We have all been watching Mr. Robot recently and dreaming of becoming some b4da55 133t hacker who can conquer the world with just the terminal and a few lines of code. But… soon you realize you are a Frontend dev… and you spend most of your time dwelling in masses of HTML, CSS and the most hipster new framework. This is not going to help you much with achieving your dream 😢. Or will it?
For some time now (around a year) I have been dedicating myself solely to web development. Coming from a design background, I found myself most comfortable on the visual side of things, and although I occasionally dive into the backend, for the most part I spend my time on the front of projects.
I’ve always been extremely curious, and since I was little I have always felt attracted to the field of Security. Trying to break into or access something I wasn’t supposed to always sounded like a lot of fun to me 😁.
So recently (and appropriately matching the release of the new Mr. Robot season 🙄) I embarked on the journey of teaching myself Cyber Security.
After reading quite a bit on the topic and devouring article after article, I arrived at a conclusion… to be somewhat capable in Computer Security you have to be proficient in MANY fields: networking, forensics, reverse engineering… not to mention the foundations of Computer Science themselves. If you want to exploit a system, you must first know how it works, and… I didn’t. Until a few weeks ago.
Looking for ways to practice what I was learning I came across PICO, and here is where things get very exciting…
🚩 What is a CTF?
As some may already know, CTF stands for Capture The Flag. It’s a kind of competition where a test environment has been set up so that hackers can play around. Usually it’s a set of challenges, materialized in any shape or form: a vulnerable website, a vulnerable machine, a set of web challenges etc… that the hacker has to solve in order to get the flag.
And how does a flag look you may ask? Like this:
It can be of any form, but in the case of PICO, for example, it’s just a string of text you have to discover and then input on the site for validation.
If the flag you found (or you think you found) is correct, ecstasy invades your body. If not, back to frustration land.
🤔 Why PICO?
There are a TON of CTFs out there:
awesome-ctf: A curated list of CTF frameworks, libraries, resources and softwares (github.com)
So, being a complete newb and not knowing where to start, I started reading. Everyone seemed to recommend PICO, but I wasn’t sold so fast at the start. This is how my mind looked, more or less:
It is aimed towards high school kids and I’m a pro 1337 web developer, it sure can’t be that challenging…
i…it..ca..can’t right? 😬
So after solving the first few challenges with relative ease, things started to get complicated. I soon got stuck on some challenge, tried to move on to a different one, same result, and that is when reality kicked in. The challenges are perfectly designed with exponentially increasing difficulty. And they soon get DIFFICULT.
So far I have gotten to mid level 2 in a good bunch of weeks working in my spare nights. And it looks like it’s going to be a looong journey.
Cool thing is that I’m learning A LOT. From working with binaries or hex, to network protocol analysis passing through encryption algorithms and many more things.
The way PICO sets its challenges follows this recipe:
- Hey! We found this stuff where we suspect the flag is.
- Find it. Good luck 😉🖕
- *Pssht: You may find this useful <study/reference material>
- **Pssht: Maybe it has something to do with? <tip to point your research>
And that’s it. It literally throws you into the blue. I found that this way you really take the time to build a mental process and start to build up your research little by little, instead of directly diving in like I’m used to on my web development stuff. Once you are sure what you are working with, then comes the solving part, which usually requires you to implement some custom piece of software.
📡 The challenge
I plan to finish PICO CTF and I realized my experience might be useful to other people like me, those who are interested in Security but don’t know where to start.
It has literally been ages since I felt so challenged by a problem, or since I had to literally abandon something to pursue it at another time because I reached a total roadblock.
This has the side effect of EXTREME SATISFACTION once you solve a problem. It’s so rewarding when you see that little green message that it’s starting to get addicting.
I have imposed on myself the following constraints:
1. I will build everything custom in Python
The main reasons for this decision are:
- I’m very interested in Machine Learning and Data stuff, and would love to do some projects in the future. There is A LOT of instructional material out there referencing the use of Python; apparently it’s one of the most widely used languages in ML, so as a newbie I want to learn something widely supported.
- ☝ Same thing happens with hacking stuff. A lot of hacking tooling is made in Python. So it’s a plus to be able to extend it/modify it.
- Completely personal preference: I wanted to learn something different to what I use 8+ hours in my daily job, just for the sake of variety and cross pollination of knowledge.
2. I will read every “man page” of a new command
PICO challenges tend to make you use a lot of new UNIX terminal commands. So in order to understand them better I read thoroughly the manual pages of any new command I have to use.
3. Use VIM
This is a completely personal preference. I use Atom in my daily work, but always wanted to learn VIM. It’s especially useful when you have to log into a machine using SSH, which you will do a lot in PICO.
If you wanna do the same, I recommend you start here:
4. I will document my progress
So in order to record my mental process, to help others and for myself to learn, I have decided to document any challenge I find worth analyzing. Tools used, time spent, process etc…
I will be using this template, so if you want, fork it and start using it:
So if you are interested in this journey, stay tuned. I will be periodically posting write-ups (one per challenge), not of all of them but of all of those I find interesting.
Hopefully in some time I will manage to finish PICO and fulfill my dream of becoming a Highschool Hacker…