ChatGPT hacking buddy

I’ve given many talks on cyber security and ethical hacking over the past few years and one of the things I tend to say a lot is: “There is no such thing as cheating in hacking”.

What I mean by this is that as long as you are learning you are not cheating. It’s only when you take shortcuts and learn nothing in the process that you are cheating yourself.

So when attempting a CTF or Hack the Box or Try Hack Me machine and you get stuck and you have exhausted every technique and trick that you know and nothing is working, sure, go search for a writeup or forum posts on how to progress. Read just enough to get yourself unstuck and then keep going. Learn the technique, tool, or whatever you needed to know to progress. Add it to your knowledge-base.

This is learning not cheating. Finding the answer but not learning how and why it worked is just cheating yourself.

Recently I found myself stuck on a CTF that I was taking part in for fun. It was brand new so there were no writeups or forum articles to peek at. And I was stuck. In theory I could just move on to the next challenge and come back to this one later, time allowing, but I was having fun and I wanted to figure out why my solution wasn’t working. I wanted to learn, now.

I decided to see if AI could help. I’ve been playing around with the free version of ChatGPT recently and wondered if I could make use of it in this situation. I gave it a copy of the code from a program I had disassembled as part of the CTF and asked it to tell me what the code was doing. It did, in great detail. I then asked it how I could extract certain data that the program was storing in memory. It gave me detailed instructions using a tool that I was unfamiliar with. I asked if I could do the same with another tool I was familiar with. It kindly said no and offered to teach me how to use the tool it recommended. I agreed and learned how to use the tool and managed to make progress.

I then continued hacking at the CTF asking ChatGPT for assistance when required. Although technically cheating, I was constantly learning throughout, and although I managed to get some virtual points on a virtual scoreboard, they were worthless in the real world, but the knowledge I gained from hacking with ChatGPT was priceless.

So now when I get really stuck and I’ve exhausted everything I know, I turn to ChatGPT as my AI hacking buddy. Only after I’ve finished the challenge, or both ChatGPT and I have failed to come up with a solution do I go looking for a writeup.
  

Temporary email

It’s very annoying when you come across something useful online that you want to access like an ebook or article that states that it is completely free, you just have to provide your email address before you can access it.

When we think of something that is free we tend to think in terms of monetary value. But cost comes in other forms as well, such as our time, and our data. By providing your email address you are giving away information, for free. The individual or company that you are giving this information to may use it to sell you something or to sell the actual data that you just freely gave. There are data brokers, email harvesters, etc., that will pay real money for valid email addresses, especially if they come with context. For example, if you were trying to access a free eBook on investing they now know that your email address belongs to someone that is interested in investing and that is valuable information.

The trick with such sites and asks is not to give your real email address yet still get access to the free content. To do this there are free temporary email services. Just google temporary email to see what I mean. With the click of a button you can create a randomly generated email address with a short time to live in minutes that you can use with the site offering the free content. You can then read the article or download the eBook (obviously scanning it for viruses and malware before opening) and when you are done no one has your real email address. Simples! 

HTB peer snooping

HTB (Hack The Box) offers a free and premium (VIP) tier for its members. It’s a great platform for learning ethical hacking (along with Try Hack Me). I promised myself that after I’d gotten through the free content that I would treat myself to VIP membership, but have yet to do so. You see, I discovered that there are unintended benefits of free membership. In addition to lots of free content including the seasons machines, there is a little known way of learning on HTB: Peer snooping.

You see, when you access a machine via a non-VIP account you are essentially sharing the (virtual) machine with other users. And when you have a foothold on a box and you are stuck on privilege escalation you can snoop on other players. You can look at who else is logged on and you can monitor what they are doing. You can see what tools, commands, CVEs, etc they are trying and can learn from them.

So next time you are trying a HTB machine and you have a foothold (a login with shell) try snooping on others that are also trying to pwn the machine. You may learn something.

Car modifications vs insurance

Over the years I’ve modified many cars that I’ve owned. Everything from small modifications that improve security or passenger comfort, to engine, suspension, and braking modifications. And there’s one thing I’ve learned with insurance companies. It’s how you explain the nature of modification in terms of how it affects performance and risk that affects the cost of your insurance.

One of the many jobs I’ve had in my career was working on the development of car insurance software and I got to see first hand how the process works behind the scenes. You essentially start off with a baseline insurance quote based on the stock version of your vehicle. Then you add the modifications, and the underwriter, the actual company that will insure the vehicle, reviews the modifications based on their understanding of the changes made, plus algorithms involving risk, the amount of time the car is likely to be driven on the road, etc. Then an additional amount is arrived at and added to the baseline cost to provide you with your individual quote.

So the key here is to ensure that you correctly inform your insurance company about all modifications that have been made to the vehicle, while trying to get the lowest quote you can. And there is an art in doing this.

Note: You must inform your insurance company of any and all modifications that have been made to the vehicle, otherwise your insurance is null and void. It does not pay to lie! Many modifications are now standard, in that they are a selectable option, such as alloy wheels, wider wheel arches etc. Here I am talking about modifications which can be interpreted or stated in different ways.

As an example I once modified an Austin Mini by installing a ‘stage 1 kit’. There are at least two ways of informing the insurance company about this particular modification, those being that:

1 – I have increased the vehicle’s bhp by 20%
2 – I have increased the vehicle’s bhp by 8bhp

Both are factually correct. However as an experiment when repeating statement one to the potential insurer I was quoted a three-figure increase to my insurance, whereas with statement two they said it’s so low that they will note it on my policy but that it would not affect the premium in any way.

Notice the difference?

Never stop learning

One time I was asked to take a junior tester under my wing and show him the ropes. One day he says to me “It must be hard for you to learn new things at your age”. He wasn’t being funny or anything. He genuinely believed that the older you get the harder it is for you to learn new things. I corrected him on that.

This thinking is supported in our culture. We’ve all heard people say you can’t teach an old dog new tricks, or that it’s better to learn a new language at a young age. I’ve thought about this a lot and my thinking is this: that you can learn something new at any age, but as you get older you become more stubborn and resistant to learning something unless you absolutely need to know it or you find it interesting.

As I write this and look over at my bookshelf I see books on finance and investing that I’ve been reading recently as I’ve been fascinated by how the world of money works. And because I’m interested in this subject I’ve been devouring books and other media on the subject and I now know a lot more on the subject than I did a few months earlier.

You will also find that on occasion a client will ask you to learn or master a new tool or technique in order to be able to complete the work for them. Not learning in this scenario can cost you both money and reputation. I’ve met people who will say things like “I’m a tester I don’t write code”. What they really mean is that they are afraid to try. Don’t be afraid to leave your comfort zone but do manage the risks!

Never stop learning. Whether it’s new tools and techniques being developed for your profession or subjects you are interested in like finance, business, the economy, coaching or consulting. We should all never stop learning.

A good tip I’ve learned is to never be the smartest person in a room or on a team. It might boost your ego but that’s the only thing that will grow. Everyone else will have you to learn from but you won’t have anyone. I like to work with smart people so I learn something from them.

So remember:

You can teach an old dog new tricks!
Don’t be the smartest person in the room, understand your client’s business, and learn from other people’s mistakes (it’s cheaper).