New blog post!

I recently completed the OffSec Expert Penetration Tester (OSEP) certificate.

Here are my thoughts on it:

https://ti-kallisti.com/certs/osep.html

#InfoSec #RedTeam #RedTeaming #EDR #Offsec #Metasploit

eBPF rootkits: uprobe on libpam.so = cleartext creds from every sudo/ssh/VPN with zero binary modification. XDP at the NIC driver = full firewall bypass before iptables processes the packet. BPFDoor in production against telecoms since 2021. ShadowGuard hit 70+ orgs in 37 countries in Feb 2026. https://www.kayssel.com/newsletter/issue-55/
#infoSec #cyberSecurity #Pentesting #BugBounty #Offsec #Linux #ebpf
Offensive eBPF: The Kernel as Your Backdoor

eBPF rootkit mechanics, PAM credential harvesting via uprobes, process and connection hiding via getdents64 hooks, XDP magic-packet backdoor, and nation-state deployments

Kayssel
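Something a responder would want next to that summary, as an added example that is not from the newsletter or this post: a Python triage of `bpftool prog show -j` and `bpftool perf show -j` output that flags the three hooks named above (a uprobe on the PAM/SSL credential path, a kprobe on getdents64, and any XDP program that nobody has accounted for). The bpftool output embedded here is constructed, the path and symbol match lists are an assumption, and the JSON key names follow bpftool's JSON writer (`prog_id`, `fd_type`, `filename`, `func`, `offset`).

```python
import json
import re

# Triage rules (an assumption: a small starter list, not an exhaustive
# signature set). Uprobes on these userspace objects sit where cleartext
# credentials pass through; kprobes on getdents are the classic hiding hook.
CRED_PATHS = re.compile(r"(libpam|libssl|libcrypto|libgnutls)\.so|/(sshd|sudo|su|openvpn)$")
DIR_LISTING = re.compile(r"getdents(64)?$")

# Constructed sample of `bpftool prog show -j` (keys not needed here omitted).
SAMPLE_PROGS = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress"},
    {"id": 40, "type": "kprobe", "name": "pam_hook"},
    {"id": 41, "type": "kprobe", "name": "hide_dents"},
    {"id": 42, "type": "xdp", "name": "magic_pkt"},
])

# Constructed sample of `bpftool perf show -j`: which process holds the
# perf-event fd that keeps each probe attached, and what it is attached to.
SAMPLE_PERF = json.dumps([
    {"pid": 1337, "fd": 6, "prog_id": 40, "fd_type": "uprobe",
     "filename": "/lib/x86_64-linux-gnu/libpam.so.0", "offset": 0x1a2b0},
    {"pid": 1337, "fd": 7, "prog_id": 41, "fd_type": "kprobe",
     "func": "__x64_sys_getdents64", "offset": 0},
])


def load_json(text):
    """bpftool -j prints a JSON array; treat empty output as no entries."""
    text = text.strip()
    return json.loads(text) if text else []


def triage(prog_json, perf_json):
    """Cross-reference loaded programs with their perf-event attachments.

    Returns a list of findings: {"prog_id", "name", "severity", "reason"}.
    """
    progs = {p["id"]: p for p in load_json(prog_json)}
    findings = []

    for ev in load_json(perf_json):
        prog = progs.get(ev.get("prog_id"), {})
        base = {"prog_id": ev.get("prog_id"), "name": prog.get("name", "?")}
        if ev.get("fd_type") == "uprobe" and CRED_PATHS.search(ev.get("filename", "")):
            findings.append({**base, "severity": "high",
                "reason": f"uprobe on {ev['filename']}+{ev['offset']:#x} "
                          f"(userspace credential path), fd held by pid {ev['pid']}"})
        elif ev.get("fd_type") == "kprobe" and DIR_LISTING.search(ev.get("func", "")):
            findings.append({**base, "severity": "high",
                "reason": f"kprobe on {ev['func']} (directory-listing hook used to hide "
                          f"files, processes and sockets), fd held by pid {ev['pid']}"})

    # XDP runs in the driver before netfilter ever sees the packet, so every
    # XDP program needs a known owner (Cilium, Katran, a DDoS scrubber, ...).
    for prog_id, prog in progs.items():
        if prog.get("type") == "xdp":
            findings.append({"prog_id": prog_id, "name": prog.get("name", "?"),
                "severity": "review",
                "reason": "XDP program loaded; confirm its owner, it filters before iptables/nftables"})
    return findings


def triage_sample():
    """Run the triage over the constructed samples above."""
    return triage(SAMPLE_PROGS, SAMPLE_PERF)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f['severity']}] prog {f['prog_id']} ({f['name']}): {f['reason']}")
```

On a live host (root required) feed it `triage(subprocess.check_output(["bpftool", "prog", "show", "-j"], text=True), subprocess.check_output(["bpftool", "perf", "show", "-j"], text=True))`, and use `bpftool net show -j` to see which interface each XDP program sits on. One caveat: a rootkit that hooks the read or getdents paths can lie to bpftool as well, so corroborate from a vantage point the implant does not control (hypervisor introspection, a rescue boot, or a memory image).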

Alright, now that I have expressed my frustration over the lack of awareness in the @offsec community Discord, I will provide a fair, unbiased review of the platform after trying my first box.

Coming from Hack The Box, it definitely feels a little less gamified and more like real-world application (so far), although HTB is still a little similar. On HTB, I have noticed that a lot of boxes have default admin accounts whereas OffSec appears to have stripped that out (at least so far). Default credentials do still happen in the wild, but it is nice to have that more realistic feel to it.

The user.txt not being the actual user flag tripped me up at first but then I quickly noticed another txt file next to it. I definitely had some HTB tunnel vision there at first. Having the little message encoded in the user.txt file was cool. I definitely liked that.

I am assuming there is probably a sound when you pop a box, but I just realized I hadn't configured my conf file for dmic_detect on this fresh install yet, so my sound wasn't working.

Overall, I would give the feel of the platform a solid 8.5/10. You just need to tell your community mods not to blindly defend random users with federal employee look-alike usernames when someone "jokingly" calls it larp so people are on guard. I don't think your community mod understands what "harassment" is. Raising valid concern regarding threat indicators is not "harassment."

#offsec #ctf #review #cybersecurity #pentesting #EthicalHacking

I wouldn't recommend trusting the @offsec community Discord, and at this point, I can’t recommend their certs either.

Last night, I called out an account using a fake federal subdomain for their username as "larp:" "<first_name>.<last_name>.dni.gov." Threat actors frequently use fake government handles to cultivate unearned trust. Instead of validating a basic threat indicator, a mod reignited it this morning, defending the account with "you don't know if they are posing or not."

Exactly. I don't. That’s why I called it a larp instead of phishing. But a red team platform should understand zero-trust models, proactive threat identification, and defensive alignment. Instead, they operate on a purely reactive basis.

It's a terrible look to run off a cybersecurity major in a CAE-CD program for practicing human perimeter tactics. I don't need OffSec to get where I'm going. SANS/GIAC offers highly respected pentesting certs anyway, alongside industry-gold-standard DFIR (Digital Forensics & Incident Response) and specialized Cyber Defense pathways. I'll save my $1,600+ for an ecosystem that actually understands threat modeling.

Purple team is still the undisputed champion. I am not going to bow down to someone just because they are a community mod and operate in a complete silo.

#cybersecurity #purpleteam #offsec #opsec #APTs #impersonation #proactivedefense

My private Discord server is coming along great. I have CTF announcement feeds from most of the major CTF platforms, bug bounty feeds, a Def Con feed, CVE RSS feeds for Debian and Ubuntu (even though Ubuntu is a Debian-flavored distro), and an Arch RSS feed. I just wish I had a way to stream BSides feeds into it, but they are all run locally rather than as a single national convention like Def Con.

Once I get my home lab running, I am going to run Suricata using log2ram, a Python script to sanitize the output, and then send it to a private feed on my private Discord server using webhooks.

I have to say, this journey has been amazing and it's still just the beginning. Going from an average gamer/nerd to a cybersecurity major that has a very solid foundation in InfoSec, and now exploring a journey in ethical hacking training, has been an absolutely amazing journey!

I've wrestled with imposter syndrome but I've also had some very enlightening light bulb moments.

#cybersecurity #opsec #infosec #ethicalhacking #offsec
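For the Suricata-to-Discord leg of that pipeline, an added example (mine, not the author's script): it reads eve.json lines, keeps only alert events, projects an allow-list of fields so payload and packet bytes never reach the channel, backslash-escapes Discord markdown, disables mention parsing so rule text cannot ping @everyone, and shapes the embed within Discord's field limits. The eve.json lines are constructed, the signature is a local-rule-range stand-in, and the environment variable name SURICATA_DISCORD_WEBHOOK is hypothetical.

```python
import json
import os
import re
import urllib.request

# Constructed eve.json lines (not real traffic). The second is a flow record,
# which the pipeline ignores; the alert's signature carries Discord markdown
# and a mass-mention to show what the sanitiser has to neutralise.
SAMPLE_EVE = [
    '{"timestamp":"2026-03-01T10:15:42.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"10.0.0.7","dest_port":22,'
    '"proto":"TCP","alert":{"signature_id":9000001,"rev":1,'
    '"signature":"LAB @everyone **ssh** probe","category":"Attempted Information Leak",'
    '"severity":2},"payload_printable":"SSH-2.0-scanner\\r\\n"}',
    '{"timestamp":"2026-03-01T10:15:43.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.7","proto":"TCP"}',
]

MD_SPECIAL = re.compile(r"([\\*_~`|>])")
COLOR = {1: 0xE74C3C, 2: 0xE67E22, 3: 0xF1C40F}   # Suricata severity 1 = most severe


def md_escape(s):
    """Backslash-escape Discord markdown so rule text renders literally."""
    return MD_SPECIAL.sub(r"\\\1", str(s))


def clip(s, limit):
    """Discord rejects embeds over its per-field limits; truncate visibly."""
    return s if len(s) <= limit else s[: limit - 1] + "…"


def build_payload(line):
    """Turn one eve.json line into a webhook body, or None if not an alert.

    Fields are projected from an allow-list: payload, packet and file
    contents never leave the sensor, so the channel cannot be used to
    smuggle attacker-controlled bytes into chat.
    """
    ev = json.loads(line)
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    title = clip(md_escape(a.get("signature", "?")), 256)
    desc = clip(md_escape(f"{ev.get('src_ip')}:{ev.get('src_port')} -> "
                          f"{ev.get('dest_ip')}:{ev.get('dest_port')} {ev.get('proto')}"), 4096)
    return {
        "username": "suricata",
        # Never let rule text or payload trigger @everyone/@here/role pings.
        "allowed_mentions": {"parse": []},
        "embeds": [{
            "title": title,
            "description": desc,
            "color": COLOR.get(a.get("severity"), 0x95A5A6),
            "fields": [
                {"name": "sid", "value": f"{a.get('signature_id')}:{a.get('rev')}", "inline": True},
                {"name": "category", "value": clip(md_escape(a.get("category", "?")), 1024), "inline": True},
                {"name": "time", "value": str(ev.get("timestamp")), "inline": True},
            ],
        }],
    }


def post_webhook(payload, url):
    """POST one payload to a Discord webhook URL; returns the HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    url = os.environ.get("SURICATA_DISCORD_WEBHOOK")   # hypothetical env var name
    for line in SAMPLE_EVE:
        payload = build_payload(line)
        if payload is None:
            continue
        if url:
            post_webhook(payload, url)
        else:
            print(json.dumps(payload, indent=2))
```

Swapping `SAMPLE_EVE` for `sys.stdin` and running it behind `tail -F /var/log/suricata/eve.json` gives a follow-mode feed. Discord rate-limits webhooks, so a noisy rule will get your posts dropped; dedupe on signature_id per source per minute before posting rather than after.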

Enterprise SSO with SAML: one XML signature wrapping attack = access to every app in scope. This week I broke down XSW variants, void canonicalization bypass, NameID comment injection, and attribute-based escalation. Five quick checks that cover most real-world SAML bugs, all automatable with SAMLRaider. https://www.kayssel.com/newsletter/issue-54/
#InfoSec #CyberSecurity #Pentesting #BugBounty #OffSec #SAML #SSO
SAML SSO Exploitation: Breaking the Trust Chain

XML signature wrapping variants, void canonicalization bypass, NameID comment injection, SAML attribute injection, and token replay against enterprise SSO

Kayssel
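The NameID comment injection in that teaser, as an added worked example (mine, not from the newsletter), using only the Python standard library. It shows the three parts of the bug class: the signature still verifies because canonicalising with comments dropped, as the usual exclusive C14N transform does, yields identical bytes for the clean and the injected assertion; a relying party that reads only the first text node sees a truncated identity; and two correct reads. The assertion is constructed and unsigned, and the parser is told to keep comments as nodes to model the DOM-based SAML libraries where this bug appeared.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion (no Signature element; the point is what the relying
# party reads out of NameID and why the signature does not notice). The
# attacker legitimately owns bob@victim.example.attacker.example at the IdP.
CLEAN = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
         'ID="_a1" Version="2.0"><saml:Subject>'
         '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
         'bob@victim.example.attacker.example</saml:NameID>'
         '</saml:Subject></saml:Assertion>')

# Same assertion with an empty comment spliced into the NameID text.
INJECTED = CLEAN.replace("bob@victim.example.attacker.example",
                         "bob@victim.example<!---->.attacker.example")


def parse_keeping_comments(xml_text):
    """Parse with comments kept as nodes, as DOM-based SAML libraries do."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def nameid_first_text_node(root):
    """The buggy read: only the text before the first child node."""
    return root.find("saml:Subject/saml:NameID", NS).text


def nameid_joined(root):
    """Correct value: every text node concatenated, which is what C14N signed."""
    return "".join(root.find("saml:Subject/saml:NameID", NS).itertext())


def nameid_strict(root):
    """Hardened read: refuse any NameID that has child nodes at all."""
    node = root.find("saml:Subject/saml:NameID", NS)
    if len(node):
        raise ValueError("NameID contains child nodes (comment/PI/element); rejecting assertion")
    return node.text or ""


def canonical_without_comments(xml_text):
    """Canonical form with comments dropped. Exclusive C14N, the transform
    SAML signatures normally use, drops them too, so the signed bytes of the
    clean and the injected assertion are the same."""
    return ET.canonicalize(xml_data=xml_text, with_comments=False)


def demo():
    root = parse_keeping_comments(INJECTED)
    return {
        "signature_unchanged": canonical_without_comments(CLEAN)
                               == canonical_without_comments(INJECTED),
        "buggy": nameid_first_text_node(root),
        "joined": nameid_joined(root),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    try:
        nameid_strict(parse_keeping_comments(INJECTED))
    except ValueError as e:
        print("strict:", e)
```

Of the two correct reads, prefer the strict one in a service provider: a NameID with any child node has no legitimate reason to exist, and refusing it also closes the variants that use processing instructions or nested elements instead of a comment.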

⚠️ Disclaimer: For educational use only. All activities shown were performed legally on an authorized CTF platform. Unauthorized access to systems is illegal and carries severe criminal penalties.

This video demonstrates a Time-of-Check to Time-of-Use (TOCTOU) race condition exploit (CVE-2026-3888), which was a key component of the "Snapped" machine on Hack The Box.

"Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS" (Common Vulnerabilities and Exposures, 2026).

https://www.cve.org/CVERecord?id=CVE-2026-3888

#EthicalHacking #offsec #penetrationtesting #Linux #cybersecurity


Current Cybersecurity and OffSec Personal Library:

• Linux Bible

• The Hacker Playbook 3

• Linux Basics for Hackers

• Operator Handbook: Red Team + OSINT + Blue Team

• RTFM v2

#cybersecurity #OffSec #OSINT #Linux #EthicalHacking

On-prem AD foothold to Entra ID Global Admin: SyncJacking abuses Entra Connect hard match sync to hijack any cloud identity including Global Administrator. This issue covers MSOL credential extraction, PTA agent backdooring with PTASpy, the sync API abuse paths that survive Microsoft's patching, and AzureHound/ROADtools for attack path mapping. https://www.kayssel.com/newsletter/issue-53/
#InfoSec #CyberSecurity #pentesting #bugBounty #OffSec #ActiveDirectory #EntraID
SyncJacking: On-Prem AD to Cloud Admin

Entra Connect hard-match hijacking, MSOL credential extraction, PTA agent backdoor, sync API abuse, and attack path mapping with AzureHound

Kayssel
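The hard match that SyncJacking abuses keys on ImmutableId (the sourceAnchor), which with the default objectGUID anchor is the Base64 of the GUID's 16 bytes in .NET byte order. Added example, mine rather than the newsletter's or AzureHound's: it derives and reverses that anchor, then audits a constructed tenant export for the symptoms a defender can check: a privileged cloud account that has any ImmutableId at all, an anchor that binds a cloud account to a differently named on-prem user, and an anchor that matches nothing on-prem. The Graph property names `userPrincipalName` and `onPremisesImmutableId` are real; the flattened `roles` list, the role names, and the assumption that synced UPNs equal on-prem UPNs are simplifications.

```python
import base64
import uuid

# Roles that must never be reachable from on-prem sync (assumption: a starter
# list; the guidance is cloud-only accounts for every privileged role).
PRIVILEGED = {"Global Administrator", "Privileged Role Administrator"}


def source_anchor(object_guid):
    """ImmutableId as Entra Connect derives it from objectGUID: Base64 of the
    16 GUID bytes in .NET Guid.ToByteArray() order, i.e. uuid.bytes_le."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode()


def guid_from_anchor(anchor):
    """Inverse of source_anchor; None for anchors that are not a GUID."""
    try:
        raw = base64.b64decode(anchor, validate=True)
        return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else None
    except (ValueError, TypeError):
        return None


# Constructed directory data; nothing here is a real tenant.
ONPREM = [
    {"objectGUID": "a7c3d2a4-1b2e-4c7b-9d4e-2f6a1b3c4d5e", "userPrincipalName": "asmith@corp.example"},
    {"objectGUID": "3f9e8d7c-6b5a-4f3e-8d2c-1b0a9f8e7d6c", "userPrincipalName": "jdoe@corp.example"},
]
CLOUD = [
    {"userPrincipalName": "asmith@corp.example", "roles": [],
     "onPremisesImmutableId": source_anchor("a7c3d2a4-1b2e-4c7b-9d4e-2f6a1b3c4d5e")},
    {"userPrincipalName": "breakglass@corp.onmicrosoft.com", "roles": ["Global Administrator"],
     "onPremisesImmutableId": None},
    # Hijack in progress: jdoe's anchor has been written onto the admin account,
    # so the next sync cycle binds jdoe's on-prem object (and password) to it.
    {"userPrincipalName": "admin@corp.example", "roles": ["Global Administrator"],
     "onPremisesImmutableId": source_anchor("3f9e8d7c-6b5a-4f3e-8d2c-1b0a9f8e7d6c")},
    # Anchor that matches no on-prem object: planted ahead of a later join.
    {"userPrincipalName": "contractor@corp.example", "roles": [],
     "onPremisesImmutableId": "AAAAAAAAAAAAAAAAAAAAAQ=="},
]


def audit(onprem, cloud):
    """Return findings as {"upn", "kind", "detail"} for suspicious anchors."""
    by_guid = {u["objectGUID"].lower(): u for u in onprem}
    findings = []
    for u in cloud:
        upn, anchor = u["userPrincipalName"], u.get("onPremisesImmutableId")
        if not anchor:
            continue   # cloud-only account: sync cannot touch it
        if PRIVILEGED & set(u.get("roles", [])):
            findings.append({"upn": upn, "kind": "privileged_account_syncable",
                "detail": "privileged role with an ImmutableId set; on-prem sync "
                          "can overwrite its password hash and attributes"})
        guid = guid_from_anchor(anchor)
        src = by_guid.get(guid) if guid else None
        if src is None:
            findings.append({"upn": upn, "kind": "orphan_anchor",
                "detail": f"ImmutableId {anchor} matches no on-prem objectGUID"})
        elif src["userPrincipalName"].lower() != upn.lower():
            findings.append({"upn": upn, "kind": "hard_match_hijack",
                "detail": f"ImmutableId binds this account to on-prem "
                          f"{src['userPrincipalName']} ({guid})"})
    return findings


if __name__ == "__main__":
    for f in audit(ONPREM, CLOUD):
        print(f"{f['kind']:28} {f['upn']:32} {f['detail']}")
```

The on-prem side can come from `Get-ADUser -Filter * -Properties objectGUID`, the cloud side from a Graph export of users with `onPremisesImmutableId` and directory-role membership. Tenants that use ms-DS-ConsistencyGuid as the sourceAnchor seed it from objectGUID, so the derivation is the same unless the attribute was set by hand, which is itself worth a finding.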