A different approach to write-ups

Many sites have write-ups of how they hacked a challenge or box. I want to do more than that. The walkthroughs you will find here show what I did throughout the entire challenge, how I did it and why.

Methodology of a pentester

Starting out in the world of pen testing can be a little rough. In a real-life penetration test, a professional would have to perform reconnaissance on their target, then scan what they can, gain access, escalate privileges and write a report. For challenges, recon is typically skipped and scanning is minimal. Enumerating is the most important step, because if you don’t know what you are dealing with, you’ll have a hard time finding vulnerabilities. When you are new, it is even harder because you don’t always know what is misconfigured or vulnerable.

Warts and all

Even the best people in InfoSec sometimes bark up the wrong tree. That’s all right, because challenges are sometimes designed with false positives that get explored but don’t lead anywhere. Most people won’t write about those, but I will. New people need to see not only that everyone messes up sometimes, but also what to look for, when to stop and how to avoid it.

Hack The Box write-ups

Bashed user

Bashed root

PentesterLab write-ups

Basic SQL Injection info

From SQL Injection to Shell part 1

From SQL Injection to Shell part 2

Practical Pentester Lab

I’ve completed a couple of these simpler challenges

Here are some write-ups