This summer, I am enjoying the incredible experience of working at Security Innovation in Seattle as a Security Engineer Intern. I get the privilege of working alongside seasoned engineers, conducting security assessments of web applications, IoT devices and internal infrastructure for a variety of clients. While, at the time of writing this blog post, I've only been on board for a week, I've already learned three valuable lessons worth sharing here.
1: Take notes (it won't slow you down)
Properly working for clients (as opposed to sitting hunched over my computer at 2 am trying to figure out a problem on Hack The Box) has meant a great many changes to my workflow. One of them is incessantly taking notes.
When participating in a Capture the Flag (CTF) event, a rooted box is a rooted box. After getting a flag, no one really cares about how you did it - only that you did. That, of course, isn't transferable to the business world, where the "how" is incredibly important to clients and the breaking is only how you get there. The ultimate goal is fixing and preventing vulnerabilities, and in order to do that, clients need to understand how a design decision, implementation or configuration is flawed. Although I began taking notes for the reasons I just mentioned, I was quickly surprised by how beneficial vigilant note-taking was to my productivity, especially since I had naively expected it to slow me down. The practice of writing down your work becomes a useful scaffold for when you find yourself unsure of where to go next - and a constant reminder of what you're working towards on the engagement.
Personally, I keep a mind map and a markdown file open during my engagements. The mind map is excellent for keeping track of the different components of the application I'm working on, such as ports, the filesystem and API endpoints, whereas the markdown file is better for storing tool output (such as nmap scans and testssl.sh output) and detailing vulnerabilities and exploits. Currently, I use XMind Zen (although I would be thrilled if there were a viable open source alternative) for mind-mapping and MacDown for editing markdown files.
2: Ask questions (no one knows everything)
An extremely refreshing realization after my first week is that, while everyone in my office has more experience than me, no one knows everything. Equally important, no one expects anyone else to know everything.
While I urge everyone reading this blog post to muster an honest attempt at solving any problem they encounter before asking about it, there is definitely no shame in recognizing that other people have expertise that differs from yours. With security being such a rapidly changing and complex field, there will be some people who are really good at reversing and reading Android APKs, whereas their colleague across the desk might be an enumeration wizard. I have been incredibly impressed with the engineers at Security Innovation, who always seem up-to-date with most security news while at the same time having their own niche.
Your coworkers are probably no more than a direct message away, and they can save you from wasting hours fussing with the wrong tool for the job or trying to re-invent the wheel.
3: Not every problem report leads to root access (but some do)
I'm exaggerating a little bit, but it is easy to fall into the trap of discounting vulnerabilities that don't feel particularly sensational when you're used to doing CTFs. After reading hundreds of remarkable bug bounty disclosures detailing spectacular business logic flaws that lead to arbitrary account takeovers or, indeed, a root reverse shell, it is easy to forget that the most common exploits are probably due to things like weak password requirements or bad default configurations.
Of course, one of the most gratifying feelings in penetration testing is when you're able to chain together three vulnerabilities to get that superuser access, but don't expect to get there on every single engagement. More importantly, don't think you're bad at your job just because you don't get that root access.