During my time at university - I'm currently enrolled in a master's degree studying Computer Science - I've come to realize that the world of Computer Science is extremely vast. Both in the theoretical landscape as well as in the practical one there are so many things to study, to learn and to understand that one has the constant impression that no matter what you know, there will always exist a context in which you are just a beginner.
Up until the third year of my bachelor's degree, theory is pretty much all that I did. I certainly wrote some programs to implement a bunch of algorithms that we studied during lesson, and I enjoyed getting my hands dirty for sporadic assignments and projects, but that was not much overall, and the theory was way way much more than the practice I was doing. And since I enjoyed theory, initially I thought that it was a good thing for me. Yet, as time progressed, I could not help but feel like I was missing something. I was studying a lot, and I was learning a lot, and I liked to do pretty much everything related to Computer Science, and yet I felt like my practical skills lacked quite a bit. I had this constant feeling that I was using my computer in a very limited way, at least if compared to the way I could be using it. In the theoretical aspects of Computer Science I was progressing, constantly learning something new, but in the practice side of things I was stuck, and I did not know how to move forward.
Looking back at the situation just described with some new insights, which I discovered along the way, I am pretty sure that the reason for my feeling of "stuckness" regarding my practical knowledge of Computer Science came down to the fact that I had no real objective to follow. I always tried to learn new technologies just for the sake of it, but I always forgot to do something interesting with them. I would start trying to learn something new with the best intentions, and then, after a couple of weeks of trying and not getting meaningful results, I would simply quit learning, and I would continue to use technology the same old way I was used to, without improving a bit.
To bring a personal example of something I was constantly failing to
learn, let me introduce to you the command line. For those of you
who do not know exactly what the command line is, well, the basic
idea is that a program can mainly be used in two ways:
-
By using a
GUI, that is, a Graphical User Interface.This is the common method of using software that we are all accustomed to. Think about your browser, like
Google Chrome, or your typicalMicrosoft Word. All these software work by creating a visual graphical interface, and you interact with it by using the mouse to click on buttons, menus, and things like that.
While this method is known by pretty much anyone that has used at least once a computer, it is not the only method that can be used to interact with a computer.
-
By using a
CLI, that is, a Command Line Interface.With a CLI we interact with software by typing commands using the keyboard. There is no mouse, no clicking, just straight up text. Each command does something different, and can be used in a lot of different ways to do a lot of different things by using the correct options and configurations.
The main difference between a CLI and GUI is that when using a GUI we interact with the program mainly by clicking on visual things that we can see, while using a program with a CLI requires us to use the keyboard and write on a prompt various commands.
When people who are used to GUIs are shown that there is a different method of using the computer, they immediately think: why would anyone use the computer like that? Isn't it hard to remember all the commands? Isn't it easier to just see what you need and click on it? All these concerns are understandable, and I also thought these things once. Anyhow, it's crucial to point out where they come from: they come from the fact that when we grow up we are used to graphical interfaces. The hard truth is that if one wants to truly learn how to interact with a computer, then one has to drop the convintion that a GUI is always better, because it simply isn't. There are times when a CLI is a much better way to interact with software. There are times when a CLI is the only proper way to interact with software. I am not of course saying that the CLI is always better, I am just stating that it is worth learning if one wants to use more efficiently modern technologies. The problem is that when one is only used to GUIs it is hard to understand why anyone would use a command line interface, which in turn makes it hard to actually learn how to use it.
So that's the wall I was facing: I came to the realization that the CLI was a powerful tool to use, sometimes much better than a GUI, and yet I could not bring myself to learn it properly. The story of how I finally learnt how to use the command line is an interesting one, because it shows exactly what I mentioned before: learning just for the sake of learning sometimes does not work; sometimes a well-defined and attainable objective is needed. So, let's get started and tell this story.
It was the second semester of my third year at university, and I had to choose which courses to follow. I already had the intention of following some heavy-theory cryptography course, which I discovered thanks to a dearly friend, so I was looking for more pratical courses. In general I was a bit tired of all the theory I had done, and to finish off my bachelor's degree I wanted to follow some course which focused more on the practical aspect of Computer Science.
During my previous years at uni I had heard that there was a course
called VDSI (Vulnerabilità e Difesa dei Sistemi Internet, in
english "Vulnerability and Defense of Internet Systems"), which was
offered by the Ingeneria Informatica degree (that is, Computer
Engineering) to cover the basic aspects of computer hacking, which
in technical terms is called penetration testing. I had zero
pratical knowledge on the subject of hacking, but, as most people I
think, hacking has always fascinated me. I used to read the stories
of important hacks and of the people who did them, and I always
felt like it would be cool one day to understand what it means, in
practice, to hack a system. Since hacking seemed like an extremely
pratical subject, and since there was a course which I could follow
that discussed these things, the decision was pretty much taken: I
would follow this course to finally learn something practical!
It shoulnd't come off as a surprise that things did not really go as expected. What actually happend is that during the first couple of months of the course I hardly learnt anything. The lessons were pretty boring, and even the "practical" things were kinda boring aswell. At some point I actually felt pretty disappointed with the course, and I was starting to regret my decision of following it. I liked the subjects that were discussed and the technologies that were shown, most of which used the command line in one way or another, but I felt distant from all of it. I felt distant from the course itself.
