Interview with Ippsec

Many people have wanted to know more about ippsec, the person who always manages to stay out of the limelight while putting out videos teaching people his methodology for researching new services and hacking machines on a weekly basis. Thankfully, I know myself quite well and was able to convince myself to take time to answer a lot of the questions that I continually see asked.

What drew you to Hack The Box?

I remember seeing HackTheBox advertised in an IRC Server, then ignoring it because I had trouble with the invite code and honestly didn’t see the value in joining. Then a friend in one of my Google Chat groups was trying to bypass some XSS Filter that required encoding an IP Address in a unique way. From reversing malware, I'm pretty used to seeing IP Addresses encoded in hexadecimal form, so 127.0.0.1 becomes 0x7f000001. I do not believe this is specific to malware, but there are just very few times I'm opening up a legitimate binary in a debugger to examine exactly what it is doing. However, I told the friend to try encoding the IP Address differently, and surely enough, the filter was bypassed!

Eventually, I found out this was the Holiday machine on HackTheBox which g0blin (now CTO of Hack The Box) had created. I wanted to see what other fun tricks these boxes would teach, so I tried to sign up for Hack The Box. I say try because the signup challenge gave me a lot of trouble and I remember following a guide. After seeing the solution, I was ashamed I went down the SQL Injection or Auth Bypass rabbit hole for so long since the challenge just wanted people to read JavaScript. However, that is life and that feeling happens to everyone.

Once I finally passed the login challenge, I made it a point to solve every box, reaching out to the creators after solving it to see if there was anything I missed, which really helped me optimize my process and methodology. Eventually, I became #1 on the platform, and Ch4p (Creator of Hack The Box) joked about making me a moderator so other people would have a chance at the bloods. I gladly accepted it, as the amount of stress I put myself under to compete from these bloods was insane. It was a big relief to be a part of "the other side" of the operations, as I don't consider myself a Red Teamer by trade. I've spent way more time on the blue team side of things building and defending networks.

What made you start doing videos?

Before I spent so much time in CTFs, I played a lot of video games and was a commentator for Starcraft 2. I was actually among the first Twitch Streams to reach “partner status” which meant Twitch paid me money to use their platform. My motivation behind streaming back then was to improve my speaking skills, as I grew up with a speech impediment called Rhotacism, which was made famous by Elmer Fudd (Looney Tunes) or Kripke (Big Bang Theory). When I started my journey on HackTheBox, I couldn’t play games simultaneously. I uninstalled Starcraft and all my free time went into HackTheBox. My speech started to suffer, so I remember asking ch4p if HackTheBox would allow for writeups/videos on old machines, which would enable me to continue commentating and improving my speech. 

How did you learn everything?

This is a question that I get a lot and really dislike because I wouldn’t advise people to learn exactly the way I did. I didn’t go to school for this, in fact, I never went to college but still highly recommend people go to college as I think that is the “better way”. The main issue I think people have with college is they don’t value it and only do what the teacher asks for. There are so many extra things people should be doing while in colleges, such as cyber security clubs and private events like CCDC and NACL. 

Security has always been a hobby of mine, for example, I was featured in a PCWorld Article back in 2007 for “hacking” the Apple TV. The “hack” wasn’t anything special, just taking the hard drive out of the AppleTV and enabling SSH before putting it back in. However, the field was really different back than even five years ago the “import pty'' trick wasn’t widely known to improve a reverse shell, let alone all the enumeration scripts like LinPEAS, and HackTheBox didn’t exist. I learned by making goals, spending a lot of time on google to learn how to do it, then sharing my research on my blog which was called TutorialNinjas. 

I think the key thing to “becoming ippsec”, was posting what I did online because people would reach out and correct me or take my research to the next step, letting me know what I missed. Additionally, people would reach out when I didn’t post for a while, which kept me motivated to always keep learning new things. 

Nowadays, there’s so much more material out there to learn, I’d highly recommend reading the interview I did with TheSecurityNoob and Its Okay to Use Writeups blog post for getting started. 

But how do you teach yourself new subjects?

This is a tough question, I think this is where my mindset differs from most people's. The biggest mistake I believe people make is trying to always find the best or most optimal route and not just enjoying the experience. For example, I try to read one technical book a month and it’s not always going to be something I’m working on. I read a book on “Ruby on RAILS” but have never made a RAILS Application, I just wanted to familiarize myself with a different web framework. So when it comes to a new subject, I can generally poke at it and relate it to something I know to get by. Then if I find it interesting enough, I’ll buy a book on it, or attempt to build/set it up myself.

