Friday, March 22, 2024

[rev] intro to reversing - PROLOGUE


Reversing is definitely one of the hardest and most rewarding skillsets one can possess within cybersecurity, along with being an exploit developer. This post serves as a prologue to the many reversing writeups I plan on publishing on this blog. I plan on going over the most basic "Hello World" C program and developing the program further by adding small lines of code little by little to see how changes are made in disassembly.

I'm making these blog posts mainly due to the fact that I've seen inadequacies within my own knowledge base when it comes to reverse engineering. The most fun and effective way to learn anything within security is through CTF. That goes without saying, as not only does it encourage one to get their hands dirty, earning them exposure badges, it allows one to incorporate autodidactic learning, a learning technique that involves taking the time out to do online research and, step by step, gathering technical information relevant to the challenge, then adding it all together to finally get to the flag, which earns one points. It's sort of like a treasure hunt. The flag is the treasure and the clues are the tiny bits and pieces of information Google assists you with (Google's the plug fr lol.). I've been engaged in CTF for a number of years and only now do I realize that the points that one earns do not matter. The real reward/treasure is the actual learning experience. What technical detail were you exposed to before finally getting the flag? How did it challenge your current knowledge base? It's those questions that one needs to ask themselves... especially if you utilize CTF as a means to have fun and also build real world technical skills.

Everybody has a goal in the field (obviously), as with every field out there besides Cybersecurity. And the path towards that goal is never straightforward. However, in the context of reverse engineering programs or software, the path is clear-cut. Of course you can cut corners, depending on your overall IT skills and how "tech savvy" you are. Do so, if you so wish. Eventually, the need for a deep understanding of fundamentals will catch up with you and you'll find yourself going back to the beginning, as is the case for me at the time of writing this.

Why didn't I just start out with fundamentals from the beginning? It's simple. Because when I first started, the basics were way too boring. Luckily, CTF filled that void by integrating gamification and real world technical skills together, allowing me to see my progress and move further. Trial and error, reading writeups and just immersing myself in the challenges over and over again allowed me to at least have fun while learning the topics I loved the most.

As stated earlier, my skillset has now reached a stagnant point and I'm definitely not satisfied with it. CTF challenges are now boring, not because they are not engaging and enticing enough, but because my "amateur" skillset does not suffice any longer. I have to increase my knowledge base within reversing to once again rekindle the joy I once had.

Aside from reverse engineering, there is writing exploit scripts, or being an exploit developer. This blog has actually showcased quite a number of CTF binary exploitation challenge write-ups. I've well documented the process, techniques and patterns of discovering vulnerabilities within these challenges and writing the exploits that will leverage the vulnerabilities found to ultimately get the flag. These challenges pique my interest just as much as reversing does, but I can easily and confidently say that reverse engineering remains a paramount skillset for all exploit developers, professional or CTF player alike. After all, the vulnerabilities are all memory corruption based.

So if I am to eventually achieve this goal, I have to increase my skillset. I have to leave CTF alone for now and hit the books! I'm confident enough to say that I believe in my ability to achieve this goal.

Thanks for reading this far if you have. Just wanted to lay a bit of foundation as well as express my own motivations as to why I'm making these next few blog posts. I'll go over quite a bit: Assembly language, using gdb as a debugger to debug software, understanding stack and heap memory and how it relates to reversing, understanding GUI reversing tools like IDA as well, and many more, so be sure to look out for those. Lots of planning will go into these next few so I'm amped for the challenge. Maybe at the end, I'll do a 'crackme' reversing challenge showcasing what a typical workflow and thought process will look like.