The Second Week
I went into the week extremely optimistic. After reflecting on my first week, I quickly realised that I had been far too hard on myself. Anyone in my position would have performed in exactly the same manner. The main thing was taking the positives! I did find a number of things worth reporting, and that is what matters!
I logged on at the beginning of the day and received my brief for the week: one project, a large web-app test with a number of different domains. I started off with the usual, as expected; basic scans and enumeration before testing the platform.
If the first week taught me anything, it was that developing a firm methodology to stick to is 100% needed, so during my time off I decided to start writing up a set of notes to follow and check against every time.
This wasn't by any means glamorous, but it certainly helped going into day two. By then I had a fairly decent understanding of how the application worked and a list of different things to work through in order to identify what vulnerabilities exist.
I wish I had more information to drop into this week's blog post, but it hasn't been all that eventful other than a massive growth in confidence, so I'll drop some takeaways below for this week.
Takeaway for the week
- Don't be so hard on yourself. If you're like myself and this is your first time in industry, it won't be easy and you won't understand everything. That's fine, use it as a learning experience in the long run!
- Implement a methodology and stick to it, you won't regret it!
- Take your time to understand the application and identify potential vectors for exploitation! (This I can't emphasise enough!)
- Take plenty of notes on how things are working! You can fall back on these as you progress with testing.
- Research outside of your working hours. This is one I'd usually have a problem with, but it helps so much with your daily work, especially as a penetration tester. After all, it is your job to identify potential attack vectors! Keeping up to date with new vulnerabilities will help. I can't emphasise how useful platforms such as HackerOne and their Hacktivity feed can be, alongside following bug bounty hunters on Twitter!
Thanks for reading, and I hope this series continues to develop as I progress within this role. The learning for this week was to ensure you develop a methodology early on and take plenty of notes. That's something I never really had in place when completing rooms on HackTheBox; however, as I've been doing rooms lately, I've been using them as a chance to improve my note taking so I don't have to return afterwards and update them. It's better to refine what you have already done instead of repeating it!