Oh.. hello

If you’re looking at this you’ve probably been linked to it via my resume or some other professional network. Thanks for swinging by. Loosen up your tie and grab a drink. This is the official long form of the resume, filling in all the gaps. I hope after reading this I sound like a pretty cool guy and maybe what you’re looking for. If you’re looking to hear about the professional experience click here.

Who I am

Okay so, by now you’ve figured out my name is Zack and I’m 30 and I do Cyber Security things. Here is the shortest version of the story.

Highschool

Mesmerized by media’s depiction of ‘hackers’ from movies like The Matrix, Hackers, 007 Goldeneye (Boris’ pen twirl is a must have skill for any hacker), and loads of other movies, hacking seemed to be some sort of high caliber, techno genius level magic trick show and I couldn’t get enough of it. But of course that meant massive intimidation. These people were super heroes in their own way. The best magic trick I could ever do was the coin behind the ear thing.

It wasn’t until a keyboarding class in 9th grade that I began dabbling. See I had mastered typing way before this class, making every 30 minute assignment about 10 minutes long and it was a 45 minute class. So like any other bored chap in 2004, all I wanted to do was watch cartoons to pass the time. Specifically the beautiful internet treasure that is known as Newgrounds.com. Of course a website with bloody and sometimes adult themed games was 100% blocked. The Barracuda filter mocking me each time I tried. So I did some Googling and found this cheeky little site called Hackthissite.org. HackThisSite just happened to have a post on barracuda filters and I quickly learned that it blocked based off of some weird thing called DNS and if I didn’t resolve the names, it wouldn’t get blocked. I went home and had my first round with the command prompt. Typing in that black box was pure magic despite the only thing I typed was a simple ping newgrounds.com. I was suddenly Neo and the world was just a command line execution away. I cast this new super secret hacker spell and it conquered out a set of numbers. The next day at school I did a little http://51.79.77.158/ in the browser. This was my very first “We’re in” moment. In my head I was a master hacker.

2004 Newgrounds screenshot

I was watching as much Salad Fingers and Weebl and Bob a 14 year old could fit in during a 45 minute class. But it was the other site, the sneaky one for hackers that really started to consume my mind after this. Geez…there is an actual site called Hack this site. Insane. This site became my only past time. I started posting on the forums daily. I quickly was yelled at by strangers on the internet in posts telling me

“… freaking script kiddie. learn html, javascript, how computers work before you come in and ask how to hack something…”

Embarrassing but… I’m glad they responded that way. Because that’s exactly what I did next. For the next 6 years or so. Learning Javascript injection, SQL, HTML, how cookies worked, and how to watch non SSL http traffic. This is where I started my deep dive into CTFs and challenges.

College

You’d think that with my interest being in Cyber Security I’d try to go to school for it, but this is 2007/2008 and back then Cyber Security was different. From what the advisors said, my best bet was Cisco CCNA and that I’d be better off considering engineering or becoming a programmer/developer. It seemed like the skill set and excitement for breaking things would only be useful if I did something legally questionable and hope that the authorities or company find me useful… and I wasn’t really interested in taking that kind of risk. So I went to school for engineering and the fun cyber stuff went on the back burner and became a really niche replacement for video games.

Hacking as A Hobby

For the next few years after deciding that Cyber Security wouldn’t be a field I could get into. I continued to test my skills in any way I could that was…ahem…legal. I found sites like Vulnhub.com, Hackthebox.eu, ctflearn.com, and spent loads of time watching Hak5 and Metasploit Minute. I even set up a small lab using a outdated gaming computer I had built during college. If I ran into a machine with a vulnerability I had never seen before, I dug into it and studied it. My goal at this point was just to get proficient enough to be good at CTFs, especially those I had heard about in DefCon YouTube videos.

The Turnaround

Roughly in 2015, a friend told me that the local college had a Cyber Security program backed by the NSA now and it was all over the news that talent in the field was hard to come by and that things had changed. So at 26 I went back to college. I’m a horrible classroom student, and I somehow convinced the Director that I could swing it. I expected to be the underdog in all the classes, assuming my self taught level of knowledge would barely be able to get me past the first semester. Come to find out, I was way ahead of the curve. This was the boost that I needed to really start the professional part of my journey.

The Professor

I had a Windows Server class my first semester. My advisor told me that he felt I could jump a few classes based off of what the professors were saying and his experience with me in the classroom. So I started the class. I had broken into a few Active Directory boxes before and had studied group policy so I was fairly experienced at the topic. About 4 weeks in the server class professor asked me if I was interested in a networking internship. I told him I had bills and I couldn’t be taking on unpaid work. “Zack, listen to me when I say this”

I’m moving and quiting my other job as IT Director and you know more than any CCNA certified applicant I’ve talked to”

Six months later I was hired as the IT Director, and the only IT employee at a private military school with roughly 300 users, 12 managed layer 3 switches, 35 access points, Barracuda web filters, web shaping hardware, 2 extremely outdated Cisco ASA, and a weird combination of Windows Server and Novell. Needless to say my two years spent as IT Director was a learning experience, but just futher fed my desire to keep going. The days the network started acting funny or would drop were my favorite days. Chasing down routing and starring at packets was the most exciting part of my job the few times it happened.

Teaching High School Intro to Cyber Security

My first year I was asked to teach Introduction to Cyber Security. My class was about 8 kids ranging from 13 to 18. I used a combination of a curriculum I found suggested by VirginiaCyberRange.org and other resources I found useful. The real challenge wasn’t teaching a room full of teenagers. But stepping back into the fundamentals and relearning from the beginning. Through all the years I had been working on CTFs, I had learned a sense of intuition for the skills, but never realized things like a pentesting methodology existed. Teaching a topic sometimes forces you to fill in the gaps. I also realized that the curriculum was extremely dry for a room of teens hoping for that same bit of magic tricks I had experienced at their age. After about 4 weeks of following the outlined curriculum we switched over to working on Vulnhub machines, having in depth discussions on topics like Stuxnet, Andrew Auernheimer’s AT&T iPad hack of 2011, WannaCry, and watched Red Team engagements. The classroom soon became the highlight of my day. Fifteen years after I fell in love with Cyber Security I’m surrounded by teenagers experiencing the same magic that got me started. It was during this time that I decided to schedule out my next couple of years with the goal of being a pentester by 2021.

Chasing the OSCP

So here we are. This is now. I won’t write a lot about this here. I will most likely blog the whole process from start to finish on a separate post. Here are some of the key notes on how I’ve gone about getting the OSCP. Specifically the preparation before purchasing the labs.

  • Find a Udemy class designed for OSCP. I have a few I really liked.
  • Find a professional that will be willing to be your mentor. Find more than one. Talk to as many people as you can about their process and to make assessment on your skill set. Having someone watch you work is absolutely the best way to learn how to get better.
  • Do any and every Easy or Medium HacktheBox.eu box you can. also the question of writeups come up a lot. Always have a writeup ready for reference if you get stuck, but don’t use it as step by step instructions if you can help it
  • Google how to enumerate each port you find. Make notes.
  • Write what you’ve done. Take the time to do this. Write the most basic version of what your process was like. A few weeks or months later, go back to edit the notes, forcing you to follow them and re-work the box.
  • Publish things and have a professional critique your process.