So what CTF stuff did I see at @HackingEsports today that I can pass on to other young hackers in training?

1) There is a *fabulous* and global next generation of hackers out there growing up, and we should be really proud of their hard work and sportsmanship. I definitely am!!
2) No matter what, don't give up, and don't quit the CTF.
Nobody knows everything about hacking or cybersecurity. Even if you're struggling with a CTF, just relax and learn what you can. The point isn't to be first place.
3) Learn when to move on. Today's Windows-based challenge stalled all the participants up for a bit. The difference between the people who finally got flags first and those who got them later was a decision to move to a new host or tool when one wasn't working or going anywhere.
4) Use the effective tool for the job, even if it isn't the trendiest. A Windows-based challenge meant that simply using native RDP and SMB was sometimes faster and more reliable than Linux tools. The more complex the solution, the more potential points of failure.
5) Enumerate and understand the environment, first. I saw a lot of people jumping through exploitation methods, scripts, and attacks, before even identifying what hosts, protocols, ports, and specific operating systems were in use.
6) Take good notes. Have a good method for note taking and keep track of where you've been on the network and what you're doing, even if you have limited time. Otherwise you can miss something obvious or redo work, later.
7) Don't judge every CTF simply in relation to the OSCP. Sure, there are CTF-like elements in the exam, but it also includes mental challenges and constraints that are very unique. Use CTFs to learn tools, tactics, and techniques, and don't poo poo them if they're simpler.
8) CTFs are for learning skills, networking, building your confidence, and trying new tactics. Winning the gold medal shouldn't be the point. Most offensive CTFs aren't particularly representative of modern red teaming or adversaries, anymore. They're educational.
9) I don't really believe in 'purple teaming', but blue-teaming skills are really important for red-teamers, and vice versa. Everyone should cross-train. Delving through pcaps and NetworkMiner tripped a few of the participants up. I have to do that daily. Adversaries do, too.


