Problem Solving
As I was working through some boxes recently, I think it finally clicked: the whole “try harder” mindset advocated for OffSec. Doing repeat boxes, specifically web app ones where you come across different technologies, setups, stacks, etc., forces you to accept that you cannot know everything. There is no one course that will make you a competent, all-knowing pentester/hacker. It’s impossible to know everything. Now, don’t get me wrong, knowing things is exceptionally helpful, but knowing things to a point of assimilating knowledge is all that’s really needed.
There’s an educational theory that retention rates are significantly higher when you’re able to assimilate new material/content with already known and understood concepts. So if you have a background in Marvel comics, for example, it’ll be very easy for you to understand the powers, limitations, storylining, etc. of a new hero or villain. But, if you have no experience at all with Marvel comics, it will take considerably more time, effort, and repetition in studying in order to create those structures in your brain.
There was one box in particular that dealt with web sockets—Soccer on HtB—that had me accept that I knew nothing about web sockets and, before progressing with the box, I had to take time to learn about web sockets. The learning process was actually quite fun and I discovered different pentesting methodologies for web sockets, how they’re used, and where they’re most often found. It was through this that I came to understand that the point of “trying harder” is not necessarily gritting down and throwing fuzzers at a problem hoping to automate your way out of critical thinking, but being open to assimilating new knowledge with the things you already know: don’t expect to solve a problem with what you know, expect to use what you know to solve a problem.
It brings me back to when I was learning French. I remember doing a conversation exchange in French and I didn’t know the word for boat, which was a word I wanted to use. I didn’t know any synonyms either. A common strategy for new language learners is to just look up the word and use it (most likely forgetting it seconds later). But I took this opportunity to think about the words that I did know. I knew the word for ocean and I also knew the word for car. So I asked my conversation partner in French, “I don’t know the word, what would you call something like a car on the water?” To which they responded, “bateau!”
Pentesting is very similar. It’s so easy to get overwhelmed by the sheer number of technologies, programming languages, CVEs, methodologies, etc. in the same way one could get overwhelmed when learning a new language with tens of thousands of words. The thought of “there’s no way I’ll ever learn all of those to become fluent” so easily rises to the surface. But we can recognize that, once we gain a base level of fluency, we can use what we know to solve the problem. This takes time, patience, and curiosity, but that’s just part of the process. Try harder.