An ex psychologist’s journey into Cyber Security
2024-7-29 19:28:2 Author: securitycafe.ro(查看原文) 阅读量:12 收藏

How it all started

What if I told you that the machines with 99 percentage fail chance wouldn’t do it… but a human with 1 percent chance of achieving it? The idea obsessed me and after some time I realised that was about my chance. You don’t usually see the struggle, only the results, but let me tell you how it all went.

It was my last last year in college, psychology, top grades, learning scholarship, head of the class, had it all, but felt like I had nothing. Something must’ve been wrong, right? You’re right. Something was terribly wrong. College, you must have a degree to do what you want, to be who you want. Well, no. Not if it’s the wrong thing you’re after, at least. Thoughts, night after night, the obsessive idea kept on going, what could’ve stopped it? Nothing was good enough, nothing!

But, then, one day, after hearing a college professor talking about her interviewing a hacker in the penitentiary who turned himself up because of paranoia, made me remember that once I wanted to be a hacker myself, but reading about script kiddies made me back off. Foolish, I know. Everyone is a script kiddie in the beginning, but it was not a matter of backing off anymore. Hell, even now I have thoughts of being a script kiddie and it makes me laugh. Anyway, the night I got home I opened the laptop and downloaded a python course for offensive hacking. I do not know what happened, for the first time in years hours passed like minutes. I was all there, no thoughts, nothing. Just absorbing. Well, if that’s not the thing I should go for I do not know what else would make me feel that good. Starting with that day I decided to switch. Leaving all behind. The shock on my parents face should’ve been priceless upon hearing that I want to drop out to be a hacker, but we were talking over the phone.

A few days passed, reading all over the internet on how to get into the industry, how to succeed. Networking, networking and more networking, like being a hacker meant to be a networking guru. No. You had to know the basics, yea, but more than that you’ll learn on the way. Anyway, I started reading about networking until I came upon Network+ Certification, which had it all and is not vendor specific which meant you’ll do good in all environments, right? That’s what we are after, to have a good methodology, to go on any attack surface. Well, I went over the course 2 times, trying to understand all it had to teach, even signed up for the exam but never took it, it was still too theoretical for me.

Planning, deciding, taking action

After that and some more days of reading I discovered CEH ( Certified Ethical Hacker ) and right after OSCP ( OffSec Certified Professional ). I still had this problem, I knew too much theory wouldn’t do it for me and after more reading I decided to go after OSCP as it met all the qualities, good basics, gives you the hacker’s mindset, makes you understand how to move on any surface and more important than all, IT IS PRACTICAL! Too much theory doesn’t do it, at least not for me. Well, after a quick negotiation with my father I ended up in debt to him and was ready to tackle OSCP. READY? Omg, That was so wrong. Had the motivation, ambition and the nerves necessary, but ready? Not even close. Good thing I was living alone but you will understand why a little bit later.

The computer ready, VMware Workstation installed, Kali. Processed the payment, received the course and it began. F**K ( as in FUCK ). How many pages were there? 800 and something? Faint. Never mind, go on. Started reading the introductory part, the “welcoming”. Excitement, anxiety, mixed feelings just like a relationship. From there on I had the luck I could do it for 15 hours a day, every day. Every single day with the luxury of not being disturbed. It didn’t matter if it was Saturday, Sunday or Monday. Every single day, from the moment I had my eyes open I was learning. As the days, nights, weeks passed by I was just doing it, nothing else, no time to complain, nothing.

As the first month went by, I did half of the course and exercises when I felt I was moving too slow and didn’t have enough time to go over the lab so from there I decided to start learning more practical, read and understand what’s in the course, leave the 10 points you got then for reporting the exercises and accelerate the learning. The course provided everything you needed, so after going through the manual, watching videos only on the topics that I didn’t understand well it was time to tackle the labs. Beginning with the easier ones, I was looking for hints and clues all day long on how to do them and still get a proper methodology.

Wait, wasn’t the course enough? It would’ve been to a technical person with a background of ethical hacking. But still, doing non-stop, trying to understand the “whys” and “wheres” and going further. IT WAS SO MUCH INFORMATION. NOT A SINGLE THING REPEATING, everything was new, every technology that I came upon was new, it was intense. As the time was passing, I bought a time extension and prolonged the lab time with one more month. But as I was doing the labs, learning, studying every day, the 4 months were coming to an end and I completed somewhere near to 51 lab machines, so I decided to schedule the exam. WHAT? I knew I wasn’t ready, but had to know where I’m placed and what I need to improve. So I scheduled it. The day of exam came, nerves, tension, I still had hope that maybe I will be lucky.

This is no place for luck. Failed. Miserably.

For me, it wasn’t enough. The very next day I had to step up my game. Took TJ NULL’s list for OSCP-like machines and here the real fun began. My target, complete as many machines as possible to get the methodology right. HackTheBox, Vulnhub, Proving Grounds all day long. I was still not able to complete a machine without reading hints about it. Still nothing was repeating. Still pushed further.

