Humans of HTB
Marshall Livingston, aka @tr33, joined Hack The Box on June 7th, 2021 as a Sales Engineer. He is based out of Colorado, and his day-to-day includes helping our business team enable corporate cybersecurity teams to join HTB for Business in order to advance their cybersecurity skills and be attack-ready.
Want to hear from Marshall about how he found his next career step? How he went from a Hack The Box community member to a Hack The Box employee (aka HTBer)? What inspires him every day? Read along!
Oh, this brings me back to 2017 when I was running my hardware repair business. At the time I was trying to fix one of the Python scripts I had written to help automate some workflow I performed on Macs. While I was googling how to fix what I had broken, a few links down I saw a website called Hack The Box. Curiously, of course, I clicked and was just astonished to realize I had just stumbled upon a hacking community! Realizing then, that to join I had to hack my way into the site to become a member, I was hooked.
Some of the things that I loved about HTB in the good ol’ early days were the content, the community, and the prestige that came along with the rankings. In the early days, the content was very challenging in a different way than it is now as there was no way to prepare for this stuff, you had to google everything and learn it without any guidance – today we solve that problem with HTB Academy. But prior to Academy, there was no hand holding or guides to anything so it really forced you to learn your stuff and learn it well, and if you did need help you had to reach out to the community, which was my second most favorite part of the early days. The people I met back then I am still friends with now, good friends, and we still engage with HTB training together. Some of us have progressed our careers together, for example, becoming Synack Red Teamers together. Bringing people together was something HTB did by nature, so many subset communities spawned from the core of HTB — KryptSec is one that I started, all of us met on HTB and we still to this day use HTB for training and getting people prepared to break into the industry.
When I think of my favorite box, I go back to the time that I spent 10 hours straight on the box called FriendZone with some friends. Our goal was to be the first group to root the machine — we called that getting first blood. We didn’t get first blood sadly, but we did get in the top ten! More importantly, we learned a lot along the way. During my time spent on that machine I learned so much just due to the sheer design of it. FriendZone offers a great recon stage, DNS zone transfers, OWASP Top 10 vulnerabilities, and more; there was quite a bit to do and lots of pivoting from service to service.
Two of the most valuable takeaways I had from that machine were the importance of mind mapping the environment and how virtual host routing really worked. I had set up Apache and nginx web servers before, but never thought about it from an attacker's perspective. Thinking about how to exploit something I would have set up shined an entirely new light on what I thought I was somewhat familiar with. This is something I love talking about with clients, especially with developers and DevSecOps, because this is what I find so incredibly valuable within the platform. It’s what makes it so useful for people outside of penetration testing and red teaming. Understanding virtual host routing led to enumerating DNS more and performing a zone transfer, dumping out a few more subdomains to look into. Much more enumeration is required before finding a foothold on the machine, pivoting around multiple services, jumping through different layers and subdomains; it’s just such a good box with so much to learn. This machine is still available and I highly recommend checking it out if you haven’t already.
You don’t join this profession to escape the difficulties of life, you join this industry to tackle them head on and wrestle them to the ground, wake up and do it all over again. So a resounding yes from me, there were plenty of challenges I faced during the early days both in life and in my career. Making the transition from the restaurant industry to IT, and then to cybersecurity, sure came with more than a fair share of challenges. The barrier to entry on most cybersecurity jobs is still very high and was even higher back in 2016-2017. "The feeling like you are swimming aimlessly in this gigantic cybersecurity space was a feeling I felt frequently and became intimately familiar with it." The internal compass that kept me going the right direction for me was focusing on doing what I loved, and at that time it was system administration and cybersecurity, and if something didn’t align with those goals, I didn’t do it.
During 2016-2017 I was employed as a Hardware Technician through GeekSquad and also very invested in growing my hardware repair business. At that point I had brought on a few employees, and towards the beginning of 2018 I opened up a second location in Florida. My initial taste of cybersecurity through HTB is what really shaped my future plans to move into the cybersecurity sector. With my newbie hacker hat firmly on, I dove into the rabbit hole of hacking with Hack The Box and around 2018 branched out into web development, networking, and Linux system administration. I knew getting more familiar with coding would help me greatly in cybersecurity, and my lack of understanding regarding networking was painfully obvious. Opportunities were slim as entry level positions were not so entry. So a few certifications later, I restructured my company to tackle small business network installations and added additional services such as providing cloud storage to my clients, offering hardware repair services and acting as a small MSP.
