Turning CTF skills into Pentesting skills
Track 101 – 10:30am
Isaac Potts
Penetration Tester at KPMG UK
www.linkedin.com/in/isaac-potts
Bio
I am Isaac, a penetration tester at KPMG! I am a graduate of Abertay University, and I love doing CTFs. I first got into hacking from learning on TryHackMe (and breaking my school laptop), and I went on to study ethical hacking, where I made and did a lot of CTFs, sometimes (mostly) instead of university work. I have since made CTFs for a conference, had a job making an ethical hacking course, and spent way too much of my free time actually doing CTFs!
Pronouns
He / Him
Talk Abstract
CTFs are a very common tool to teach pentesting. But where are the blind spots when switching between CTFs and pentesting? I aim to answer this, and to help improve the skills that don't cross over, by looking at precisely where the skills overlap, from the perspective of someone who has spent a whole lot of their life doing CTFs.
I’ll discuss the mindset that comes with CTFs, which reward speed, fuzzing, and curiosity, and how to translate that into pentests, which value understanding what you are testing, curiosity, and the context around vulnerabilities. I’ll also share strategies and ways to set goals that have helped me improve as a pentester after doing CTFs!
Alongside this, I’ll talk about different attack paths (with some real-world examples!), how they fit into CTFs, and how to improve on the skills that CTFs do not teach, like remediation, and fixing my personal downfall: how to stop looking at walkthroughs.
Then I’ll move into post-exploitation: turning a finding into a solid proof of concept, and how to test systems at the point where you would finish in a CTF.
I’ll then talk about tunnel vision, and finally how to become a better pentester, outside of just doing CTFs!
Thanks for reading, and hope to see you there!
Intended Audience
The intended audience is beginners, so students or general CTF enthusiasts.
How NSFW is this talk?
(How spicy is your talk in chillies?)
Very chill.
