Penetration Test vs the CTF

The purpose of this blog post is to bridge a gap that I have noticed among those coming into cybersecurity who might want to become pentesters but focus their time only on services such as Hack The Box and TryHackMe.

On Hack The Box and TryHackMe, users complete rooms and work through CTFs (Capture the Flag challenges). A CTF presents a box with a vulnerability that needs to be exploited in order to compromise the box as a user and obtain user.txt. From there, the goal is to escalate privileges to the root/admin user and then get to the root.txt file.

What CTFs/Capture the Flags allow users to do is practice and learn about:

  • Enumerating services
  • Finding vulnerabilities
  • Writing code to exploit a vulnerability
  • Operating systems
  • Command line

These are fantastic services that I would recommend to anyone wanting to learn about becoming a penetration tester/red teamer/hacker.

The truth, though, is that CTFs are not real world. Most CTFs can be considered gamified, which means they are set up to be more of a puzzle to explore and exploit. This is not normally something you would find in the real world of cybersecurity.

The issue I have seen many times is that this type of practice can send someone down a path that might give the impression that it is how professional pentests are performed. It’s easy to get caught up in the mindset that service X, version Y has an RCE (Remote Code Execution) vulnerability, and that checking for it, downloading source code, and running it against the target will compromise the box.

Let’s say you are on a job interview and it’s simulating an external pentest for client X. You are given a couple of IP addresses. How would you start? Often I hear “I would start to port scan the IP addresses with Nmap.”

What is the issue with this? It’s not exactly wrong, but in the real world, the direction I might expect an analyst to take is:

  • Confirm the ownership of the IP addresses. Verify that the IP addresses belong to the client.
  • Learn what is allowed in scope.
  • Perform recon and learn about the client. Gather intel such as emails, DNS, files, etc.
  • Go through social media, checking LinkedIn, Twitter, and Facebook to learn about the company.
  • Find leaked credentials using Have I Been Pwned and DeHashed.
  • Try to find the company’s GitHub and gather source code with possible credentials or API keys.

This is only part of the job as a whole, but the idea is that we aren’t just jumping to port scanning as the first step. We have steps before we can even start actively enumerating. This is one of the ways a CTF is different from an actual pentest.

Going back to the port scan, let’s say the scan turns up a VPN Login and a Web Mail Service. How would you continue? What I normally hear is the typical file/directory fuzzing, enumerating the version, and trying an exploit. Again, this is fine because the services might have a vulnerability to exploit.

This time, though, the client patches software monthly and doesn’t have a vulnerable VPN or Web Mail Service.

Performing recon, we can gather a list of email addresses and usernames relating to the target. We could perform an attack called Password Spraying. This means taking the list of emails/users and trying a single password against each of them with the intent to gather credentials.

Poor password policies are a vulnerability that I have seen quite often in real world engagements.

Some examples of poor passwords are:

  • Winter2023 (season year)
  • Password123!
  • Password1!
  • CompanyName2015! (the company and year founded)

These passwords meet a complexity requirement with length, capital letter, number, and a symbol. However, they still pose a threat because they are so simple and predictable.
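The gap between "complex" and "hard to guess" can be checked when a password is set. The following is an added example, not code from the original post: it runs the four passwords above through an assumed complexity rule (8+ characters, three of four character classes) and a predictability check. The function names, the rule, and the contrast passphrase are assumptions made for illustration.

```python
import re

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
CLASSES = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")

def meets_complexity(pw):
    """Assumed rule: at least 8 characters drawn from 3 of 4 character classes."""
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in CLASSES) >= 3

def predictable_reason(pw, org_words=()):
    """Return why a password is easy to guess, or None if no pattern matches."""
    # Shape shared by the post's examples: word, then digits, then symbols.
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})([^A-Za-z0-9]{0,2})", pw)
    if not m:
        return None
    base, digits = m.group(1).lower(), m.group(2)
    year = re.fullmatch(r"(19|20)\d{2}", digits) is not None
    if base in SEASONS and year:
        return "season + year"
    if base in {w.lower() for w in org_words}:
        return "organisation name + year" if year else "organisation name"
    if base == "password":
        return "common base word"
    return None

def audit(passwords, org_words=()):
    """Map each password to (passes complexity rule, predictability reason)."""
    return {pw: (meets_complexity(pw), predictable_reason(pw, org_words))
            for pw in passwords}

# The four examples from the post, plus one constructed passphrase for contrast.
CANDIDATES = ["Winter2023", "Password123!", "Password1!",
              "CompanyName2015!", "cobalt-Heron-91-drift"]

if __name__ == "__main__":
    for pw, (ok, reason) in audit(CANDIDATES, org_words=["CompanyName"]).items():
        print(f"{pw:24} complexity={ok!s:5} predictable={reason}")
```

Every one of the post's examples passes the complexity rule and is still flagged, which is why a banned-pattern check belongs alongside the complexity rule rather than behind it.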

Now let’s say we do some password spraying with our user list and Password1! on the VPN to get a hit. No MFA is needed, so we are free to download the VPN configuration file and connect to our client’s network.
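Seen from the client's side, the spray described above leaves a recognisable shape in VPN authentication logs: one source, many usernames, a single attempt each, and then a success. The following detection sketch is an added example, not part of the original post; the log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN auth log (assumed format): ISO timestamp, source IP, user, result
SAMPLE_LOG = """\
2023-01-10T09:00:01 203.0.113.50 alice FAIL
2023-01-10T09:00:03 203.0.113.50 bob FAIL
2023-01-10T09:00:05 203.0.113.50 carol FAIL
2023-01-10T09:00:07 203.0.113.50 dave FAIL
2023-01-10T09:00:09 203.0.113.50 erin SUCCESS
2023-01-10T09:05:00 198.51.100.7 frank FAIL
2023-01-10T09:05:20 198.51.100.7 frank FAIL
2023-01-10T09:05:45 198.51.100.7 frank SUCCESS
"""

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Flag sources that try many distinct usernames inside one time window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events[src].append((datetime.fromisoformat(ts), user, result))

    alerts = []
    for src, evs in sorted(events.items()):
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            # All attempts from this source within `window` of attempt i.
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            users = {u for _, u, _ in burst}
            if len(users) >= min_users:
                alerts.append({
                    "source": src,
                    "users_tried": len(users),
                    # Accounts that authenticated during the burst need a reset.
                    "succeeded": sorted(u for _, u, r in burst if r == "SUCCESS"),
                })
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(alert)
```

The second source, a single user mistyping a password twice before logging in, stays below the distinct-user threshold and raises no alert.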

What’s next? If this was a CTF you might begin enumerating the internal network. However, since this is a real world example, you would contact your client to inform them that you have compromised their internal network.

What I’m hoping to show and express with this post is that the path of a CTF is different from how a pentest is actually executed. Pentests are designed to find as many vulnerabilities as possible. The job of a pentester is ultimately to bring these weaknesses to the client, not to gain flags in a game.

Personally, I use CTFs like Hack The Box and TryHackMe to keep my skills sharp. I encourage anyone who is interested in becoming a penetration tester to watch this YouTube video by The Cyber Mentor on a Mock Job Interview. It’s about an hour long, but it covers a lot of important information that may help out those looking to apply to become a penetration tester.

If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!