Overview and What to Expect:
the First reason me writing this blog is that, i suffered a lot while learning without knowing the difference in between the Penetration testing and CTF, while learning skills for my PNPT i Tried to apply them on HacktheBox and mostly failed as you all know that even the Easy boxes in HacktheBox are not that easy. Even though i was able to gain the required knowledge and solve that particular box, it affected my confidence in Pentesting and put me in NOT ENOUGH state. Keeping that in mind, For that people who are jumping on and off between the line of the Penetration testing and CTF, here’s my first blog for you…. 🙂
Penetration Testing VS CTF:
Firstly before Jumping into CTF directly, i want you guys to look at Penetration testing deeply.
In Penetration testing, we have Internal Pentesting and External Pentesting.
In Internal Pentesting(GreyBox testing) we will be placed inside a Network and can have some access to the network, where as in External pentesting, we will hack just like an Outsider (BlackBox Testing) not knowing any specific Information about the target except the target IP/Domain name. We will start OSINT from that point and Gather as much as Information as we can to Hack our way through it.
Pentesting Consists of Phases those which we also use in CTF’s but the Major difference here is:
Playing CTF’s will improve your skills there is no doubt about that, but before jumping Right into them, you have to have Your Skills ready to be used for. CTF’s are Gamified version of Penetration testing, the tools that you use in CTF’s and Real World Penetration Testing are mostly same, but the Scenarios are Different. The CTF’s are specially designed hard for anyone to Crack through and this might not be the case always in Real World Penetration Testing.
Let us take an Example of Cars 🏎, First you learn what is what and how to Operate it, then you learn to put use of your knowledge by Implementing what you have learnt overtime, then You will learn to ride the Car Without any issues. Congrats You learned the Pentesting. Didn’t Understand..? Let me Explain..
First you start Off with the Basics of Pentesting and learn all the required Individual modules Such as Programming, Operating Systems, Networking, Linux and Pentesting etc, and perform on Labs or some Machines for practice and learn more during this process. At One point, you will know you Knew something, not everything but Something.
But when it comes to CTF’s, its the Race Car Competition. the Hackers that are there on the platforms are Professional racers, they know the tricks and tips of the Car(I hope Im making Sense). they know the Machines well and to perform which scan in which condition and to perform which enumeration technique on that Specific port and Knows where to perform an Injection attack and Where to look the Output for. This makes the difference.
Im not Discouraging anyone from playing CTF’s to gain some experience but Im saying Just know that, it requires some mastery over your Skills. and these platforms are built for the people who has some Mastery on their things and knows what they are doing. Whether its a Platform like HacktheBox or Proving Grounds.
Some Other websites like OvertheWire and TryHackMe are the Exceptions, you can learn at your pace with them as they are beginner Friendly(Mostly).
Bug Bounty is about the Web Application Security, you will be given a specific range of Domains and you will have your own Checklist of Vulnerabilities or Logical errors and things that you want to look for in that specific target, like Command line Injections, CSRF, SSRF, Information Disclosure etc. and when you find any bugs which compromises the security of the Company or the Organization, you report them.
So what is the best time to Jump into CTF :
Well, no one is as good judge as you, So when you are tired of learning the content all day and want to check how good your practical skills are, You can go and try playing some machines on the Platforms like TryHackMe and HacktheBox. Feel free to watch some Walkthroughs, Explore similar content, Read and Debug the exploit code, learn how things work…repeat this process again and again…
Thankyou for reading 🙂
I Appreciate your Feedback on this post of Mine..
Until then, Phani Mapvs Signing Off…