war games / challenges

[Kiuhnm]

I read somewhere that war games and challenges are a good way to get some practice and prepare for CTFs.
But if I can't solve a challenge after trying hard and studying the relevant (or what I think is relevant) material, may I ask for some hints here? Or is it frowned upon?

[kenjoe41]

It is not an easy ride if you are riding along through the gates of Hades alone. When you get stuck, it is no shame getting any hints but not direct ones. You can for example get to know that it is an SQLi but the detail of how to exploit it re better left for your learning pleasure.

[lady__godiva]

I read somewhere that war games and challenges are a good way to get some practice and prepare for CTFs.
But if I can't solve a challenge after trying hard and studying the relevant (or what I think is relevant) material, may I ask for some hints here? Or is it frowned upon?

Most of the time you should just persevere. If you feel like you covered everything you needed about that specific topic than keep trying. Otherwise you should revise the material/technique. Getting a hint will help you completing the challenge but i wouldn't recommend that as in a real world scenario (eg. pentesting) you might not have any clue.

[Kiuhnm]

Most of the time you should just persevere. If you feel like you covered everything you needed about that specific topic than keep trying. Otherwise you should revise the material/technique. Getting a hint will help you completing the challenge but i wouldn't recommend that as in a real world scenario (eg. pentesting) you might not have any clue.

In pentesting you don't have to solve challenges. If you find a vulnerability then the app is vulnerable; if you don't find any, then the app is secure. In both cases, you did your job.
If someone hack into your clients' systems you can always say that they were hacked by highly skilled black hat hackers!

Seriously, I'll just need some help here and there from time to time...

[Kiuhnm]

It is not an easy ride if you are riding along through the gates of Hades alone. When you get stuck, it is no shame getting any hints but not direct ones. You can for example get to know that it is an SQLi but the detail of how to exploit it re better left for your learning pleasure.

Sure, my goal is to learn by doing, not just complete challenges. As a hint I'd also accept a link to a paper or a tutorial about a particular technique...

[lady__godiva]

In pentesting you don't have to solve challenges. If you find a vulnerability then the app is vulnerable; if you don't find any, then the app is secure. In both cases, you did your job.
If someone hack into your clients' systems you can always say that they were hacked by highly skilled black hat hackers!

Seriously, I'll just need some help here and there from time to time...

That is considered a bad attitude in pentesting. A vulnerability might not always be evident. The ability to spot these vulnerabilities makes the difference. It's not all about using automated tools, I think you know that. Anyway, there's nothing bad in asking for help.

[Kiuhnm]

That is considered a bad attitude in pentesting. A vulnerability might not always be evident. The ability to spot these vulnerabilities makes the difference. It's not all about using automated tools, I think you know that.

Yes, but the same way there is no complex piece of software without bugs, there is no app without vulnerabilities. Pentesters do miss vulnerabilities.
My point is that you should try to learn while you can. If you get stuck (after trying hard), you should ask someone to give you a hand. Learning by example is also important. It's true that on a pentest you're on your own, but does that mean that you should also learn on your own?

[Mr4ngel]

In pentesting you don't have to solve challenges. If you find a vulnerability then the app is vulnerable; if you don't find any, then the app is secure. In both cases, you did your job.
If someone hack into your clients' systems you can always say that they were hacked by highly skilled black hat hackers!

Seriously, I'll just need some help here and there from time to time...

What's your logic(if any)? What backs this up? You can't be serious. Pentesting is all about challenges.

[Kiuhnm]

A challenge is a problem with at least one solution. Either you solve the challenge or you don't.

In a pentesting things are different because you have no way of evaluating your job.
The only way would be to ask for a second opinion from other experts.

If you can't break the authentication in a web app does it mean that it's secure or that you weren't good enough? You'll never know for sure.
So the challenges in pentesting are ill-defined.

[d!amond]

I would go into the irc for these kinds of questions

[Xires]

In pentesting you don't have to solve challenges. If you find a vulnerability then the app is vulnerable; if you don't find any, then the app is secure. In both cases, you did your job.
If someone hack into your clients' systems you can always say that they were hacked by highly skilled black hat hackers!

Seriously, I'll just need some help here and there from time to time...

Just because you didn't find a vulnerability doesn't mean it doesn't exist.  Furthermore, it shouldn't be enough that you report a vulnerability but rather you should demonstrate knowledge of that vulnerability and the potential methods for exploiting it.  Many people try to disregard vulnerabilities if they feel it's unlikely someone will reach it, an unfortunate decision for which many companies have suffered.

If a client is hacked using something you didn't report as vulnerable or worse, something that you reported as vulnerable and then were paid to fix, the excuse that the attackers were 'highly skilled blackhat hackers' does not generally keep the client.  It matters very little to a client company whether they were hacked by someone highly skilled or not; their data has been exposed and their network is no longer trustworthy.  In addition, their faith in your pentesting company is severely diminished if not altogether eliminated.

[Kiuhnm]

Just because you didn't find a vulnerability doesn't mean it doesn't exist.

You tell me. That's the all point of my argument.

Furthermore, it shouldn't be enough that you report a vulnerability but rather you should demonstrate knowledge of that vulnerability and the potential methods for exploiting it.  Many people try to disregard vulnerabilities if they feel it's unlikely someone will reach it, an unfortunate decision for which many companies have suffered.

If a client is hacked using something you didn't report as vulnerable or worse, something that you reported as vulnerable and then were paid to fix, the excuse that the attackers were 'highly skilled blackhat hackers' does not generally keep the client.  It matters very little to a client company whether they were hacked by someone highly skilled or not; their data has been exposed and their network is no longer trustworthy.  In addition, their faith in your pentesting company is severely diminished if not altogether eliminated.

What if you don't find a vulnerability? That was the all point of my argument. Is my English so bad? [yes, it is!]
(http://tech.slashdot.org/story/14/01/08/1421235/23-year-old-x11-server-security-vulnerability-discovered)

edit:
I wrote "If you find a vulnerability then the app is vulnerable; if you don't find any, then the app is secure".
What I meant is "If you find a vulnerability then [you tell your client that] the app is vulnerable; if you don't find any, then [you tell your client that] the app is secure"

I also wrote other posts that should clarify what I meant.
Basically, finding errors and vulnerabilities is an undecidable problem, unfortunately, so no human being or company should be able to find them all (with some reasonable assumptions).