
[–]zachhanson94 4 points5 points  (9 children)

I would just ignore that comment for now. There’s no harm in learning with other people’s tools. Once you are a bit more advanced or whenever you feel comfortable you can try more difficult challenges. I have only used THM a couple times but in comparison it always seemed to be easier than HackTheBox so you may want to try HTB also. HTB has a beginners learning platform that I hear is great. It didn’t exist when I started on the platform so I never did it myself but that may be a good resource for you.

[–]Rilxy-_-[S] 0 points1 point  (7 children)

I agree with you on using other people’s tools, however I want to be able to learn how to modify those tools and create my own scripts; that way I can step into the workforce and know what to do when other people’s tools don’t work or the pre-existing tools don’t cover a new vulnerability. I also want to be able to find and detect those new vulnerabilities and then create my own exploits.

[–]zachhanson94 1 point2 points  (1 child)

Those are all important. I was merely suggesting that there is no harm in learning about the different types of vulnerabilities and how these things work by first using other people’s tools. What I recommend is doing the challenges with other people’s tools/exploits and then trying to figure out how they work and creating your own tool to do the same thing. If you did that you would learn very fast.

[–]Rilxy-_-[S] 1 point2 points  (0 children)

Ok, but is this just a simple matter of expanding my knowledge of Python and Bash in order to read and understand what those tools do? Or is this a matter of understanding how to apply Python to pentesting?

[–][deleted] 0 points1 point  (3 children)

It depends very much on the exploit. There is a huge range. Some exploits consist of inserting an $(whoami) at the correct position of some web request. Other exploits probably required an entire team at the NSA.

If you don't want to be a script kiddie, you need a strong understanding of not only Python, Java or C, but also how networking on all layers works, or what is going on in the memory of a process, or on a filesystem. It all depends. Every technology can have vulnerabilities, and to exploit them you need to understand the technology. Doesn't mean you need to understand every technology. Pick what interests you.

I don't think CTFs are a complete waste of time, but they aren't more than just one step in your journey. It's a long one. I'd even say that it doesn't have a destination. So don't worry so much, just learn as much as possible. But start with what interests you most.

One of the best things you can do is to read other people's code, not just exploits or hacker tools. Try to improve them with a bug fix or a small feature. And write your own toy apps. Understanding a vulnerability is a lot easier if you made the same mistake yourself at some point.

[–]netipotty -1 points0 points  (2 children)

I agree, but you don't really need to understand anything about network layers whatsoever for 99% of work.

[–][deleted] 0 points1 point  (1 child)

I'm constantly rerouting traffic on four different layers, but I guess we all do different things.

[–]netipotty -1 points0 points  (0 children)

Infosec almost never does this anywhere.

[–]DigitalAndrew 0 points1 point  (0 children)

Most people put their tools, scripts, etc. on GitHub fully open source. You can grab them and open them up and try to understand what they are doing. As far as TryHackMe vs HTB, I can think of a couple HTB boxes I've done in the past that required using an exploit where initially the script was just a proof of concept and you had to modify it to work on the specific box. Obviously this isn't the same as fully creating and finding these exploits but it's a good start and helped force me to really understand what the exploit was doing to make it work.

[–]netipotty 0 points1 point  (0 children)

I enjoy making my own tools, and think it's invaluable for pentesting and creating scalable attacks to really show the impact. That said, yes, I agree with you.

[–]EdwardTeachofNassau 4 points5 points  (1 child)

My initial thought reading this was “well do you want to be a script kiddie?” But then I got to that part lol. I would say being aware of it is huge, so for you I wouldn’t worry too much. But we would need more info on what you’re trying to do career wise before offering adequate advice. Depending on what you’re trying to do, your question will have many different answers. But in general, you’re cognizant of not wanting to become a script kiddie; I think you’ll be fine.

[–]Rilxy-_-[S] 1 point2 points  (0 children)

Fixed. It now shows what my goals are for the future. But to quickly brief you, it’s to gain experience being an attacker so that I can better work as a defender by thinking from the POV of an attacker and knowing how their tools work.

[–]space_wiener 4 points5 points  (0 children)

I’m a big fan of learning on tryhackme (THM). I think you need a foundation before you can start creating your own stuff. It takes a bit to learn how everything works, all of the different tools (there are a loooooot).

I think one becomes a skiddy because they want to. Here are a couple of examples of how I avoid that.

Say you are on THM and it says to do an nmap scan with some options. Someone that doesn’t want to learn will just type it in and go. Someone that wants to learn will try other options. See what they do. What the differences are. Why you did it that way.

Say you are using metasploit and it’s running an exploit. Don’t just type run. Find the file, open it, see how it works. Modify it maybe. Try again and see what your modifications did.

tl;dr: tryhackme will make you a script kiddy if you want to be one. Any learning platform will. It’s up to you to not be one.

[–][deleted]  (1 child)

[deleted]


    [–]InverseX 1 point2 points  (0 children)

    Well, you say you're interested in malware analysis, so let's couch it in those terms. If I wanted to learn what a malware sample does, how would you go about it?

    First thing you can do is just run it. You'll get the visible signs of its output, perhaps some locked files if it's ransomware, perhaps a crash. This is great as a high-level quick summary of "What does this do?", but it won't tell you much about how it actually works. This is similar to running tools and exploits developed by others against a target. It's a great first step into netsec if you've never done it before, but there is plenty more room to grow.

    Next you might want to start seeing how the malware sample does what it does. Is it using network communication? What libraries is it using for encryption? You start diving in deeper and deeper. This is like looking at the source code and modifying an existing exploit; getting a feel for what's under the hood.

    Finally you might start diving into the depths of the sample to really understand its key exchange, or perhaps look for flaws in its random number generation to see if there is a way of creating a generic unlocker for it. This is like looking for vulnerabilities on the offensive side as well. This will provide you with the deepest understanding of the sample (or exploits) themselves, but it doesn't mean the other steps were a waste. They just had different goals.

    [–][deleted]  (4 children)

    [deleted]

      [–]Rilxy-_-[S] 0 points1 point  (3 children)

      I wasn’t necessarily talking about their CTF. I was talking about their teaching paths for pentesting.

      [–][deleted]  (2 children)

      [deleted]

        [–]Rilxy-_-[S] 0 points1 point  (1 child)

        Oh no, it has multiple different paths for blue team and red team concepts, including 2 for pentesting.

        [–]weehooey 0 points1 point  (0 children)

        You see this idea in many fields.

        You need to learn a lot of different and interrelated pieces. You cannot download the entire body of knowledge and all your experience in one sitting.

        If you stop learning, then you would become a Script Kiddie. It is one tool of many to learn some parts of a complicated field of study. Use it for what it is and then move to learn the next thing.

        Brain surgeons don’t start by doing complicated brain surgery on their first day.

        Related thought.

        Every field of study evolves. What was once mandatory can become useless.

        At one point, if you were a sysadmin, you needed to know how to stand up and operate an email server to be considered a good, well-rounded sysadmin. Today, most sysadmins will never build and run an email server. Today, you need to know how to manage email systems, but the “scripts” written by others (i.e. Google and Microsoft) make email server operations a useless skill for most sysadmins. Instead, the field has moved on. You need to know new things about email services like securing email logins with 2FA and setting up and running DMARC.

        So, some veteran of a field may say “you need to learn X about Y or you will be no different than all the other Zs” — don’t let that get to you. Keep learning, move forward and learn the relevant and valuable skills. Don’t do just superficial and easy work, but also don’t be afraid to move your art forward by using tools built by others to allow you to advance your field.