We all know the old adage: “Rome wasn’t built in a day”
It’s widely known for a reason. A large project takes hard work. It takes dedication and time. But I propose that there is a secret, implied continuation of that phrase:
” … and it wasn’t the first thing the Romans built, either.”
Setbacks!
I recently completed the redpanda box in HackTheBox. It was categorized as “easy” on the site, and I went in confident.
I still struggled with it. I completed it, but do you want to know a secret?
I CHEATED!
That’s right – I used a writeup. I started the box about two days ago and spent hours researching different things and throwing stuff at it. Once I got the webpage to display a unique error page, I discovered with some googling that it was running a framework called Springboot. So I got to work looking at CVEs for Springboot. I spent a bunch of time trying to get Spring4Shell aka CVE-2022-22965 working. I ran a few different payloads I found on exploit db related to it to no effect. I tried another angle based on CVE-2022-22947 using a python script written by Carlos Vieira with no success. I looked up injection techniques and finally – FINALLY found something that at least looked promising.
After looking into different XSS vectors and finding nothing useful, I wound up looking into SSTI instead after a clue from the official HTB forum post on the box. Trying many different SSTI techniques from this page, I found a way to run code: #{7*7} returned some garbled output, and the number 49. It looks like the server calculated my equation, which was great! But it left me with one big question – what now??
Feeling like a failure…
I had no idea. I thought to myself – “I have no idea what I’m doing”. I know Javascript decently well, I’ve used Python in the past and I’ve even written a simple game in C++, albeit a long time ago. But Java? I’ve never touched it. I felt lost. I felt dejected. It was late at night, and I was on day two of spending hours looking into fruitless avenues for an “easy” box – that label taunted me. I was fighting imposter syndrome, and wishing I’d started learning pentesting years ago. My thoughts were starting to spiral. What if I’m not good enough – not “smart” enough – for this world?
…doesn’t mean being one.
I shook it off and reminded myself of all the cyber videos I’ve watched that emphasized, among many things, the important of persistence, and of constant learning. I started thinking: You know what? I have already learned a lot here. I have notes in Obsidian (shout out to a great note taking app!) on two different CVEs. I’ve learned about a new injection technique and found a great resource for future pentesting endeavors in the online hacking tricks book. In his TryHackMe videos John Hammond said there is no shame in looking at a writeup – after all, how else can you learn when you are just starting your cyber journey?
The only failure is failure to learn.
So I peeked at the writeup and I was floored by what I learned. The escalation techniques were things I would never have known about. I would have run LinPEASS and spent hours combing through the output, maybe finding something useful, maybe not. But through the googling and prodding, I would have learned new things regardless. Rather than looking at it as “I didn’t know enough, so I must bad at this”, I turned it into “Wow, I just learned a lot and now I have some great notes for the future”. I learned that the “real” boxes in HackTheBox that have no hints about what to do next. I know from videos I’ve seen, as well as from a chat with my friend and fellow Cyber learner Lyle (whose knowledge of tools and techniques always inspires) that the rooms that TryHackMe offer guidance much like the Starting Point machines in Hackthebox – and I had a lot of success with those.
Up to this point I haven’t looked at TryHackMe in detail yet, because I felt like I had already ‘committed’ to HackTheBox, but I think I will jump over to TryHackMe for now as the guidance the rooms there provide is something that benefits me with where I’m at in my journey of learning and discovery. And I’m ok with that because:
“Rome wasn’t built in a day, and it wasn’t the first thing the Romans built either.”
I hope this post inspires you as I’ve been inspired: to stay positive, to keep learning, and to stay humble!
~ Mike ‘kefka’ Babineau