The path becomes clearer

After 6 months of daily struggle since starting the OSCP journey something happened, something clicked. All the information I accumulated until that day finally came to a result. I started feeling more and more like home, the tensions was not the same, it all started to make sense and it felt awesome. The next 6 months I did machines, writing down everything I didn’t know, and pressed further. When I was close to 200 pwned machines  I decided to reschedule the exam ( I know, more debt to my father ). I had one month till the exam. Managed to complete the Dante Prolab from HackTheBox, one machine per day. The week before the exam I went on Proving Grounds again, everything I learned to that day worked. Doing the OSCP-like boxes from Proving Grounds, with no help or hints. Was feeling great. The day before the exam I just went out, doing nothing else but keeping my mind off the exam.

The day of the exam. Oh, boy. What a day. Webcam ready, all set up, this time really excited and hopeful. All my hard work had to pay off. As they were verifying my ID, something happened. My webcam broke. Damn, not now! I had to run to the closest market, bought the first good webcam I saw and ran back home. Please don’t buy cheap webcams. Everything was fine now, still got 23 hours. Got the email with the necessary information and started scanning. You have 23 hours and 45 minutes to complete 6 machines. 2 clients and a DC ( Domain Controller ) that were chained in AD ( Active Directory ) and 3 independent machines. Damn, good thing I completed the AD sets in the OSCP lab and Dante too was really helpful into tackling the AD machines. Didn’t feel stress, was all paying attention. Drank 6 energy drinks and 4 coffees in the course of the exam.

Started the AD, feeling optimistic, had all the scanners up, but after some time I had 4 hours of being stuck, squeezing my mind on one single step that blocked me to advance. Now I was starting to feel something, not panic, but all the wheels in my head were spinning on what could I do. Went over all the possible attacks in my head, I knew I was on the right path, but something was missing. As the hours passed, I felt a rush and the revelation came ( I can’t say it as the exam would be spoiled ). After 10 hours I completed the AD set, felt terribly good. The 3 independent machines were a matter of time now, somehow I did them in 2 hours. F**K! I felt great, jumped from my chair in excitement as I did every single one. Tired, but it was not over. I told them I finished the exam, now I had 36 hours to do the report. Went directly to sleep, slept for 7 hours, was too nervous and tensed. Woke up, made more coffee and started writing the report. 15 HOURS! For 15 straight hours I wrote every single step that it took to compromise the machines. Zipped it and sent it. Was feeling great, I knew I did well. Now it was the examinator’s turn to tell me that. A week passed, checking the email every single day , multiple times a day, and on the 7th day the answer came. PASSED! Feeling great that the hard work put in for the last year had paid off. But it was not over, I needed a job now.

Getting into the real world

Had to start making a living. Daily looking and applying for jobs. Was feeling kinda down, months went by and one day I got a call from KPMG’s HR. They wanted an interview with me. The feelings were intense. I was preparing questions and answers, told ChatGPT to ask me all the possible questions so I can get ready for the interview. Everything went smooth, I was prepared. The senior manager and the now director of the Cyber team were there. Really friendly, open and professional. Got a really good conversation with them about the skills, values and general mind set of the team, a professional team. The questions were there, and they were quite challenging. After a week I got a call. I made it. I was going to be hired. A dream came true. Signing everything that was necessary, I was ready to start hacking. Didn’t work in the industry so I didn’t know what to expect.

As the projects came, they were not so different from what OSCP teaches, I  got the time to apply the methodology learned, improve it, play a little with the exploitation and get money. Win win situation! I can say now that by working daily, doing project over project, the experience was lacking and I did improve. I noticed that I find vulnerabilities faster, developed an early intuition about what the attacking vectors could be and reached a level where upon seeing the used technologies, I already have some attacking techniques in my head which is awesome.

More to this, I had the luck to get into a team that is really professional, has lots of knowledge and does have the hunger for learning. From them I learned much more, not a single team conversation goes by and something new appears. This helps all of us to stay sharp, improve our work and do everything we can to deliver quality. By working, you learn how to improve, be better and not settle for less. It is great to be with them and every single project is a new chance to enhance your skills and learn something new. And, oh boy, I can’t say they aren’t pretentious. Everyone coming up with ideas, blog posts, new researches, they really get you into the game to aspire for more. This makes work a lot easier, funnier and enjoyable, as you have brilliant people, hard working people around. The mentality is healthy and together with a fruitful environment, it makes upping your game easier. So who says work can’t be fun and enjoyable? We don’t, as the passion is there.

So, the road was not easy. NOT. EASY. It took me almost 365 days, 5475 hours to be here. Which I am grateful to this day. As to sum it up, this is not a joke, not an average job. You need dedication, lot of effort to get into the industry. And the fun thing is that nothing is promised. You just have to work your a*s off to get what you want, where you want. The road is bumpy, not your straight ‘no curves’ typical road. It is a mental challenge to be able to put the necessary effort and follow your goal. And luck… plays a role, minimal role. You must create your own luck. You have the passion, you’re reading this then you want something for yourself, something serious. In the end it will pay.

 Thank you for taking your time to read a journey.


文章来源: https://securitycafe.ro/2024/07/29/an-ex-psychologists-journey-into-cyber-security/
如有侵权请联系:admin#unsafe.sh