2017 in review
Like years before, I want to share a summary of what I have accomplished. While there has been months where I feel like I focused on everything except security, my notes for 2017 turned out to be pretty extensive.
One of the first things I did this year was go to Shmoocon. I was not able to get a ticket, but that did not stop me from getting on a plane and tagging along with Infosystir (Amanda)! While there I was able to score a ticket from Lintile by completing his crypto challenge. In DC, I met Amanda’s co-author and her publisher of the Defensive Security Handbook. After shmoocon, Amanda and I rented a car to go to Shmoocon Epilogue. A “bsides” style event where we attended a training session by Mubix on the Metasploit framework (msf). This was the first time I got to see how msf really worked.
In February, I got a chance to take another swing at a CTF made by my friend, Jayson. I first attempted CTF-NG at Converge in 2016 and tried my best to find cards, which were the CTF’s “flags”, using Armitage. This time around, I was able to find better results by using an approach that Jayson recommended. He said to treat it “like a real pen test”. Find all the targets, scan them for information, and enumerate the services before trying to attack anything. The information found this way led me to a lot more answers then what I saw by attempting “random hail marys”. I lost the picture I took, but was able to find a rare card by doing one of the things I learned from Jayson while we did the overthewire bandit challenges.
Also in the beginning of the year, I worked with Taco_pirate and Misec’s leadership to rebuild the misec website. I also worked to bridge the IRC channel with a new Slack channel. Now members of Misec can see a calendar of events on the website and talk about all kinds of topics on Slack.
In April, there was a panel in Southfield about building a community in information security. The speakers were great and it was awesome to be at one of the larger Misec meetings. I learned that if you want to grow your local community, go to conferences then find people on Twitter. Find the closest citysec group or band together with friends and start your own.
Another project I worked on was to setup a VPN. Instead of paying for a professional VPN, I setup an instance of Algo and wrote about my experience. I have since switched to a paid VPN service called ProtonVPN. Issues started when the Algo VPN could not stay connected when I needed to be online.
In May, I had a lot change. I stopped working on the web application security team at Vertafore and started working at another company. I eventually moved back in with my parents to start working from their basement like every other young hacker. Since I moved away from Lansing, I also handed the reigns over for the local Misec chapter to Jedi_solomon. Converge Detroit was also in May and I volunteered. Kevin Johnson and Vajkat of SecureIdeas gave training on web application security. It was based on Kevin’s Samurai web testing framework, a virtual machine with tools and vulnerable applications to practice on.
The Cyber defense team of Baker college in Jackson invited some of the folks from Misec to participate in Hack the Arch. Of the team composed of CCDC students and Misec members, we ranked in the top 20% of all teams (some of our teams did even better). It was a good learning experience because challenges ranged from network analysis and steganography to application security and database interaction. I want to give another shout out to Vajkat for letting me crash at her place so I didn’t have to drive to the CTF early in the morning.
In July, I gave two talks for Misec. In Jackson, I shared a talk with Hilary on ways to brute force a web login. She covered Hydra and the theory behind brute forcing while I covered using Burp intruder and how I built a simple php login form that looked like a google login page. In Lansing, I gave a full presentation on Web App testing. This was a collective effort to get through the challenges offered by OWASP’s Juice Shop vulnerable web application. As a group, we got through all of the 1-3 star challenges (out of 5 stars total).
Blackhat USA was in August and I was lucky enough to attend this year. In 2016 I volunteered at Bsides Las vegas and went to Defcon. This year at Blackhat I went to Offensive Security’s training courses (similar to PWK) and got to meet most of the OffSec team. I learned a lot and met with some awesome people. I even got to borrow a defcon pass for a day and slip away to see some talks and friends from Misec. Once I was home from the conference, I also spent some time with my 3D printer to make a case for a TV-B-GONE from Adafruit.
In September, I gave a lightning talk at Lansing. Titled “Intro to Metasploit”, it was an attempt to share my knowledge of msf. I tried to cover some of the basics. However it was not a complete introduction.
By the time October came around, it felt like the year had flown by. Attempted the OSCP I learned still have a lot of studying ahead of me. After struggling with the exam, I also started practicing with HackTheBox, a free collection of VMs to practice my hacking skills.
I volunteered at GrrCON and had a blast the entire weekend. GrrCON always has an amazing staff and interesting talks. While there I roomed with Taco_pirate and Hilary gave her first conference talk which was on open source intelligence.
My dad and I built a small lock picking tower. Which enabled me to move from practicing my lock pick skills on padlocks and handcuffs, to door knobs and deadbolts. I hope to share my tower with others and show how easy it is to pick locks.
December has been a fun, yet busy month as well. It started with the RuCTFE. This year the Misec team worked with the Cyber Defense team at Baker college of Auburn Hills like last year. This time around we had a rough start getting our team online and didn’t do very well in the rankings. The important thing to take away is that we were able to review the vulnerable image and discuss ways of finding how to get the flags from other teams. Last year we got lucky and another team posted their script for exploiting one of the apps. This year wasn’t as smooth.
Amanda put on HackerSanta again this year and it’s been a huge success. For one thing there are so many santas this year that Amanda learned how to script her emailing process instead of doing it by hand, yay automation. I hope my recipient enjoyed his gift. I really enjoyed mine, I was able to figure out who my santa was thanks to Twitter and one of my gifts. HackerSanta is a fun, friendly exercise in open source intelligence.
I gave another set of Misec talks for December as well. In Jackson I did another lightning talk about the brute force login page but focused on using Burp suite. In Southfield, I compared OWASP ZAP vs Burp Suite. If there is one thing I have learned from all my Misec presentations this year, it’s that live demos NEVER work the way you expect.
To wrap up the year I started researching cryptocurrency, specifically Ethereum and ether. I think there’s a base for cryptocurrency to make its mark on the future of online transactions. Wether or not I invest in the idea, it would be silly to not to learn more about the technology.
Goals for 2018
While 2017 was pretty busy, I have some big goals for next year. First and most importantly, I want to pass the OSCP. I’ve spent most of 2017 learning a bit at a time. Come January I plan on treating it like a a second job.
I want to put my bookshelf to good use by actually opening some of the books I’ve collected over the last few years. Books like Black Hat Python and PoC||GTFO have yet to be opened. While others have been skimmed but not fully understood. Not to mention I’ve gotten dozens of digital books from humble bundles and other repositories that are worth reading. Last year I built a desktop computer to use as a home lab. The computer currently sits in my room gathering dust. In 2018, I’d like to put Da_667‘s book on building a home lab to good use and build a home lab.
Going to conferences means learning more and supporting the community. I’d like to attend at least 3 or 4 conferences this year. I also plan on submitting to GrrCON’s and Converge’s CFPs this year if all goes as planned.
Of course I’d also like to post more blog posts as well. Posts been few and far between this year. This blog has been more of a collection of my experience in infosec. It is an outlet for me to share what I know with the rest of the community.
What are your goals for 2018? Happy New Year everyone, may things go well for all of us!