With most people, I think they spend almost as much time trying to follow in someone else's steps as they do learning. This creates two issues, the first one being it creates a task before learning. So people will look for a good path, then get distracted and do something else and that time set aside to learn is wasted.

The other issue this creates is the problem of “instant gratification”, which I talked about a little in my interview with TheSecurityNoob. Essentially, if you target your learning in order to accomplish a specific task. You become an “assembly line” worker able to do that one task really well but all the other foundational skills get left out. Not to say this learning is bad, but if it is the only way you are learning it makes it hard to branch out because you aren’t becoming a master in the subject, which makes it difficult to relate it to the next thing you are learning. 

A lot of the reason I can grasp advanced topics somewhat quickly is that I’ve gained a really strong foundation which allows me to relate the new topic to something I’ve seen, done, or read about before. I have that foundation because I’ve read books and built meaningless applications to learn how things work and where developers could make mistakes. Additionally, when solving boxes, I almost always will read over the code of the custom web application after solving. This teaches me new tricks the author may have used when coding that I don’t know, or just keeps me up to date with all the various ways an application can be created.

Why do you prefer Hack The Box?

In my opinion, the quality of the average machine from HackTheBox has always been incredibly high. This was key because I remember trying various platforms and I’d solve a few boxes before finding one I wanted to do a video on. That bar has only gotten higher in the last few years with great people like 0xdf, Arkanoid, TRX, Mrb3n, Knightmare, and myself joining as full-time employees to act as an “initial firewall” before it gets to our testing team who are all amazing. This has enabled us to have the expertise and time to remove the “Bad CTF Elements” from boxes, examples being:

• Steps being hard for the sake of wasting time. For example, one of the common things we ask from authors is to remove some cracking steps if the box is already heavy on cracking/dirbusting/etc.
• Communication with players, like a todo.txt. While this does help a player move forward, we believe it robs them of really good recon information which is the most important step. We’ll often leave better clues behind that make files stick out such as making sure the timestamp of a binary is at an interesting time.
• Unrealistic modifications that allow for exploitation. For example by default MySQL Servers now are protected by both MySQL, Systemd and AppArmor. We’ve seen a lot of authors disable the MySQL SecureFilePriv, Systemd private /tmp, and AppArmor preventing reads/writes to uncommon areas for that service. For easy boxes things like this are fine, but anything beyond that I don’t like it because players never find out their methods learned won’t work on modern systems and fail when replicating it against real systems.

So to sum it up, I don’t think any other organization puts as much time, effort, and money into machine quality. This means, I never feel like I’m wasting my time when I’m on HackTheBox. 

Gamification is a word used a lot. What does it mean to you?

I believe there are two key elements to gamification, the first one being that it is constantly hands-on and challenging. When you are solving a machine, the keyboard is your controller and you are trying to figure out how to beat the level. There may be times when you go to google to search for tips on how to beat the machine/boss. However, right after researching you pick up the controller and return to hacking. There’s a constant loop of learning, doing, and improving. Just like in video games.

The second element is the ability to just quickly get loaded into the environment. When I first started in the early 2000s, I learned by reading about a vulnerability class, then creating my own program to learn about it. The earliest sites I remember were HackThisSite or OverTheWire, but for some unknown reason, I didn't spend much time there, I honestly was probably just intimidated as I wasn't "a hacker". I believe in 2012, Vulnhub was created, which hosted vulnerable virtual machines for people to download and exploit. However, I wasn't disciplined enough to not cheat with Vulnhub machines, I'd often struggle then just cheat by rebooting the VM into recovery mode and looking at the source code. Hack The Box changed all of this by hosting all the machines on their platform, and allowing users to access it over a VPN. It wasn't revolutionary, as other training environments had similar labs but at that time I believe the competitors charged over $500/m, whereas Hack The Box had a free option and ~$10/m plan. Which, I guess is the third aspect of "Gamification" as it has to be affordable.

