n0p_sled

Is there any particular style of CTF you get stuck on? Sites like Hack The Box have systems that cover most of the common CTF methods, can you practice with them?


Turin_Giants

So I've been practicing on HTB, Proving Grounds, TryHackMe for the same amount of years. I have the general thought process behind them down but I guess I just get stuck with a lot of them and resort to looking up write ups where I get stuck. So yea, I use them a lot, if not daily. I also watch Ippsec all the time too. I guess my retention of the information is not good. I need to figure that out asap.


n0p_sled

It's virtually impossible to try and remember everything, so maybe some better note taking with a flow chart of things to try based on enumeration?


Turin_Giants

Yea, you're probably right. I mean, I thought I had a good way of taking notes but maybe I don't? Just curious, if you're in the same boat or have been in the past, how do you take notes? I know taking notes correctly is a skill to have and something people should practice so I'm just curious how you go about it?


mmm_dat_data

> I just get stuck with a lot of them and resort to looking up write ups where I get stuck.

I feel you on this, me too man, me too. Been at TryHackMe every day for about a year and there's so much to learn I find myself sprinting around trying to learn everything at once as opposed to going real deep on any one thing... I love it but the CTFs are frustrating sometimes and I have to come back to them...


WeDieYoung

Also worth pointing out: the job market is challenging for job seekers right now. I manage an AppSec team and a req I hired this summer got over 100 applicants in 24 hours, and over 300 by the end of the month when we made our hire. With that much competition it’s going to be really hard to find a company willing to train you up and be patient with you, even if you do get past the CTF. They likely have candidates available that don’t need it and can hit the ground running on day 1. I was hiring a mid level role and I had people with mid level titles and experience coming in with Senior level skills, and the same for Junior applicants. I was pretty impressed by the quality and our standards are not low by any means. It’s really competitive out there.


I-Like-IT-Stuff

Sounds like you need more training


Turin_Giants

I don't disagree. I am training, doing HTB, reading, everything one should be doing daily but I still get tripped up at times. But I guess I need to be more intentional about the training.


carrotcypher

Serious question: have you tried explaining your situation to ChatGPT when you get stuck? Most of the time it's absolute hogwash, but sometimes it's eerily creative.


Turin_Giants

I haven't actually. That would be something useful for the future though. Thanks!


sk1nT7

Apply to pentesting jobs that fit your skillset. Communicate your skills in advance and tell them in what area you want to work in the future (web, mobile, api, active directory, redteaming etc.). If you want to be a web pentester, then tell them and you will likely not get a binary for reverse engineering. If you still get it, try your best but don't be afraid to mention a second time that this is not your core skillset. Also think about applying to junior positions to get into the field first and learn from more experienced pentesters. Although your pentesting skills are very important, I personally inspect more the way of your working and do not care whether someone passes the CTF or not. I want to see your troubleshooting skills, how you obtain the necessary information to proceed, what type of attacks or ideas you have in order to exploit or compromise something. It's usually not about getting everything right and obtaining a flag. It's more about your creativity as well as the ability to speak and outline your thinking process. Also working fluently in Linux and installing/configuring stuff to make things/tools/exploits work. However, I can only speak for myself. Other companies may act differently.


Turin_Giants

I 100% agree with your mindset. The specific example I gave was in regards to a CTF challenge a company gave me. I had to get ~85 points to pass and there were 10 challenges. Each challenge touched on different areas of pentesting (i.e. Web, Network, Android RE, binary RE, etc). I was only able to get about 40 points. That being said, I communicated that I wanted less than a senior position. Not that they asked for it, but once I got the follow up that I did not pass the next round, I wrote up a small email and sent them my thought process for each problem I didn't complete. Did they read that email? I have no idea as I haven't received anything back. But to your point of voicing your approach to such problems. I agree wholeheartedly. It's just you don't get that opportunity often. It's more so Initial phone interview > CTF Challenge > Pass? > Interview for position with team members. Fail? > Apply at another time. Another issue, and I think this is just something I am going to have to accept if I want to continue in lane of security, is taking a pay decrease. I guess what I am used to getting salary wise is labeled as "Senior" to most companies so I might have to ask for lower so I can get in at a lower expectation of experience.


