Walking the path: october 2021
This post is the first of its series, which I intend to update on a monthly basis. As I've been working / studying in offsec and bug bounty hunting on my own for a good part of the year, I want to keep myself accountable by making my goals public and reflecting on my progress.
Who knows, some others might benefit from this, especially if you're studying in a similar field! Sharing breakthroughs and struggles alike can't hurt either way.
In september, my main goal was to find my first bug on hackerone from a program I picked a while ago. I did find vulnerabilities (and harmful ones at that) but sadly, those I found were either out-of-scope or obvious duplicates (like an s3 bucket already filled with... test files from other bug hunters).
This experience proved to be enlightening nonetheless: I've mainly been a CTF person, practicing on TryHackMe and similar platforms and it certainly feels good to know that the skills I acquired do translate in a real scenario. It might be dupes or simply out-of-scope, but those are still real vulnerabilities. I just have to keep looking, and keep learning along the way.
All in all, I am currently juggling with the following goals:
Finding my first valid bug, from that same program on hackerone.
Finish reading Bug Bounty Bootcamp by Vickie Li: it's a fantastic resource and I wish I had it around when I was learning the ropes with Portswigger's web security academy.
Keep reading Python Tricks: I'm going back to my roots by learning intermediate / advanced Python concepts. Even though Go is a language that I find incredibly pleasant, Python will benefit me more in the long run. It's everywhere, integrates with many tools I already use, and is a required skill for many jobs in my region. Oh, and I also really click with some features like decorators and list comprehensions.
Start reading the last edition of Black Hat Python, to put that knowledge into practice and have some fun.
Those are the most important items on my checklist, but I have secondary goals I'd like to tackle too. I won't put too much pressure on myself, but it'd still be nice if I could get around those at some point:
Join the local hackerspace. I'm lucky enough to have one nearby so I gotta stop being an introvert and try this out, should be fun!
Finish and post some writeups of past CTFs from TryHackMe, this blog needs more content and some boxes were really interesting to exploit.
Writing two posts on this blog that I mentioned a while ago on Twitter: one about recommendations on studying for CompTIA Pentest+, and another one about my attack box setup, using QEMU + SSH and X11 forwarding. The latter could probably benefit people who are seeking an alternative to VirtualBox and VMware.
One (anxiety-inducing) fact that I keep reminding myself of is my limited time: in 4 months from now, I won't have the financial means to keep working full-time on my micro-company. This essentially means that I'll have to find some other source of income and do bug bounty hunting on my free time, unless I get good enough to earn some basic revenue out of it.
I'm fully aware that this is unlikely to happen so fast, yet I have nothing to lose. Worst case scenario, I will learn a lot and be able to make use of that knowledge in my free time.
Anyway, that's the plan for this month. Gonna put my back into it, see you soon!
~ Want to leave a comment about this post? You can send me a message on CuriousCat without an account, or reply on Twitter if you like!