I guess to sum it up, I think of games as something I can play instantly and anywhere. Hack The Box, certainly provides that as you can just use PwnBox from a browser or connect to the VPN and start hacking. I remember traveling to Berlin for the "SANS NetWars Tournament of Champions" and solving a few machines while flying over the Atlantic Ocean. Then chatting with people after landing in Germany about how they solved the machine. Thinking back, it's funny because a decade ago when I would travel to video game tournaments for Starcraft, couldn't play the game on a plane as my laptop wasn't powerful enough and for that game, you can't just play it on a trackpad. So in a way Hack The Box provides me more of what I consider a good "gaming experience", than an actual game provided.

What is your favorite box?

This is a tough question, there are so many to choose from. I think I would have to go with Sneaky because I missed something in the recon stage, which made me struggle for days.  To give you an idea how much I struggled, the box is now five years old and I still remember that the initial NMAP Scan only has port 80 open and a member login form that is SQL Injectable but there isn’t anything you can really do with it. If you’ve heard me say “always be running recon” this box is the reason I’ve adopted that motto because the next step was to run a UDP Scan with nmap to discover SNMP is open, which would leak a IPv6 address that has port 22 available.

I remember getting a hint that the box was IPv6, but even then I didn’t go back to my recon. Instead, I started reading an old cisco book I had from my sysadmin days about IPv6. It was there that I learned that the FE80:: address in IPv6 was a “link-local”, which I knew but had always thought “link-local” was another name for “loopback” (ex: 127.0.0.1). However, I learned that it just meant it was only accessible to machines on the same broadcast domain (subnet), and if I got onto a box on that subnet then I would be able to access that IPv6 address! Additionally, I knew a lot of the link-local addresses were based off of the mac address, which can be obtained from other boxes on the same ipv4 network via ARP. So, I pwned a different box on the lab and used it to ping sneaky’s ipv4, grabbed the mac address from the arp table, and then calculated the link-local IPv6 address and used that to login. If this sounds confusing, I outlined everything in my video, along with a few other ipv6 things I learned to get the IP Address. The video is below, I start talking about IPv6 at 06:30, however if you go to the YouTube page, you can get a listing of all the timestamps which makes it a bit easier to jump around.

For the longest time, I thought I was a fool for spending so much time on the box. However, I was talking with people before recording the video and everyone was baffled at how I did the box since it was as simple as running a snmpwalk and getting the ipv6 address. While I hated the box at the time for how much time I spent running against a wall, it is the box that taught me the most, and ever since then I always take a minute when a recon task finishes to think up something else to run. It is very much how I look back on my old high school teachers, the ones I hated back then are the ones I cherish now because their painful lessons made me a better person.

What piece of advice do you think most people need to hear?

I think most people need to hear this is difficult for everyone and cyber security is all just learning curves. Every goal you set for yourself, will seem impossible until you accomplish it and then it seems easy. So the good news there is that it won’t be hard for long.

The problem most beginners are facing with getting into Infosec is not valuing “recon”. This is one of the most challenging tasks because people can skip this task and still complete the challenge, either through luck or just hints. When it is time for a person to take a test to become a “Penetration Tester”, they often will think they can just run a program (ex: autorecon, spartan, etc) and begin attacking the application. When in reality I think this does them a disservice because it provides information overload with all the lines of text.

Recon isn’t just running a tool and looking at the output. It is being able to read between the lines of the output and identify what it isn’t telling you. My favorite example is nmap reporting a JSESSIONID cookie from an NGINX or APACHE webserver. This tells you that the webserver is likely acting as a reverse proxy to tomcat, which has some really unique SSRF like attacks that may allow for accessing the tomcat management interface. If that doesn’t work, then I test for common java vulnerabilities like log4j, java deserialization, java SSTI payloads, etc. While having automated tools like SQLMap look for the more common vulnerabilities.

Hacking is still an art, not a science. Flow charts and automation is great, but if attacking things was really that simple then large companies like Tenable, Rapid7, NetSPI, NetSparker, Scythe, or MITRE would have come out with a magical product that can reliably secure a network without the need for a human tester.

How can people find you?

By far the best way is to follow me on Twitter (@ippsec) and subscribe to me on YouTube. If you want to search for something I've done in the past, I try to put everything up on ippsec.rocks. Recently I created a contributions page on that site to showcase all the non-standard content I publish, such as HTB Machines/Blog Posts, Podcasts I'm on, etc. Additionally, I am trying to stream on Twitch weekly, currently, I stream Sundays at noon UTC, but since it is live the time is subject to change, I'd recommend heading over to my calendar on Twitch.tv.