Then, one day, something unexpected happened. At the end of the 9th
lecture of the course, which happened on the 10th of April of 2018
(yes, I try to log everything), the professor of the course, that
from now on we'll simply call Alberto (because that's his actual
name), suggested that we tried a platform called Hack The Box, from
now on abbreviated in HTB. He said that what we did during lectures
was done in order to set the basic buildings blocks of pentesting,
but that each one of us had to practice on our own, because
otherwise the theory was useless. HTB was a new emergent platform
that offered a place where one could learn penetration testing by
practising on a bunch of vulnerable machine hosted by the platform
itself in a private network. Everyone could register and use it for
free, but there was a catch: to register you needed a registration
code, and to get the registration code, well... you kinda needed to
find it on your own.
When I got home that same day I went to their official site, I
clicked into the join now button, and I was welcomed with the
following screen
I had no idea what I was doing, but after a couple of hours of trying to understand what to do to move forward and get the code, I managed to get something. It was not the final code, but it was a step in the right direction. After even more trying, I got further and further in, until, finally, I managed to get the code. I submitted it and I was inside: I had done it!
Looking back at it, the steps required to get the code were not
complex at all. The crucial thing to emphasize however is that this
was one the first times were I was "forced" to learn how to do a
bunch of specific things in order to move forward. I learned for
example how to send an HTTP request with specific parameters to a
specific API endpoint, which can be done with the cli software
curl as follows
curl -X GET http://www.informatica.uniroma2.it/ # send GET request
curl -X POST http://www.informatica.uniroma2.it/ # send POST request
curl --cookie "cookie=2;" http://127.0.0.1:1337 # send request with cookie
I wasn't learning just for the sake of learning per se. Rather, I was just trying to get inside the platform; the learning came as a necessity.
Once I got inside the platform, I was amazed to see just how much there was to be done:
-
A constant pool of
20 active machineswhich were ready to be hacked, ranging from easy to extremely fucking hard; -
A ton of challenges, each of which specific to a certain aspect of computer hacking, like
Web,Crypto,Reverse, and so on and so forth.
At the moment of writing this artcle HTB grew even more and now it
offers pro labs, environments that allow one to get an even more
realistic hacking experience.
In the days that followed, I slowly started to do my first
machines. The first machine I ever completed was called Bashed, and
even though it was super easy, it took me a bunch of time to figure
it out. But no matter how much time it took, I kept making
progress, and everytime I made some progress - even the smallest
one - It was an extremely rewarding experience, all the effort I
had previously put in paid off, and I was motivated to put even
more effort into it. If you are interested in how I did it, go and
read my article detailing it: HTB Writeup - Bashed
As soon as I finished the first machine HTB grew on me. It
immediately became a sort of logic game, where technology was just
a means to pwn the machine, to get that root shell and the
inevitable dopamine release that followed. It is hard to describe
the feeling of making an exploit work and spawning a reverse shell
on a remote machine after hours of effort. One has to simply try it
to get what I mean.
A great help in learning the basics on how to proceed when doing a
new machine was found in the videos made by IppSec, available in
the following youtube account.
In general the HTB community was super helpful, and when I was stuck I would check out the official forum for some hints and tips that would help me move forward with the machine I was doing.
It is funny to look at some of the notes I have taken during my
time playing with HTB. I remember in particular Reddish, a machine
created by Alberto himself which took me quite a lot of time to
figure it out. It was a bit hard, but it was also extremely fun.
It is exactly by doing machine on HTB that I finally learnt how to properly use the command line. Initially I did not even realize it fully, but after a bunch of months of constantly doing machine after machine, I started to realize that the knowledge I was gaining by practising on the platform could be used even outside the context of penetration testing. I had finally learnt how to live in the shell. I had finally understood how to harness the power of the command line.
This is why I will never even come close to regret the decision of following VDSI, and why I will always be grateful to Alberto, because even if the course was a bit boring at the start, the inputs given by the course were all the right ones, and it is thanks to those inputs that I have gained a lot of practical experience in using modern technology.
After almost a year of HTB, around january 2019, I was about to graduate and I started to spend less and less time on HTB. I was thinking about other things and I didn't really have the concentration needed to keep doing new machines. Yet, even if I stopped playing on the platform, I was still constantly using the command line and I was still trying to use the technology around me in better and more efficient ways. I would thus suggest to everyone, especially those interested in learning the basics of computer hacking, to try out Hack The Box, because the time spent on the platform really pays off, in a bunch of different and unexpected ways.
Recently I started going back to HTB, and just yesterday I
completed my first machine in months (Blunder). It was an easy
machine, because I am still a beginner in the penetration testing
area (we are called script kiddies), but it was fun, and I plan on
doing more machines in the days ahead with a friend of mine (met,
incidentally, during the exam of VDSI). I am not sure what my
future holds. I don't know wheter or not I will want to have a job
in the cybersecurity industry. Yet, I have discovered that computer
hacking can be extremely fun.