The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. In an interview format, we share their experiences, background, and insights into the world of an accomplished ethical hacker.
This month, we feature Philippe Vogler’s journey, which began in the intriguing world of Linux, along with his early hacking endeavors and the evolution of his skills and expertise in cybersecurity.
Tell us a bit about yourself and how you started pentesting?
A long time ago when I was around twelve years old, a friend of mine installed the first version of Ubuntu and introduced me to the world of Linux. From there my hacking journey started.
We discovered French hacking websites (sadly, they no longer exist), and then we started convincing people on Windows MSN Messenger to run some funny EXEs on their machines.
Those websites were quite technical and difficult to grasp considering the little amount of knowledge we had at that time, but after a few years, we eventually reached the point where we understood what Windows authentication was, and how to retrieve credentials on machines.
So we went ahead and hacked our high school (for fun) with a couple of friends. After obtaining the local administrator password, which was obviously reused across all the machines, we started shutting down people's computers while they were working, just to bother them and observe their reaction.
For example, teachers' computers, or unfriendly schoolmates'. But that was it, we didn't wreak havoc and nobody ever figured out our little game. It was just for the sake of our curiosity, the fun and thrill of it.
What educational background and certifications prepared you for pentesting?
I went to a French engineering school to study computer science and deepen my expertise in cybersecurity, thinking a diploma would help me secure a job.
Since certifications seemed important as well, I completed OSCP and OSCE while working as a pentester.
Certifications demonstrate that you successfully followed a course and passed an exam, but they don't always show the range of knowledge, analytical skills, and innovation. They serve as proof of knowledge; however, a combination of a certain mindset, curiosity, and persistence is what prepares someone for a career in pentesting.
What are your go-to tools and techniques when pentesting?
For web applications and APIs, like many testers, I rely on Burp Suite and several extensions. However, if I had to name one of my favorite tools, it would be ffuf, although using the right wordlists is essential, whether built over time or custom generated by tailoring them to a specific application or network.
Over the years, I developed custom scripts and tools to automate the discovery of inconsistencies or patterns to focus on manual testing and exploitation afterwards.
Understanding what tools do is mandatory in order not to simply shoot blindly. Reading the documentation and the source code to learn their ins and outs, and having full visibility over what they do by running them through a proxy or monitoring them with Logger++, is what makes them even more efficient.
More than once an issue has gone unnoticed by tools but was visible in the proxy's history.
What trends do you see emerging in cybersecurity, and how are they shaping how you approach your work?
Lately, there has been a trend of access control issues, even though injection vulnerabilities such as SQL injections or XSS are still very present. They might just be less visible than in the past since WAFs are more common and block some of the payloads, while frameworks also started incorporating defensive measures against these kinds of attacks.
On a personal level, trends do not shape my approach to work; instead, techniques do. Knowing more techniques, improving them over time, and figuring out how to chain them implies a higher likelihood of breaching a target.
Can you share your experiences and preferences in terms of teamwork, communication, and coordination when engaging in pentests?
As a team, it is fundamental for each of us to individually review and assess the entire scope provided by the client, e.g. all the functionalities of an application. A constant challenge exists between us to uncover vulnerabilities of high and critical severity, meaning that we do not collaborate all the time.
Every tester has a different mindset and set of skills, and collaboration can be useful on complex problems or when feeling stuck. An internal Slack group is an excellent way of exchanging information, whether it be about an issue, sharing knowledge, or working together.
Looking ahead, how do you envision the future of cybersecurity evolving in 2024, and what do you believe will be the key challenges and opportunities?
In 2024, I see pentesting evolving toward ever more present technologies such as AI, while API testing is expected to remain as prevalent as in the past. AI has already begun to be integrated into our workflows, and this trend will keep growing in the upcoming years both in the offensive and defensive spaces.
Since the emergence of the Internet and connected devices, the key challenges lie in staying up-to-date on rapidly evolving attack vectors and emerging technologies by understanding how they work, their weaknesses and strengths, and how to ultimately use them to our advantage.
Due to their increasing complexity, collaboration among security professionals will become vital to produce better results. And that's exactly where Cobalt's strength resides through its diverse community of testers and their respective skill sets.