Reality of My Skillset

Well fuck.

These were the only words I had after working for a week and a half on a pentest of a machine a company gave me to pass for an interview.

Let me back up for you so you have a modicum of an understanding. After my interview that I referenced in my “What is your talent” blog I sat twiddling my thumbs curious if I would get a call back from the company.

(I did have another interview with a completely separate company but that was blue team so IDGAF about telling you about boring things.)

January 17th I got a message back from the recruiter telling me I have moved onto the next stage of the interview process and had to do a pentest and write a report. I was given 2 weeks to work on the pentest and write a report, which to be honest is fantastic because it freaking sucks to work and have big tasks like this.

The pentest essentially was a CTF box you download and host on a virtual machine; it’s used to verify your level of skill. Some of you may listen to this and find it a little dumb. However, I kind of liked the idea since it was more fun than anything else. I viewed it as a “test your might” kind of obstacle from Mortal Kombat. When you take that view it seems way cooler, right?

So armed with the virtual machine, the weekend, caffeine, a hoodie, some “hacker” music playlists I found on YouTube and my wife’s blessing to ignore her and focus solely on my task, I began. (I kid you not, I found a “hacker” playlist and it’s actually kind of awesome; I’ll link you my favorite one. You can blame me when you actually enjoy it.) https://www.youtube.com/watch?v=Z-VfaG9ZN_U This is the link to my favorite “hacker” song if you’re interested. That’s what I looked like low key during this whole stint.

I ventured forth into cyberspace, awaiting me, a glorious report and a possible job offer. So, I sat down, performed reconnaissance, enumerated my target and got familiar with the website. I found injection points that could be maliciously targeted and was super excited. I even dug down in some documentation in a couple areas and found possible issues and vulnerabilities. However, I could not find a way to root the box. I’ll be direct, it made me sad.

Surprisingly, I did not get upset once during this test. I just became much more curious if I could get certain payloads to work or if I could learn different ways of executing the same kind of attack. I found myself having way more fun than I probably should have even with a job on the line.

But I had an epiphany during this pentest a week later. Maybe I was never meant to root the box. I was meant to perform a PENTEST. You will not always get into the environment, but you may find tons of vectors that are still problematic for the client. I shifted my perspective, rebuilt my ideology and started using the OWASP Top 10 checklist to check for possible issues and surface vectors in the website. This gave me much more to work with to create a well-written report.

I had until the 31st to turn in my web-app report. I wanted to turn it in a little early so I began working on it Monday evening with a goal to finish it Wednesday morning/afternoon and have it sent on its merry way.

Now, usually I keep things like this on my laptop but I wanted to make sure nothing happened to it. I got a tad paranoid of the laptop dying and never turning on again, or me leaving it plugged in overnight, a storm happening and frying it. So I did what every average Walmart American would do when they have an irrational fear like this one. I saved the thing on an external hard drive.

AND THAT’S WHERE IT ALL WENT WRONG. Wednesday morning I go to finish up my documentation to try my best to land a job and my file won’t work. Wouldn’t open and could not salvage it after I whispered it sweet nothings. I even tried to close my eyes and pretend like I didn’t want it to open anyway, sort of like we used to do when we put a Nintendo 64 cartridge in our 64 after blowing on it and it giving us a hard time hoping that would make it turn on.

Well, to your surprise it didn’t work. The file was corrupted, just my luck. Explain to me why I did not save the document on my local machine as well? Who the hell does that? Do I have an IQ of 2? Because if I had at least a room temperature IQ I could and would have done that.

But alas, I had to accept my foolish ways and restart the documentation. This pissed me off. Here, we have arrived back to my first sentence of this long post. Time was ticking and it just got real.

Fortunately, I had all the screenshots saved on my actual desktop where I did the work so transferring that was simple and I began again. I could have been doing something much more useful such as playing hardcore World of Warcraft, yet instead I had to rewrite something I already practically finished.

Instead, I worked my ass off and stayed up embarrassingly late Thursday night to deliver what I would like to say was my best piece of documentation in my career. I did this while working my full-time job, mind you, and it sucked, but I am so proud of that document, so proud, that even if I do not get hired I feel like I would not be too upset.

Who am I kidding. The disappointment would be immeasurable and my day ruined. I sent the company back a 33 page beautiful report with my findings and suggestions on how to remediate their vulnerabilities. I did not tell them about my documentation problem. For one, they only care about end results, I am not about to give an excuse. And two… Bro, that’s way too embarrassing. I work in cyber, which is tech… if my dumbass does not realize to have backups in different places, what am I doing with my life?

I honestly am clueless if you were supposed to root the box. Seriously, I hope not. If it was supposed to be rooted I hope they grant me little respite in their discussions and maybe it can go a little something like this.

Scenario:

This is how I imagine it. Not in an office but out in an alley both of them with a beer in their hands sort of like the late “King of the Hill” show we all loved.

(To the hiring manager and team lead if you read this I hope it gives you a good chuckle at the very least.) To everyone else, yeah I know I gave them my blog and attached my name to this, what am I doing?

Hiring Manager: Welp.

Team Lead: Welp.

Rando on the team: Welp

All take a sip

Hiring Manager: I liked him but he went and failed the pentest.

Manager takes a sip

Team Lead: True, but the report was great. And that is like half the job.

Hiring Manager: You got me there.

All take a sip

Team Lead: He also has a good background so he can learn fast.

Hiring Manager: These are good points.

All take a sip

Team Lead: I kind of like his blog, it’s kind of funny.

Some rando on the team: Hey uhh, this guy might actually be retarded.

Hiring Manager: True too, screw it, let’s hire him.

All chug and laugh

Then fireworks go off, they all start shooting revolvers and shotgunning their beers, a lone tumbleweed passes in the distance and they all get transported and beamed back to the office.

This was a joke. Drink responsibly. This isn’t a frat house.

Accept your shortcomings. It means there is room to grow.
