After the cancellation of MCSC2020 and other on-site events we were willing to compete in, due to the coronavirus, we held a meeting to discuss ways to improve our skills. We thought that maybe playing CTFs regularly isn't enough, and we wanted more; something closer to real life would be cool. We had already discussed HackTheBox but hadn't quite organized the way we were going to proceed: should everyone play solo? Should we play as a team? Some members even thought that they weren't ready, and wanted to hold the HTB sessions until everyone was ready - spoiler alert, they were wrong!
What we decided
We decided that members are free to play alone if they want to, but it would be more fun and interesting if we play as a team. That's when we had the idea of HTB sessions! So what are HTB sessions?
Every 2 days or so, or whenever we feel like it, we gather around, get some pens and a board, prepare our workspace, boot up our Kalis, and attack a machine! Yesterday we had our first session, and it was AWESOME!!
The world of HackTheBox is way different from CTFs. Unlike direct challenges, you are given a machine with no other information, nothing to guide you or tell you what the challenge is. This philosophy is very much like real life: when an attacker is trying to hack into a server or a victim's computer, he has no information at all (excluding social engineering, that's for another day); he only has an IP address, and that's it. We attacked OpenAdmin, an easy-level Linux-based machine. We can't disclose any information for the time being about how we attacked and what we discovered because that's against HTB's TOS, but as soon as the machine gets retired, we will make a writeup for it! But I think the most important thing we discovered yesterday wasn't the tools or CVEs, but an important aspect that I was willing to write a blog post about for quite a while now...
The skills you develop
Learning pentesting is weird: you don't really learn pentesting like you learn physics or maths, and there isn't a clear path to becoming a pentester. I think that it was very well explained in this video, "The Secret step-by-step Guide to learn Hacking", a video that I watched a long time ago and whose meaning becomes clearer to me each day. Back to our subject: a lot of members yesterday discovered that CTFs do really help. One of the biggest aspects of pentesting, in my opinion, is enumeration; we call that word in our language "tb9chich", and I think that's one of the skills that comes with practice, and a lot of practice. I am sure that most of you, if not all of you, when you think back to years ago when you were a kid, loved exploring (in the context of computers). This love of exploration has grown with me, and it is why I now love CTFs and pentesting.
Overall it was a great experience. With each challenge, whether it was HTB or CTFs, we learn an enormous number of skills. We are still aiming for better ranks in HackTheBox, especially the academic ranks, and we will soon fulfill our goal to become the first Moroccan school in HTB, just like CTFTime ;)