Hacker Under Dev

Posts

June 27, 2019

Getting started in Infosec

On Wednesday, April 10th, Misec Lansing held a panel to discuss getting into infosec. Four members of the infosec community shared their stories and advice. I was honored to be on the panel with three others: Kyle Andrus, Melissa Terwilliger, and Brian Martinez. Check out the recorded presentation below to see everyone’s answers! Transitioning from other disciplines to infosec, how should it be done? There is no wrong way to get into infosec.
April 13, 2019

CMU SEI releases tools to build realistic labs

In order to learn something, you need to practice it. When it comes to becoming a hacker, that is done by attacking machines in a lab. There are many ways of doing this, such as building your own, spinning up an OWASP or Metasploitable virtual machine, or using a service like Hack The Box. There’s one common flaw with these labs, though: they’re not realistic. Building realistic labs that look like live environments is a hard task to accomplish.
March 16, 2019

Replacing a forgotten WordPress password

What is the best part of creating a new blog? You create everything, move content, and then get back to the daily grind. Come back to write the next post and, wait, what did I set as the WordPress password? Looks like we’re going to have to overwrite the hash in the database.

```
mysql> SELECT ID, user_login, user_pass FROM wp_users;
+----+------------+------------------------------------+
| ID | user_login | user_pass                          |
+----+------------+------------------------------------+
|  1 | admin      | $P$BThiRip7s2lXh/PBVW7yFnKbQWvDtc0 |
+----+------------+------------------------------------+
```

Here’s the problem though: we need to know how WordPress hashes passwords in version 5.
March 11, 2019

The power of scripting

On March 9th, I was a part of an awesome class hosted by @Ashioni that went over the Bandit challenges from OverTheWire.org. While I attempted the Bandit challenges a few years ago, there are new additions and it’s always good to review how to answer these puzzles. There is never a single solution! In this article, I want to show a few ways we attempted the last challenge of the day.
December 31, 2018

2018 in review

This year seemed to fly by, but looking back a lot has happened. This is a summary of what I did in 2018. Tackling the OSCP If there’s one thing I’m going to struggle with recording on the internet… it’s that I’ve struggled with the OSCP exam three times. With each attempt I have gotten better and better, but I still need to try harder. Looking back, there’s more I need to do in the PWK course.
December 16, 2018

My experience with RuCTFe 2018

This year was my fourth attempt at the RuCTFe competition. I was leading the #misec team this year along with some smart and talented people. For those who are unaware, the RuCTFe is a Russian capture the flag event, held online and open to everyone around the world. This year’s event was in November and it was my first time leading the team. The CTF is an active “red vs blue” game, where each team is given a server of vulnerable applications.
May 13, 2018

Round 3 at Converge

Converge 2018 and Bsides Detroit was May 10-12. 3 days of infosec talks, workshops and challenges. I volunteered this year and had an amazing time (as I usually do at conferences). In case you missed out on the fun or are looking to catch up, check out Irongeek’s website for the recorded talks. Converge is a smaller conference if you’re used to hearing about conferences like Shmoocon, DerbyCon, and Defcon. However, we still manage to fill three days with awesome content.
March 31, 2018

How to quickly get into infosec

A lot of people ask “How do I get into infosec?” but that is a tough question to answer. There is not one path to follow and there is not one destination either. However, if you ask anyone who’s already in the position you’re searching for, a common theme arises: years of experience or thousands of dollars for training. Until you’re able to join a company to pay for that training.
December 31, 2017

2017 in review

Like years before, I want to share a summary of what I have accomplished. While there have been months where I feel like I focused on everything except security, my notes for 2017 turned out to be pretty extensive. One of the first things I did this year was go to Shmoocon. I was not able to get a ticket, but that did not stop me from getting on a plane and tagging along with Infosystir (Amanda)!
November 15, 2017

Online Brute Forcing 101

A good friend once mentioned how cool it’d be to practice brute forcing for a website login. I created a simple web page with a login form. Incorrect logins display a red error message while successful logins show the rest of the web page. There’s no database or complex code behind the webpage. It simply hashes the user input and compares it to a stored value. Before we continue, I must make it blatantly obvious that hacking any online service without consent could land you in a lot of trouble.
© Hacker Under Dev 2023