How I Landed My First Offensive Security Gig


Hello all! Today I am going to share how I landed my first Offsec gig.

Finding Direction


In my final year of undergrad, I was working part-time as an Application Security intern. While not at work, I enjoyed spending time mentoring students at the high school level who are interested in pursuing a career in technology, and most of all, I was dying to graduate. 



I had a fantastic internship experience. If you are interested, I describe my internship experience and how I got my first cybersecurity internship [here].  As an intern on the Application Security team, I was responsible for delivering automated solutions to scale product security across the organization. 



I started my internship with zero security knowledge or experience. I was not sure what area of technology interested me before this internship. But that experience gave me the direction I needed.



I worked on the Application Security team as an intern for a little over a year. Unfortunately, right before I graduated, I found out that there was not enough budget for me to join the team full-time after graduation. This happened right before the quarantine situation in 2020; as a matter of fact, a couple of days later my team began working from home. 



So, back in the same spot of uncertainty as most new college grads find themselves in, I woke up and applied to as many jobs as possible before work every single day. Then one morning, I recalled that the Offensive Security team was interviewing for an open position right before we left office. I asked my mentor what they thought about me possibly applying for the job since I lacked real security experience. I spent most of the internship developing automated services, and I lacked the fundamental security knowledge required for offensive work.


Still, I desperately wanted to learn about security and stay in the field. My mentor spoke to the Offsec team manager, and soon after, the manager reached out to me. 

My First Offsec Interview

My interview was a capture the flag (CTF). I was only expected to attempt the easy flags. There were four easy (100pt) flags: SQL Injection (SQLi), Cross-site Scripting (XSS), Command Injection, and System challenges. The rest of the challenges were similar but more difficult. The points for each flag increased with the difficulty of the challenge.



Usually, interviewees would attempt the CTF on-site during their interview. However, since we were in the quarantine age and approaching final projects for school that week, the hiring manager allowed me to attempt the CTF from home from Monday to Friday. Come Friday, we would have a video call to discuss what I had accomplished.



Ultimately I captured four flags but not the four flags I originally set out to. I was able to capture 2 SQLi flags, the easy challenge (100pt) and the difficult challenge (1000pt), and 2 of the Command Injection flags, resulting in 2200 points. 



My understanding was barely scratching the surface, and that honestly now feels like a generous statement. I mentioned above that there were 4 “easy” flags: SQL Injection (SQLi), Cross-site Scripting (XSS), Command Injection, and System Questions, but they weren’t labeled as such, or at least not for a noob like me. I had no idea how to approach solving these problems. The hints that existed in the title went entirely over my head. I was flying blindfolded in there.



My folder of notes was huge and filled with unnecessary information. I saved entire HTML webpages. I was taking down all the information I could. I was hoping to gain as much knowledge about the target as possible, and then hopefully, I would have an idea of how to attack it from there. I did not think to use a VM or Kali or any tools of that nature. Besides using Community Burp Suite’s Repeater feature, all exploitation was a manual process. 



The decision not to use any tools was not to demonstrate understanding; if I am candid, I did not think to use such tools. I was not too aware of the many tools that might’ve been useful, at the time. 



To gain more insight into each topic of the challenge I was working on, I would spin up a container of Damn Vulnerable Web Application (DVWA). I went through each difficulty level and read a few blog entries for each vulnerability to gain a more thorough understanding of why a vulnerability exists and what kind of controls were put in place to defend against them. 



After each flag, I had to continue reading some more. I spent a lot of time reading and a lot of time learning through trial and error. Having zero OffSec experience or CTF experience, DVWA helped a lot. I did not think to create a write-up. Though in hindsight, I wish I had.



By the end of the week, I had spent 33 hours on the CTF challenges, in addition to working part-time in my current position and finishing up final school projects.



That week, I couldn’t sleep. Each day I couldn’t wait to finish my homework or get off work and work on the CTF. I enjoyed reading blog after blog and understanding why a method I was using wasn’t working. Thirty-three hours felt like 10 hours. 



The final piece to my Offsec interview - The Video Call



During the video call with the hiring manager, we went through each challenge I finished. He asked not only how I solved a particular challenge but also, “How else could you have done it? Why were you able to do something? What did that mean about the application? Why were you able to do one thing in a challenge but not in another?” He poked deeper and deeper into my understanding. 



When I couldn’t answer a question he asked, he did not let me drown. He pulled up the challenge, and he taught me. As a result, my excitement about OffSec grew mid-interview!

I honestly wasn’t sure how the interview was going since I knew I lacked experience. I knew I didn’t get all the flags the hiring manager tasked me with. However, I did get some of the more difficult ones. No matter what, I knew I was interested in learning more about OffSec. 



The hiring manager told me that they were initially looking for someone more mid-level in skill, but since we worked near each other all year during my internship, he knew I would work hard, and he could train me. He told me to take a few days to meditate on whether I truly wanted to start this journey into OffSec. He warned that it would be very challenging and it isn’t for everyone. He advised me to think it over for a day or two.




Ultimately, he gave me a shot.


If you are interested in reading more about my journey from college student to offsec, please read my next post of this series, where I discuss my experience being thrown into the deep end from college student to Offensive Security engineer.


Some Key Take-Aways

  • If you want to learn to hack, build something yourself, and hack it. Learning how to assemble your target helps you learn how to break it.

  • When interviewing, try your best to keep your nerves at bay. Don’t beat yourself up if things aren’t going as well as you would hope. Explain what you do know, stay curious about what you don’t, and stay honest.

  • When you can, do more than you are expected to do. I could not capture all of the flags I was tasked to. However, I was told that something that stood out to my manager was that I attempted the difficult challenges even though I was only tasked to attempt the easy ones.
