USA. Working in Information Security. White hat. Gamer. Dad. Views are my own. Though feel free to use my notes. I’m not going to pretend to have all the answers, but I took down a lot of notes and I feel like I should preserve them somehow.
Thus: this site.
I initially bought this site to host my 2020 Holiday Hack Challenge Writeup, and I figured that I was considering adding my notes to a public page, so why not? Additionally, I have also created writeups for the 2021 Holiday Hack Challenge Writeup (which I received a ‘Super Honorable Mention’ for), and the 2022 Holiday Hack Challenge Writeup.
This comes from a nickname of mine, “Angry Dan.” My gamer tag is Agro_dan. I just shortened it to Agro, and since Agro is taken in most places I just stylized it and made the last “o” a zero. Besides, shouldn’t all hackers have a cool handle?
Also, a side note… I think I’m a pretty nice guy. I don’t have a quick temper and I’m certainly not mean. I’m just cursed with a face that always looks angry. It’s nothing personal, I promise.
I have an immense collection of OneNote documents and Obsidian notes that I’ve created over the years as a means of remembering things I’ve learned previously. I figured I might as well publish some of what I’ve learned. This makes it easier for me to recall since it’s on a public medium, and I also get the benefit of saying “I wrote about that on my site, you can see my notes here.” Then I smile, throw in some finger-guns, hit a three-pointer from downtown and moonwalk out of the room like I own the place because that never actually happens but I hope one day it will.
In my profession I’ve always found it better to remain OS-agnostic. I game on Windows, I code in Arch BTW, I pentest on Kali, and sometimes I even use macOS for things. Y’know, as long as someone else is paying for it. Use the right tool for the job.
I got my start in IT as a ColdFusion web developer once upon a time. I eventually became a system administrator for Unix/Linux infrastructure. After that I transitioned to Cyber Security, and with a background in learning how to build things, it was a pretty smooth transition to learning how to exploit that architecture. Since becoming a full-time Information Security Specialist, I have obtained a fair amount of SANS training, as well as a large amount of self-training. The sheer amount of help and informational tools available to people who just want to get into the field these days is staggering. So much more than 10 or 15 years ago, and I can attest to that! All it takes is a willingness to learn.
That said, when it comes to places to learn things online, my biggest recommendation is Hack The Box. Not only do they have a full academy for specific attack methods, the entire platform is based on the concept of investigative learning. No hand-holding, just figure it out. Learn the technology. Get engrossed in it, then exploit it. I have found that not only is it extremely humbling in some cases, but I always walk away from it learning more than I did before. And no, they are not paying me for placement, I am just a really happy customer.
pwn.college is a great resource if binary exploitation is your thing. It really offers a great way of learning from the ground up. Some of these challenges are incredibly eye-opening; you’ll learn how to do things with the standard Linux libraries you never knew were possible! And it’s free!
Advent of Code is a yearly set of coding challenges that they release (not surprisingly) around December. It’s not information security based, but if you’re a developer of any sort, or especially if you are trying to learn a new language, I can’t recommend this resource enough. I honed my skills with Go in 2022!
If you’ve spent any time messing with HTB, you have most likely heard of IppSec, a fantastic sherpa through the older retired boxes. His YouTube videos are extremely useful in explaining how to tailor attacks, what to look for, and how to approach different scenarios.
Additionally, 0xdf is another fine resource for more written examples of HTB, as well as random CTF challenges and other exploits. He has a really great set of videos for coding through the Advent of Code challenges that I used to help me complete it for 2022.
And finally, I can’t recommend John Hammond enough. Not only is he a super cool guy, he has a really awesome way of explaining things that really resonates. One of my favorite infosec influencers (if that’s a thing), hands down.
I always give the same advice to anyone that asks this, and it’s to start up your own personal lab. I tend to use VMware to do it virtually, but when I first started I just snagged up old PCs that people were throwing away anyway and tried out different Linux/Unix operating systems. From there I started on self-made projects: run a website, host a wiki that you can store your recipes on, run a DHCP and DNS server, or go for broke and just make stuff up to add to your network. A long time ago I wrote a little script that just alerted me whenever a new device joined my wireless network. The point is, the more you create, the more you learn about the service. Knowing how things work is the key to understanding how they can be exploited.
Additionally, I tend to learn best while doing. A lot of courses on Udemy and Pluralsight can help you learn the fundamentals of things, but if you’re anything like me you’ll learn best getting your hands dirty actually performing the exploitation. For things like that I highly suggest using the tools that are available to you, and in some cases completely free as well. CTFs are awesome to hone your skills, but by and large I find that CTFs are mostly just for fun and barely ever based on true-to-life scenarios of an actual pentester, with a few choice exceptions. For that reason I suggest things like HackTheBox, TryHackMe, and for the binhackers, pwn.college is an incredible resource.
Nah. I tried it a couple of times and personally I just don’t have the time to do it all that much. I love CTF challenges, but if I have to do it on a schedule then that’s just not going to happen. Being a dad that also works full-time means I have very specific times where I get to do fun non-dad things, and usually CTF challenges are not conducive to my schedule. So really I would only drag your team down. Sorry!
No one has ever actually asked this of me, but just in case, the answer is no. That is illegal. Make no mistake, hacking something you’ve not been given explicit permission to hack by the owner is a crime. I do not advocate anyone use their powers for evil.
You can find me on LinkedIn, Twitter, GitHub, etc. It’s best to contact me through one of those platforms, but you can always shoot me an email too.