- “Dissecting the Hack: The F0rb1dd3n Network, Revised Edition” by Jayson E. Street, Kent Nabors, Brian Baskin (Amazon)
- “Pentest+: A Practitioners Study Guide” by David L Evenden (Amazon)
Vulnhub
This is also the post I was referenced during the presentation, about Vulnhub or HTB machines to hack into (OSCP prep focused helps because those machines are more “real world” and not so much CTF-silliness): https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html#vulnerable-machines
With VulnHub you can download the virtual machines to your computer for use in VirtualBox or VMware (Player/Fusion/Workstation Pro), and do it offline (I started doing them at lunch time at work and at home in isolation before going to HTB).
All of this is free (except for VMware Fusion and Workstation Pro). I prefer VMware Workstation Pro.
For infosec and hacking stuff, everyone is on Twitter. Here is a good list to get you started. Check out my “Hackers | Pentesters” list.
Remember that it is a social network, so be sure to engage with folks. Don’t be a lamer that only reposts things without comment. Add to the conversation and converse with real humans!
OSCP Reporting – Markdown to PDF
I mentioned using markdown to take notes and then using a tool to convert the markdown into formatted PDF documents. Here is the awesome teacher John Hammond talking about it.
- Tooling to convert markdown to PDF: https://github.com/noraj/OSCP-Exam-Report-Template-Markdown
- John Hammond’s little helper scripts: https://github.com/JohnHammond/oscp-notetaking