3 min read

Categories

AMA with Adithyan AK


OSCP Holder 🔏 | Red Team Member @SynackRedTeam ✨ | Incoming Student @CMU 🎓 | CEH (Master) 📜 | Offensive Security Researcher 👦


  • Q1) What are the certifications you think one should have in resume to have good chances of getting selected in interviews(for pentester/security analyst).

  • Q2) Is taking eJPT helps for someone who already have a good knowledge about owasp top10 and hunts regularly?

    1. No certificate will help you get selected in an interview. It may help you get you a callback from HR. No one’s gonna give you a job solely because you’ve a certificate. You still have to attend all rounds. But to impress & get a callback, OSCP, OSWE, OSCE, CRTP, CRTE helps.

    2. I would suggest OSWE in that case.


  • Q1) How to join SynackRedTeam (eg. experience, certs, bugcrowd or h1 rank, etc)?

  • Q2) How to deal with inconsistencies?

  • Q3) How did you started and where did you learn?

    1. SynackRedTeam takes multiple factors into consideration. Not just a certification or rank. No ones aware of their exact criteria but you should be able to prove that you are a worthy add to’em. They also take exploits, blogs you’ve authored into the account. You can be expert in one or intermediate in all.

    2. I deal by taking a huge break. It might sound irony but it works. Inconsistencies will wreck the flow. So, instead of taking small breaks in between, take a week(or 2) of rest and work for a month straight. Though I don’t work in breaks, I read Infosec articles and watch videos.

    3. I was inspired by Hollywood movies and started learning in 2013-14. Back then, there were only blogs in google and FB groups. Had to browse and read every articles. YouTube is no good back then and even if it has been, I didn’t have that much internet. 1GB 3G data/month.



  • If you get your initial shell on a machine then what will you try to do next?

    • First, I’ll visit the misconfig that let me in & check whether it’s the intended way. Then check my privleges, what groups I’m a part of, do I have sudo permissions etc. Then I’ll look for interesting files & folders, SUID binaries, network information & credentials. Finally, enumeration scripts.


  • What’s your manual approach to find Server side bugs for features that aren’t obvious (Eg. SSRF on Webhooks is kinda an obvious test case)? Intuition? Spray & Pray? Experience? Luck?

    • It’s a combination of all I would say. But I primarily focus on Intuition. And intuition kicks in at appropriate time when you have enough experience. With appropriate recon and enough knowledge about the target, I would follow my intuition.


  • How much valuable is OSCP for indian jobs related to cyber security?

    • It has it’s reputation with big 4 and a lot of other companies as well. It’s one of the preferred certification for Security analyst and SE-L1 position unless your job responsibilities include some kinda compliance stuffs. However, it’s just a entry level certificate into offsec.


  • How to approach authentication bugs?

    • Depends on the type of authentication the target is using. If OAuth is used, I’ll test for hijacking auth codes and access tokens. We could try rate limiting attacks accompanied with race condition and IP rotation techniques.


  • Does anyone guided you or whether you learned hacking by your own in the beginning?

    • No one guided me because FB was a toxic place earlier, where so called 1337s will make fun of noobs. But everyone will boast their achievements. All I had to do was extract keyword from their braggings and search in google untill I acquire that skill they were bragging about.


  • What advice you would give to yourself when you just started learning cypersecurity?

    • Cybersecurity is not just about product security. It’s much more than that. I would have adviced myself to learn more about securing infrastructures as I was focused only on Appsec until 2 years back.


  • Which programming language you would recommend a beginner to learn?

    • Python is absolutely the beginner friendly language to learn. To get started with it, I recommend learning Object-Oriented Programming (OOP) and Socket programming in python.


  • If a beginner complete all the labs in portswigger lab then what should you suggest next?

    • Pentester lab’s web exercises are awesome things to checkout next.


The original twitter AMA can be found here :- https://twitter.com/sillydadddy/status/1397831918138232832