Tell me a bit more about yourself? Current occupation? Aspirations?
I’ve been playing with computers for a while now, until I discovered how fun it was to break them. I’ve been working as a penetration tester / security engineer for about 6 years now, and I started learning security as most people in our field did before the boom of the cybersecurity world: by self-learning.
I remember that before platforms like PentesterLab appeared, people had to look for a vulnerable target out on the internet and try whatever they wanted to try on it. Also, most of the time, you would learn that whatever you tried worked, but some of the concepts around the vulnerability being exploited weren’t learned properly. PentesterLab addresses this perfectly: it allows you to exploit, understand and learn about the technologies and the vulnerabilities that may be affecting them.
How did you come across PentesterLab PRO?
I tried PentesterLab personally, and I found it was a great way of properly understanding why the vulnerabilities are introduced in the code and/or the systems. This is why I’ve been recommending everyone I know to give it a try, and if your company has technical people who can take advantage of this, why not get it?
What have been your favourite exercises so far?
The Cipher Block Chaining one. My weakest point has always been cryptography, and this exercise, the explanation and the exploitation allowed me to understand what CBC misuse may imply in a real system.
Do you do bug bounties? And if yes, did PentesterLab help you?
Yeah, I’ve been spending quite some time on bug bounties, with a little bit of luck in programmes like Uber or GitHub. I plan to get ideas from PentesterLab that will allow me to try some more creative ways of exploiting systems and applications that I saw in the past and haven’t been able to exploit.
What exercises/areas do you think PentesterLab should cover in the future?
There are other services that give you OSCP-like environments, so I would say some other material, such as good coding practices, hardening of well-known frameworks, etc.: something more focused on developers or people not completely dedicated to security.
Where can people follow your progress?
I have a Twitter account at @BBerastegui and maybe on LinkedIn too: https://www.linkedin.com/in/bberastegui/