Still searching for work. I don’t really know what to focus on. I’ve just been kind of all over the place. It’s been constant late-nighters figuring out things that would only make sense to me.
After I graduated, I wanted to get into bug bounty while searching for work, but it’s been a massive challenge so far. I finished the Hacking APIs book from Starch Press. I spun up Alpine virtual machines with Docker on them to run the vulnerable web servers on containers. It was recommended to do it that way, I think, in the book instead of putting them all on one machine in case one container causes instability to the machine which could affect the other containers. Anyways, this tedious process of installing each application on each VM helped me better understand Linux and virtualization in general. I was using VirtualBox and learned how to take advantage of the snapshots feature, which surprisingly I hadn’t been doing before. I’ve used Alpine in the past, but I got to work with it more closely this time around, especially setting it up from scratch instead of pulling from a registry. My rationale for learning APIs and API bug bountying instead of learning the “normal” bug bounty stuff was because I thought I’d be able to apply this knowledge in a way for automation. I’m not a software engineer.
Applying these skills successfully is something entirely different. I tried some domains on HackerOne and it just felt very overwhelming. And so, I tried to fill in the gaps with labs from PortSwigger Academy, reading more stuff like Bug Bounty Bootcamp, another Starch Press book, and following zseano’s bug bounty methodology, which I came across on Reddit. I think not finding stable work yet has kind of dragged my mental down. I applaud people who have the patience for this, but at the moment, it’s just been doubly pressing when I don’t have an income to turn to while being frustrated coming to dead ends and I’m just staring, waiting for fuzz results while my Kali VM doesn’t want to get along with my host machine’s VPN (I should probably just consider putting one on the VM).
So, I just focused on other things. I got a response to a DevOps application, but it turned out to be a bootcamp which I didn’t join in the end. While preparing for it, I kind of quickly got to learn AWS CodePipeline and the other related Code services on AWS. I’ve used GitLab before to set up CI/CD pipelines on my own, but I wanted to freshen up what I knew, so I turned to LinkedIn Learning for this. I also read and followed a bit of the O’Reilly Azure and AWS Cookbooks. I got to dabble in the CLIs for both cloud providers. They kind of map to what you would usually do through the AWS Console or Azure Portal, but working with the CLI makes you really think how to apply things step by step and consider many of the small details. I even got to use and learn a bit of the AWS CDK and then got to do my first ever pull request fixing some of the AWS Cookbook’s repository code.
I set up an OpenVPN server which was pretty cool, but also very challenging. I think it was kind of straightforward conceptually, it just had many steps to make the certificates and adjust the settings. The book I followed was Cybersecurity for Small Networks from Starch Press. I put the servers up on Azure VMs. The servers were split into a certificate and VPN server. The setup was tedious, mostly from keeping track and transferring files between the servers. Figuring out what minute thing I missed that I didn’t set correctly was mald-inducing, but I got to enjoy the sight of ipchicken showing a different IP address on my laptop. Among the other things I’ve managed to set up is the OpenVAS scanner appliance. I also revisited setting up the Qualys Scanner and LibreNMS appliances. I’ve managed to set them up before, but I wasn’t really satisfied with the way I did it, and I did it much faster this time around and with way fewer kinks (mostly by working with VirtualBox instead of VMware Workstation Player).
I learned Python and PowerShell stuff that tied into cybersecurity (mostly from Packt books). On the way, I configured my Splunk server to ingest logs from PowerShell script block logging. I learned more about the Event Viewer like this. While learning Python stuff, I got to use WSL much more than I have before, by gliding back and forth between my PowerShell terminal in VS Code and VS Code terminals for WSL and Git Bash as well, where some applications weren’t on the other. I’m loving the Full Stack Python Security book from Manning. I’ve learned these concepts before, such as encryption and hashing, but actually applying these concepts in scripts is way different and makes you appreciate all the thought that goes into them more. As a bonus, I also learned how to manually create and sign my own certificates. As for other cybersecurity stuff, I finished the Become a Master Hacker book from Occupy the Web. I learned Metasploit by setting up and hacking a Metasploitable VM and an old Windows 7 VM which can be exploited by EternalBlue. I also read through a bit of the Learn Computer Forensics book from Packt. I got to fiddle around with Autopsy and FTK Imager. From what I can gather from brushing through digital forensics stuff, I can definitely say it’s a beast of its own from all the other cybersecurity stuff I’ve learned. Another thing is learning PHP from the O’Reilly Learning PHP, MySQL, and JavaScript book, which I have yet to finish. It kind of demystifies some of the web application hacking stuff for me where I felt like I was doing this hacking technique because X source told me to do this instead of knowing the why. I also learned proper bash scripting from another O’Reilly book, Cybersecurity Ops with Bash. So far, it’s helped me understand other people’s scripts better and in general being a better Linux user – regex especially, which I never really took time to sit down and focus on having a good grasp of before.
As for DevOps stuff again, I read and followed through the DevOps for the Desperate book from Starch Press. I liked how it incorporated system admin type stuff and it helped me brush up on my Linux skills. While not entirely in-depth, it did scratch the infrastructure itch of mine. It was practical which I like compared to other books talking about the same things. As a newbie trying to enter the industry, I appreciate more practical and technical books like these.
To end, I’ve started learning “how to hack” on Hack the Box Academy lately. All of the stuff I’ve learned before, especially from the failed attempts at bug bounty, has kind of helped me progress through the modules smoothly. I just hope I can connect all these things more and more. I might create single posts for the different stuff I mentioned and other stuff I didn’t mention like AWS pricing their IP addresses and me fumbling how to keep the costs down, but anyways this has been a sort of rough summary of what I’ve been up to.