From Developer to Pentester
So if you have been around here before, you’ll notice that everything has changed except the domain name which will soon. You may remember too, if you read the “about me” page before that I was saying I wanted to be a pentester. Well a lot of things happened since and now here I am, I’m on my waaaaaay to the pentester laaand (it won’t be funny unless you listen to AC/DC).
I usually get asked the question why I want to be a professional pentester when I’m a good developer and if I may say without being arrogant, one of the best among those I worked with. Well let’s go back to the origins, to the 90s actually, before I even touched a computer.
As a kid, I was a lot into comics, mangas, animes, video games and technology in general. I was the kind of kid that dismantle the TV to see how it was made (yeah I did that) or the kid mum and grand ma called when any of the “technology stuff” was not working. That lead me to be very interested in the movie
Hackers (1995) starring Angelina Jolie. At the end of the movie, I got lost in my thoughts about why am I not as skilled and cool as Zero Cool, the main protagonist, why don’t I have a cool nickname like them, etc. I got seduced at that very moment by the computer word.
Next, I watched a documentary about Kevin D. Mitnick aka The Condor and at that time, an infamous black hat. In that same documentary, they dived deeply into the world of hackers as described by Steven Levy in his book Hackers: Heroes of the Computer Revolution and they even talked about the Hacker Manifesto written by The Mentor.
That was it! I was deadly hooked. I was interested mainly because I felt myself in the manifesto, it was boring at school and all, but also because in my kid’s mind these guys were real badasses with cool nicknames even if they were doing criminal stuff.
Things got really serious when I got a PC under Windows 95. I remember my uncle talking about it as THE FUTURE. I didn’t have at that time any kind of mentor and not even a regular access to Internet because for those who don’t know, I live in Senegal in Africa. When Internet finally became available in my country, my dad got me access to an Internet Café 6 hours a week. Guess what comes next ?! I learned about assembler, and how to bypass license control for some softwares, haha.
Fast Forward to high school. I’m in an elite scientific class and they setup a lab where we could get free access to internet. I found that the school principal made a Samba share of his computer drive with his assistant and they were on the same network as the lab. I broke into it and discovered a folder holding all the math and physics tests for our class. They were made at the beginning of the academic year and sent to the principal who made sure they are double checked by other teachers to certify the difficulty level for an “elite” class. I’ve seen movies and documentaries about doing things like that so I got scared and shutdown the computer. If I were to be caught, I would be accused of cheating and it may be the end of my school life and my parents would undoubtedly kill me. I actually never went back to the lab…
Long story short, I’m in the computer world because I wanted to be a hacker in the first place. But due to the lack of formations in computer security and market offers in Africa at that time, I went into software development because well, bills need to be paid and I must earn my life fairly. However I never dropped “hacking”! I was in challenge websites like NewbieContest, ThisIsLegal, …, and sometimes reading security newsletters and blogs.
After the motivations well defined, you are probably asking about the motive (why now ?). I work in a corporate and they decided to setup a pentesting departement. So I said, this is it! This is the perfect moment to switch. This time I got a mentor who is certified OSCP, ranked Omniscient at HackTheBox, very experienced and most of all, patient, kind hearted and willing to share. This time I got someone and guidance is of essence for a “rookie” like me. I can finally take on hands-on labs and have real life experience.
As a former developer, I intend to take next the eWPT Family Certifications and the AWAE Certification. This choice is mainly guided by the fact that it’s only reasonable to take advantage of my previous years and huge experience as a software developer. Still working with software but from a perspective of a hacker, that is the goal!
As a software engineer, I was mainly focus on all things that would make me a better software engineer. And as the tech world evolves quickly, that meant being constantly up to date, using my free time to learn things about software languages, software architectures, frameworks, DevOps, etc. But at the same time the software world was evolving, the security world was evolving too, leaving me far, far behind. So the first challenge was to get back up to date because to tell the truth, I got rusty, swallowed by software development.
It is not an easy task to refresh some “lost” knowledge like buffer overflows, getting familiar with the new and abondant tools since the arrival of GitHub, the methodologies and all that stuff. I watched and I’m still watching a ton of videos, I’ve read and I’m still reading a ton of tutorials and books, I’ve executed and I’m still executing a ton of commands (the favorite part). I rediscovered the power of security linux distros like Kali Linux and the lighter one (my favorite actually) Parrot OS.
Little efforts later, I’ve become what is called Script Kiddie and went further. Now I’m bit by bit learning not only to think outside the box but to get as independant as possible from known frameworks and tools such as Metasploit. It’s a little difficult but Google and GitHub are my best friends and it’s working pretty well.
The second challenge was with the corporate. Let me help you get a picture why it is a challenge. Imagine one of your best developer, one leading a whole team, one providing guidance to fellow colleagues busting into your office with the idea to stop making softwares because he wants to become a pentester without a strong background to back it. How would you react knowing that the security world he wants to step in, while still growing slowly, is far from software development in terms of market opportunities (let’s not talk about how that gap is huge in Africa!) ?!
In the corporate philosophy, even if it is important to let employees enjoy what they are doing, it is a huge loss to let go a good developer whom clients, developers and managers love working with. And just like that, the “fight” between me and “the guys in suits” started, lol. And it’s still going on so wish me luck!
What Next ?
From now on, I will mainly write about my passion which is penetration testing. Of course I will let some of my previous articles in the blog and sometimes I can make one or two about development if I judge them interesting. I will post write-ups of some challenges from websites like HTB if I’m authorized to do so. I hope too that I will have to share some things that I found during real life jobs and even share my own discoveries.
But beware that my write-ups will be a little different from many I have seen on the web. On those, I noticed they kind of jump directly to the solution without completely giving the chain of thoughts that lead them there. In mines, I will post them like I did them. Thus, if I followed a rabbit hole or adopted a bad practice during the challenge, you will have to see it too. That will give you a real impression of how hard it was for me to make it but also, you will learn of my bad practices in order to clearly identify yourself the dos and don’ts. So take the time to go through all the posts before going back to your terminal.
In my opinion, this is important because when I was getting back in the game, I found myself doing a lot of things the wrong way like forgetting the trailing ‘' when listing a Samba share (that’s dumb but I did!). More, I see this method as some sort of support for the “newbies” to let them know that they are not the only ones following rabbit holes and struggling to get things done. In fact, by reading lot of write-ups,I sometimes feel dumb that it was so easy for the author to find the way when I lost days to do it.
That’s all folks, thank you for your time and follow me on twitter to get informed about new posts.