I’ve been doing HTB for more than a month now, (started on November 9th according to my previous blog post), and I feel like I’ve stagnated, or I’ve just stopped learning as much any more. I feel like I’ve hit the learning plateau, where the content I’m picking up is no longer interesting nor enlightening anymore. If there’s anything that I’m learning now, it’s obscure CVEs, which I would really question the utility of that in my arsenal.
Drawing on lessons of flow, learning is best done when it’s between the realms of Too Hard and Too Simple. Doing simple boxes are indeed quite simple for me now, but pushing up to the hard (or insane) boxes makes me question their utility. Would it really benefit me if I learnt about all the “Hard/Insane” techniques, which would highly likely not be transferable anywhere, since it only affects that version of that software?
The steps for all the boxes are really similar
- Find a way to get into the box as user
- This can be done either RCE to execute a reverse shell, or LFI to read credentials (e.g. SQLi load_file)
- Find a local privilege escalation to get root
- This all revolves around incorrect permissions to various binaries or commands. The only hard part is trying to figure out what binaries have wrong permissions. Thereafter, it’s how do we exploit it to get root
While it was definitely fun for the first few boxes, I started seeing a pattern, and ultimately, there are only so many ways you can achieve steps 1 and 2. The variability in the challenges are typically not “useful knowledge”, but at times hidden gotchas. (e.g. one of the many exploits listed here: https://gtfobins.github.io/)
Short of sounding like a know-it-all, I feel like I’ve learnt enough from HTB, covering basic, intermediate, but not yet advanced pentesting skills. Dare I challenge myself to the gauntlet of OSCP? I don’t think so, solely because I do not wish to put myself under such pressure. I’m sure there are gaps in my knowledge here and there, but I believe, if it’s not an obscure CVE, it would not be something that would surprise me.
As a Cyber Security Researcher, I’ve definitely gained a lot of knowledge from doing these boxes, but as Pen-testing is not in my career nor my sole interest, I’ve decided to stop doing HTB like CTFs. Which circles back to the title of this post. There are 3 quarters in a year, and if I dedicate 4 months of my time learning something new, and of course related to my development, in the long run I would have achieved semi-mastery over multiple skills.
4 months is not enough time to become a master at a new skill (10,000 hours?), but it’s long enough for me to learn something at a level that I would be well versed about it. And as someone who works in a job that isn’t focused on a single field, but instead flourishes with the synergy of various fields, doing this would hopefully benefit my career. And, as someone who has a relatively short attention span, doing this would hopefully benefit my sanity.
Conveniently coinciding with the new year, it would be a great place to start a new theme at the start of the next year. I’ve yet to decide the theme for the next quarter, but I would want it to be brand new, and not something I’ve dabbled before in the past. (e.g. Reverse Engineering or Data Science, which I’ve already spent considerable amount of time on.) With 8 days left to the new year, it would be sufficient for me to contemplate over this matter!