ZeroTrustWraith

18 Followers
17 Following
31 Posts

———————————————————————
🔐 B.S. Cybersecurity Undergraduate | CAE-CD Program

💻 Ethical Hacking

🟣 Purple Team

🐧 Linux Convert

📱 GrapheneOS Convert
———————————————————————

GitHub: https://github.com/ZeroTrustWraith
Hack the Box: https://app.hackthebox.com/users/3179986
@abu Looks delicious! I had some naan the other day when I went out and had Indian food. Had some Chicken Tikka Masala and lemon rice, with Gulab Jamun for dessert.
@Nonilex Well, there's definitely video footage and a bystander said he not only hit the agent who was making a lawful arrest, but he pinned him. I'm definitely against overreach but I am also against violence towards law enforcement doing their jobs. Thank you for letting me know who to block. Getting tired of seeing this polarized political slop on my feeds.

Alright, now that I expressed my frustration over the lack of awareness in the @offsec community Discord, I will provide a fair, unbiased review of the platform after trying my first box.

Coming from Hack the Box, it definitely feels a little less gamified and more like real-world application (so far), although HTB is still a little similar. On HTB, I have noticed that a lot of boxes have default admin accounts whereas OffSec appears to have stripped that out (at least so far). Default credentials do still happen in the wild, but it is nice to have that more realistic feel to it.

The user.txt not being the actual user flag tripped me up at first but then I quickly noticed another txt file next to it. I definitely had some HTB tunnel vision there at first. Having the little message encoded in the user.txt file was cool. I definitely liked that.

I am assuming there is probably a sound when you pop a box, but I just realized I hadn't configured my conf file for dmic_detect on this fresh install yet, so my sound wasn't working.

Overall, I would give the feel of the platform a solid 8.5/10. You just need to tell your community mods not to blindly defend random users with federal employee look-alike usernames when someone "jokingly" calls it larp so people are on guard. I don't think your community mod understands what "harassment" is. Raising valid concern regarding threat indicators is not "harassment."

#offsec #ctf #review #cybersecurity #pentesting #EthicalHacking

I wouldn't recommend trusting the @offsec community discord, and at this point, I can’t recommend their certs either.

Last night, I called out an account using a fake federal subdomain for their username ("<first_name>.<last_name>.dni.gov") as "larp." Threat actors frequently use fake government handles to cultivate unearned trust. Instead of validating a basic threat indicator, a mod reignited it this morning, defending the account with "you don't know if they are posing or not."

Exactly. I don't. That’s why I called it a larp instead of phishing. But a red team platform should understand zero-trust models, proactive threat identification, and defensive alignment. Instead, they operate on a purely reactive basis.

It's a terrible look to run off a cybersecurity major in a CAE-CD program for practicing human perimeter tactics. I don't need OffSec to get where I'm going. SANS/GIAC offers highly respected pentesting certs anyway, alongside industry-gold-standard DFIR (Digital Forensics & Incident Response) and specialized Cyber Defense pathways. I'll save my $1,600+ for an ecosystem that actually understands threat modeling.

Purple team is still the undisputed champion. I am not going to bow down to someone just because they are a community mod and operate in a complete silo.

#cybersecurity #purpleteam #offsec #opsec #APTs #impersonation #proactivedefense

My private discord server is coming along great. I have CTF announcement feeds from most of the major CTF platforms, bug bounty feeds, a Def Con feed, CVE RSS feeds for Debian and Ubuntu (even though Ubuntu is a Debian-flavored distro), and an Arch RSS feed. I just wish I had a way to stream BSides feeds into it but they are all run locally rather than a single national convention like Def Con.

Once I get my home lab running, I am going to run Suricata using log2ram, a Python script to sanitize the output, and then send it to a private feed on my private discord server using webhooks.
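The Suricata-to-Discord pipeline sketched above, as an added example (not the author's script and not part of the original post). It assumes Suricata's eve.json output (one JSON object per line, alerts carrying event_type "alert") and a Discord incoming webhook that accepts a POST of {"content": "..."} capped at 2000 characters; the lab subnets, the sample eve.json lines and the webhook URL are all constructed placeholders.

```python
"""Suricata EVE alerts -> sanitized Discord webhook message (added example)."""
import ipaddress
import json
import re
import urllib.request

# Placeholder lab subnets: hosts inside these are collapsed to their subnet before posting.
HOME_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]
DISCORD_CONTENT_LIMIT = 2000          # Discord's limit for the "content" field
MENTION_RE = re.compile(r"@(everyone|here)|<@[!&]?\d+>")

# Constructed eve.json lines for the demo (not captured traffic). The first one carries
# an attacker-controlled payload string that would ping the whole server if posted raw.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T12:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.7",'
    '"src_port":4444,"dest_ip":"192.168.1.20","dest_port":22,"proto":"TCP","alert":{"signature_id":2001219,'
    '"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2},'
    '"payload_printable":"SSH-2.0-paramiko @everyone"}',
    '{"timestamp":"2024-05-01T12:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"192.168.1.1"}',
    '{"timestamp":"2024-05-01T12:00:03.000000+0000","event_type":"alert","src_ip":"192.168.1.20",'
    '"src_port":51000,"dest_ip":"198.51.100.9","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,'
    '"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}',
    'not json at all',
]


def redact_ip(value):
    """Collapse lab hosts to their subnet so the feed never leaks the internal host map.
    External addresses are the interesting part, so they are left intact."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "invalid-ip"
    for net in HOME_NETS:
        if ip in net:
            return f"lan({net})"
    return str(ip)


def scrub_text(text, limit=120):
    """Rule names and anything payload-derived are attacker influenced: neutralise Discord
    mentions, drop backticks (code blocks) and non-printables, and cap the length."""
    text = MENTION_RE.sub("[mention]", text)
    text = text.replace("`", "'")
    text = "".join(ch if ch.isprintable() else "?" for ch in text)
    return text[:limit]


def parse_alert(line):
    """Return the event dict for an alert line, None for anything else (flows, garbage)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("event_type") != "alert" or "alert" not in event:
        return None
    return event


def sanitize_alert(event):
    """Keep only the fields worth pushing; payload/packet/http bodies are dropped on purpose."""
    a = event["alert"]
    return {
        "time": str(event.get("timestamp", ""))[:19],
        "sid": int(a.get("signature_id", 0)),
        "severity": int(a.get("severity", 3)),
        "signature": scrub_text(str(a.get("signature", ""))),
        "category": scrub_text(str(a.get("category", ""))),
        "src": f"{redact_ip(event.get('src_ip', ''))}:{event.get('src_port', '-')}",
        "dest": f"{redact_ip(event.get('dest_ip', ''))}:{event.get('dest_port', '-')}",
        "proto": str(event.get("proto", "?")),
    }


def process_lines(lines, max_severity=2):
    """Parse, sanitize and keep alerts at or above the given severity (1 is the most severe)."""
    out = []
    for line in lines:
        event = parse_alert(line)
        if event is None:
            continue
        alert = sanitize_alert(event)
        if alert["severity"] <= max_severity:
            out.append(alert)
    return out


def build_message(alerts):
    """One webhook message per batch, truncated to Discord's content limit."""
    rows = [f"[{a['time']}] sev{a['severity']} sid:{a['sid']} {a['signature']} ({a['category']}) "
            f"{a['src']} -> {a['dest']} {a['proto']}" for a in alerts]
    content = "\n".join(rows)
    if len(content) > DISCORD_CONTENT_LIMIT:
        content = content[:DISCORD_CONTENT_LIMIT - 15] + "\n...(truncated)"
    return {"content": content}


def post_to_discord(webhook_url, payload):
    """POST the payload to the webhook and return the HTTP status (not called in the demo)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    message = build_message(process_lines(SAMPLE_EVE_LINES))
    print(message["content"])
    # post_to_discord("https://discord.com/api/webhooks/<id>/<token>", message)  # placeholder URL
```

In a real deployment the script would tail eve.json from the log2ram mount instead of reading the constructed list, but the sanitizing steps are the part that matters: whatever the IDS writes into a signature name or payload field is ultimately chosen by the sender of the traffic, so it has to be treated as untrusted before it reaches a channel where "@everyone" means something.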

I have to say, this journey has been amazing and it's still just the beginning. Going from an average gamer/nerd to a cybersecurity major that has a very solid foundation in InfoSec, and now exploring a journey in ethical hacking training, has been an absolutely amazing journey!

I've wrestled with imposter syndrome but I've also had some very enlightening light bulb moments.

#cybersecurity #opsec #infosec #ethicalhacking #offsec

@hell I am pretty familiar with Arch and the recent Atomic Arch malware campaign. I have Arch on an Asus but I haven't logged into it in a bit and I just switched off CachyOS on the 6th, which is why I said I dodged a bullet.

I actually have RSS feeds going straight into my private discord but the arch feeds don't cover AUR.

⚠️ How SMS 2FA Destroys Authentication Logic

A recent experience while changing my account info reminded me why relying on telecom routing for security is an absolute nightmare, and why the infosec community needs to kill off SMS authentication for good.

🚩 Battle.net SMS 2FA Failure and Security Theater:

I attempted to log into Battle.net using a phone number I had legitimately owned for months, assuming I had added it to my alt profile when I switched to that number. Instead of asking for a secondary 2FA, the platform sent an SMS code, accepted it, and provided me access to a complete stranger's account.

🚩 The Architectural Flaw:

The platform's backend treated a single SMS verification token not as a supplementary second factor, but as a primary identity credential. Because a stranger had left my number on their account months prior, the system assumed current possession of the SIM trumped all other security metrics.

🏳 The Legal Reality of Intent:

From a legal standpoint (like the CFAA), navigating into an account this way lacks the malicious intent required for criminal unauthorized access (Mens Rea); it's an accidental entry caused entirely by broken corporate infrastructure. But the fact that a user can simply input their own phone number and inadvertently hijack a stranger's digital life without a single exploit is a staggering failure of AppSec logic.

✅ The Solution:

SMS is not identity proof. It is a highly volatile, easily routed carrier token. If a platform allows SMS to override or bypass a standard password barrier without out-of-band verification (like a mandatory email confirmation), it isn't secure.

Stop letting telcos act as your root of trust. Switch to cryptographic hardware standards like NFC Yubikeys or standard TOTP apps.

#CyberSecurity #Infosec #MFA #SecurityTheater #AppSec #Yubikey #CFAA #Hacking
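The flaw described in the post above, modelled as an added toy example (not Battle.net's code and not the author's; the accounts, passwords, phone number and every class and function name are constructed for the demo). The flawed path selects the account by phone number and accepts one SMS code as the whole credential; the hardened path selects the account by username, always checks the password, and lets the SMS code add assurance only to an account the password has already proven. Phone-based recovery is kept as a separate path that cannot mint a session without an out-of-band email confirmation.

```python
"""Flawed SMS login vs. SMS as a genuine second factor (added example, toy account store)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class SmsGateway:
    """Stand-in for the carrier: whoever holds the number right now sees the code."""

    def __init__(self):
        self._pending = {}   # phone -> code the service is waiting for
        self.inbox = {}      # phone -> last code delivered to that handset

    def send(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = code
        self.inbox[phone] = code

    def verify(self, phone, code):
        expected = self._pending.pop(phone, None)   # single use
        return expected is not None and hmac.compare_digest(expected, code)


def make_accounts():
    """Constructed data: two users, one stale phone binding."""
    alice_salt, alice_pw = hash_password("alice-strong-passphrase")
    bob_salt, bob_pw = hash_password("bob-strong-passphrase")
    return {
        # Alice gave up +1 555 000 1111 months ago but never removed it from her account.
        "alice": {"salt": alice_salt, "pw": alice_pw, "phone": "+15550001111",
                  "sms_2fa": True, "email": "alice@example.com"},
        # Bob now legitimately owns that number and has not linked any phone to his account.
        "bob": {"salt": bob_salt, "pw": bob_pw, "phone": None,
                "sms_2fa": False, "email": "bob@example.com"},
    }


def vulnerable_sms_login(accounts, sms, phone, read_handset):
    """The flaw: the phone number picks the account and a single SMS code is accepted as
    proof of identity. No password, no second factor. read_handset(phone) returns whatever
    the number's current holder types, i.e. the code that just arrived on their handset."""
    owner = next((u for u, a in accounts.items() if a["phone"] == phone), None)
    if owner is None:
        return None
    sms.send(phone)
    if sms.verify(phone, read_handset(phone)):
        return {"session_for": owner}
    return None


def hardened_login(accounts, sms, username, password, read_handset=None):
    """Account chosen by username; password always required; SMS only as a second factor."""
    acct = accounts.get(username)
    # Hash even for unknown usernames so response time does not reveal which ones exist.
    salt, digest = (acct["salt"], acct["pw"]) if acct else (b"\0" * 16, b"\0" * 32)
    if not check_password(password, salt, digest) or acct is None:
        return None
    if acct["sms_2fa"]:
        if read_handset is None or acct["phone"] is None:
            return None
        sms.send(acct["phone"])
        if not sms.verify(acct["phone"], read_handset(acct["phone"])):
            return None
    return {"session_for": username}


def hardened_phone_recovery(accounts, sms, phone, read_handset):
    """Possession of the number may start recovery but never finishes it: the result is a
    pending request that still needs confirmation through the account's email."""
    owner = next((u for u, a in accounts.items() if a["phone"] == phone), None)
    if owner is None:
        return None
    sms.send(phone)
    if not sms.verify(phone, read_handset(phone)):
        return None
    return {"session_for": None, "pending_recovery_for": owner, "confirm_via": accounts[owner]["email"]}


if __name__ == "__main__":
    accounts, sms = make_accounts(), SmsGateway()
    bob_types = lambda phone: sms.inbox[phone]   # Bob holds the number, so he sees every code sent to it
    print("flawed:  ", vulnerable_sms_login(accounts, sms, "+15550001111", bob_types))  # Alice's session
    print("hardened:", hardened_login(accounts, sms, "alice", "bob-guess", bob_types))  # None
    print("recovery:", hardened_phone_recovery(accounts, sms, "+15550001111", bob_types))
```

The root cause the toy isolates is the lookup key: a phone number is a routing address that the carrier can hand to someone else, so the hardened path never lets it select which account is being authenticated, and the stale binding on Alice's account can at most start a recovery that Alice's inbox has to approve.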

@hell looks like I dodged a bullet.
@hell @magrid If you have suggestions, I would be open to hear them but I am not going to entertain the other comment that was made. It does no good for either of us and doesn't promote a productive conversation.
@happyborg Thank you! It's a GeeekPi 10" mini rack.