As the years flew by, my cybersecurity skills rapidly increased thanks to spending countless hours on Hack The Box. At this point I had achieved the Elite Hacker rank and also had gone through a third and final restructure of my business model, adding in cybersecurity consultation as an additional service. I had performed penetration tests with multiple client infrastructures, was teaching cybersecurity and programming at Colorado State University, and running my business full time. I was still using HTB daily for personal growth as well as using it to provide students the hands-on training needed to be successful in the industry. During this time, HTB had come out with a really cool feature which allowed me to see different job postings that were available to HTB users based on their ranking. I had gone on this quite a bit and loved how companies were seeing the practical use case for having this type of environment and providing opportunities for employment. I frequently would encourage students to go and visit this job board. In May of 2021 I saw a job listing for Hack The Box as a Sales Engineer. Like my first time seeing that Hack The Box URL back in 2017, I curiously clicked on it, and started reading through the requirements and expectations. To work for the company that helped kick-start my entire cybersecurity career was something I knew I needed to go for. To work with the team that had shaped my life in so many unique and humbling ways was an opportunity I couldn’t pass up.
My day to day life at work is filled with unique challenges and rewarding experiences. Firstly, I know everyone says this, but I truly do get to work with an amazing team. Supporting the Account Executives as the technical point of contact for clients is the core responsibility of this role. In order to do that successfully, I have to spend much of my time going through the HTB content and becoming intimately familiar with all the services we offer; this is critical as it allows me to speak with Red Teamers, Pen-Testers, SOCs and Incident Responders about how to best utilize the content on Hack The Box for their specific training needs. Being able to take deep dives into the content with different pen-testing teams is such a fun and rewarding experience, we usually all learn something new on these calls as they are so collaborative – the value of hands-on realistic training just becomes evermore increasingly clear when we dive into a Pro Lab with a penetration testing team, or a forensic challenge with a SOC. I would have to say the best part of my job is beta testing new content. It allows me to stay fresh with all the most recent vulnerabilities that hit our industry and allows me to continue what I really love, and that is the technical side of things.
I think I would tell myself to stay true to what I know in my heart is the right way to go, or something along those lines. People love to provide opinions on what you should do, what you should focus on, what you should do to get to where you want to be, etc. And some of it can be great, and very helpful, but most of it isn’t. Some of the wisest advice I was given when living abroad in Western Samoa was from a local named Ben Lolani. He told me, “Marshall, you are the hero of your own adventure story; don’t let someone else write your story.” That has been etched in my heart ever since and definitely put me on the path I am on today. In short, what I would tell myself would be, “Stay the course.”
This is a tough question… as it really depends on the type of penetration test you are performing, there are so many things that come to mind! I’ve been conducting penetration tests for a few years now and none of them have been the same. The generic tips I try to remind myself of are:
1. Always have a plan — it is never a good idea to just go into a job with your arsenal of hacking tools, it's just unprepared practice — have a plan.
2. Risk Mitigation mentality — It is one skill to identify and exploit, it is another to discuss findings with the appropriate audiences during an after action debrief – assess the scope.
3. Be vigilant — stay up to date with the latest CVEs and findings, a great way to stay sharp is to have top notch training — invest in good training.
So, did you find Marshall’s story inspiring? If yes, we have good news for you. Hack The Box is constantly growing and looking for talent worldwide. You can always check out our job openings here: https://www.hackthebox.com/join-us
But that’s not all! As Marshall mentioned, our platform is not only a way to continuously practice and level up your hacking skills, but also a way to actually get hired and land your dream job in cybersecurity. Some of the best companies worldwide like Synack, Context, Daimler, Deloitte, NTT, AWS are hiring via Hack The Box.
If you are interested in cybersecurity job opportunities, all you have to do is:
Go to the platform and simply opt in by making your profile “Available for Hire”.
Next? Check out our information security job board, you never know which opportunity gets uploaded next!
Not a member yet? Check this out: https://www.hackthebox.com/hacker/infosec-careers
Already a member? Opt-in here: https://app.hackthebox.com/careers/jobs/board