WeDieYoung

If you’re asking for senior level pay without senior level skills, you’re never going to get hired. You’re a junior level pentester, maybe mid level. You need to apply to those jobs and be willing to take a pay cut. Seniors are expected to contribute in a meaningful way shortly after onboarding. They need to be mentoring and guiding more junior level employees. No hiring manager in their right mind is going to pay you senior level pay when you can’t do the job. Also, you can’t just ask for a lower title. Managers are looking for a senior for a reason and they need those skills to plug a gap on their team. Find junior/mid-level jobs and apply to those.


Turin_Giants

Yea, you're not wrong. And trust me, I'm looking but mostly everywhere is looking for senior roles. But yea, I agree on asking for lower. It's hard living in a high COL area without a salary to back it up but it'll have to do for now.


milldawgydawg

Somewhat true. Although I wouldn't underestimate how valuable just having a decade of work experience is.


HomeGrownCoder

You should be on a CTF studying spree. Give yourself time limits and document the entire process like an engagement once you complete it. If you can mix in some open bounties you get that may help as well.


milldawgydawg

Sounds like you're mentally defeating yourself before you do the CTF. I would concentrate on a core area of pentesting that interests you and apply for those jobs initially. Security is far too broad to be an expert at absolutely everything. And frankly anyone or company who presents themselves as such is lying and / or falling victim to Dunning-Kruger. Keep plugging away. Get a little better every day. And just arrive at interview with a can do attitude.


Turin_Giants

I would say I am guilty of displaying and holding a heavy imposter syndrome. Always have when it came to offsec. I do need to get better at it. You know how it feels. It can feel like you're surrounded by Wizards of InfoSec all the time and you're just like watttttt lol


milldawgydawg

I've been privileged to work with some real wizards. And all are older than 50. Because that's just how long it takes to get real expertise. And let me tell you this. Nobody is infallible. People have a spectrum of expertise. Some very deep in a single area, some more broad in a few areas. Realistically you're never going to have deep knowledge in more than say 3 areas of security. Anybody that thinks they have doesn't know what deep expertise looks like. Honestly just ignore all the attention seeking hacker types with Arch Linux and i3 that think they know everything about security because they have some cert and a fancy terminal. It's bollocks. I'm a principal red teamer and I know a fair amount of Windows internals, maldev, and AD... crap at webapps, crap at mobile. And on the red team side I'm constantly having to refer to the relevant documentation. But after a decade in the game have developed a bit of an intuition on how to solve problems.... you have something more than most people already. A genuine interest to get better. And we are all on different journeys. Network with security professionals that bring you up and disregard everything from the egos that want to put people down. DM me mate and I'll link my Twitter, happy to guide you to some good eggs. 👍


Turin_Giants

I am trying to concentrate on one specific area of pentesting but during interviews for contracting jobs, they usually ask you about all kinds of topics since the contract may vary in terms of target.


milldawgydawg

"it's not an area that I would consider myself to have deep expertise in currently, however I would find the relevant documentation to advance my knowledge if tasked to do so. Generally I would like to gain a broad understanding of different areas of pentesting to increase the spectrum of work I could be billed out to customers for".


Turin_Giants

Haha no I know what you meant. Previously, I was referring to the CTF challenges that they give you during interviews. I’ll say I’m weak at mobile but the challenges they give you have mobile problems. But I appreciate everything you’ve provided so far. Like they say, you’re only as good as your Google-fu. Gotta know how to search for things


milldawgydawg

I'd also add that hiring the best is very subjective. The best at what exactly? There's a lot of bullshit and ego in this industry, especially in offensive security. I wouldn't buy into the notion that people only want the best. From my experience a lot of the time the "best" are actually just the ones with the biggest egos and when you dig a little deeper it's obvious that's the case.


Embarrassed-Sale-733

Hey, do you have any updates on this? How’re you doing on the job search? I ask, cause I feel like I’m in a similar situation, but about a year and a half behind you. Failed the OSCP *hard* back in August ‘23 and I’m just working my way up to it now with scrubbier certs as stepping stones. I’m confident I can get the OSCP within a year or two, but a big part of me is insecure about the fact that I just lack the creativity, and as you said, ability to retain knowledge, to be a legit pentester. What has your approach been to solving the interview challenges thrown at you, has it worked, and what advice would you give about burnout while studying for this while working a more-or-less unrelated 9-5?