Three months ago, I embarked on Operation Suck Less, the journey to Git Gud [tm] by competing in every CTF I could. It’s been an exciting journey, but from here on, it will temporarily slow down. Not because there’s a lack of will, but because:
Unfortunately, there seem to be fewer CTF events during the last half of the year. That said, there’s absolutely no lack of computers stuff on my plate. Some of the things I’ll try to do in this “quiet period” are, in rough order of priority:
- All the CTF challenges I didn’t manage to do: there’s a heap of stuff which falls into this category, especially from the more difficult (64-bit, heap bullshit, mitigations enabled, angr) exploitation-focused CTFs. I’m not good at this, but I want to be.
- Exploit-exercises Fusion. In line with the above, one of the gaps I found I had during the last 3 months was tricky exploitation problems, where things needed to fit *just right* to make things work.
- Vulnhub. Like a more time-flexible version of something like OSCP, the idea of a “boot2root” VM is super cool, and I’m definitely keen to practice my skills against as wide a variety of targets as I can.
- Forking scapy. I’ve got a raging hard-on for writing my own toolsets from the time I wrote my first debugger because Fuck GDB [tm]. I like scapy, but I’m keen on making it into something I can understand and use more easily, minus the part where the packet class has a function for dumping itself into both PDF and PS. For real, it’s a packet library, not Microsoft Word.
- … reviewing Enterprise [tm] software. In today’s security landscape, you can pretty much put some cryptocurrency mining hardware into a server along with a Raspberry Pi running iptables and call it an Enterprise Database Cloud Firewall Secure File Transfer Backup Compliance Planning Solution, selling it for $20,000 per node per year. It’s like running scams, except you can put on a suit and it’s completely legal. If you do this, fuck you, fuck everything you stand for.
There’s also a metric shitton of community events which are coming up, which are looking to suck up a whole heap of my time from an organisational perspective (including an entire fucking “con”).
In other news, we made it into The Register: fuck yeah!
For those of you who have come with me on this magical journey, I can’t thank you enough. When I get home and I’m about to turn on my PS4, it’s the little ‘ding’ noises of your slack notifications talking about this vuln or another that keep me focused. Thank you, thank you all – never stop being awesome.
See you all in WhiteHat Contest ’11 in a few weeks’ time.