Week 4 Reflections

March 3 2019, 8:59 PM

This was the final week of the Cyber Security summer studio, and our task was to compile our research and technical development into a final portfolio.

The week began with a presentation from an industry professional named Ruben, who was proficient in reverse engineering and began a workshop demonstrating how to read reversed code, how to follow memory and extract information from it.

It was a little difficult to understand at first, and my teammates were able to solve some of the challenges in a ‘faked’ way by using some translator software online to read line by line to find flags, but I was determined to do it the correct way within the debugger software itself. I used Ruben’s assistance to ask him if I was on the right track[1], and essentially wound up correcting the mistake by following method definitions and reading the gdb manpages and shortcuts, and learning how to use breakpoints properly. It took a little longer getting the first flag than hacking it the easy way, but it made up for the effort because the next flag took me about 30 seconds to find while my teammates still haven’t solved it a week later.[1][2][3]

I also started attempting Carrier again, however even after knowing exactly how to get to the point I was at before, since it was a free instance the server kept getting refreshed, as for whatever reason that specific machine is reset every 5 minutes, and can easily be DDoSed as a semi-DDoS is part of the first steps to gain an initial foothold.

Final Reflective Statement

Throughout the entire subject, not only were our tutors industry professionals themselves, providing constant guidance, but we were also granted the opportunity to meet with industry professionals for different topics. I started with 0 knowledge about the topic at all, and progressed in 4 weeks to being able to take down complicated and medium rated machines on HackTheBox due to the help from them.

I was able to define a set goal that I had planned at the beginning of the semester, which was to improve my technical knowledge enough that I felt comfortable in taking a certification exam such as the eLearnSecurity cert or OSCP, which I considered the problem I wanted to work towards this semester.

Design Thinking in this subject would refer to the topic of enumeration. This is where we use experience and practice in defining our own step by step lists in how to iterate through possible solutions to a problem. Enumeration was a brand new technique that I learned this semester, and through these blogs, writeups and reflections I have acquired new tools and steps that I can add to my list that I can bring with me to the future of my career if I choose to continue Security engineering.

The evidence of this design thinking process can be found more specifically in the writeups for Chaos and Curling in the pwn/hackthebox pages of this portfolio, as well as the formal security report in the previous post. I detail my steps of enumeration and design thinking to identify and respond to a problem that I have not yet encountered.

The technical skills I have learned and demonstrated can be found in my writeups for the pwns and ctf pages of this portfolio. Whether it be methods of enumeration or actual commands/tools used for exploitation, full writeups are available that will outline the use of these.

As part of the consistent deliverables for this subject, we were required to present our week’s worth of findings as a presentation, as well as have a quick 10 minute collaboration at the beginning of each class, in which we share with the class what we’ve done in the week, any progress we’ve made and most importantly the challenges and failures we encountered.

We presented topics based on ROKRAT, which is one of the first posts of this portfolio and has a write up available there; BeEF, which was a group presentation based on a certain security tool that we wanted to demonstrate and explain how it works; as well as some solo presentations.

The majority of communication during this subject however happened via Microsoft Teams, where we have a public chat channel that I used multiple times for assistance and was open to everyone. We also had a team based chat channel that was monitored by the tutors, and we used that for the primary communication of our team.

In communicating this way, I was able to feel a lot more comfortable in gaining information from other classmates, instead of just relying on Google or a YouTube video, as some students already had multiple years of experience in these subjects and had the answers to a lot of my questions.

All in all, I believe I have achieved my personal goals of gaining enough knowledge from this class in order to have a solid understanding of how to proceed independently in the future, in gaining some more experience, gaining certifications or perhaps seeking employment in this field.

Early on in the class, the pressure was intense as the pace of the subject was very fast and there was a ton of content that I had to learn, but as I found myself more comfortable, and doing the homework and required tasks on time, I felt that the class became easier and easier to manage, even though the topics themselves were increasing in difficulty. This made me think back to where our tutor Luke described the best way to become knowledgeable in this field, which is to just practice, practice and practice. I definitely understand now why that advice was so correct, as even just a little practice has made the content so much easier.

The only difficult part of this subject was trying to adapt the requirements of the Summer Studio itself into the requirements of the Cyber Security studio, as the type of content that is presented in this blog may not be appropriate, or technically correct for the requirements of the Summer Studio. We didn’t have a tangible model, design or plan to create some ultimate project, as our project was just to work every week to increase our knowledge step by step. This subject would be an incredible semester session or Summer session subject, as we have gained an incredible amount of industry specific knowledge in only 4 weeks, that having 12 full weeks could possibly cover a year or more of self study at a slower pace.

Regardless, I believe I wrote up these deliverables to the best of my knowledge and tried not to repeat much, but instead attempted to prove that I have achieved the Summer SLOs by linking to my previous posts and writeups.

Conclusion

I had an incredible time with this subject, and have learned an even more incredible amount of new content. This subject has given me the motivation to continue this type of work into the future, and has gotten me interested in the culture surrounding security. I have always wanted to be a part of this clique, however always found it difficult to approach or find entry.

I feel like I have been able to meet my intended problem statement that I defined earlier in the session, to gain a foothold and clear a path for my learning towards the eLearnSecurity or OSCP certifications and find a job in that way.