On The Virtue of Copying
“Try Harder.”
That’s the advice that Offensive Security will give you when you’re attempting their lab environments and certification exams. It sounds condescending and unhelpful, but it’s actually crucial for developing your critical thinking skills and possibly more importantly, your grit. That “productive struggle” challenges you to push past your current limits, and trains you to keep digging deep as you progress in your journey.
But sometimes, you’re just really at a dead end. And that’s OK.
It’s good to have pride in ourselves and our abilities, but that pride can also be a stumbling block for our progress. The desire to feel like we’re the best and brightest can get in the way of actually growing, which should be the primary objective for someone starting out in cybersecurity.
In those moments, it can be incredibly beneficial to admit that you’re just not that good. Seek out a tip from someone who’s done it before, or find one of the many open-source write-ups that might be floating around. Follow the steps, and burn them into the back of your mind. Build up mental models of the types of problems and learn to recognize similar patterns on other boxes. Better to plod along with a handicap than to give up altogether!
I came to this realization after recently revisiting my fine arts background. In classical studio training, it was common for an apprentice to make copies of a “master drawing” in order to train technique as well as taste. What seems to be boring rote copying in today’s era of enlightened educational methods was actually a reliable means of building up physical and mental muscle memory. The point is less to reproduce the work itself and claim it as your own, and more to internalize the experience of the master by tracing their metaphorical footsteps. As time goes on, the student has enough to produce their own work by observing nature or by drawing from memory.
The important takeaway here is that it’s rare to come out of the gate with your own polished technique and style. Modeling our foundations after experienced veterans is definitely less sexy, but ingrains best practices and avoids bad habits that can be tricky to undo.
One could draw the parallels here to replicating a write-up of a HackTheBox lab — for a novice, it is not obvious as to what to pay attention to or which techniques to use. “Trying harder” without enough intellectual capital is like chopping a tree with a dull ax — it might be good for building character, but not necessarily for becoming a better lumberjack. Following the thought process and tactics of those before us can be a more effective method of expanding our intuition and repertoire as opposed to struggling to reinvent the wheel on our own.
Critics of this method argue that students should be encouraged to freely pursue self-expression and inspiration instead, and that forcing structured practice stifles natural progression. I believe that on the contrary, we may be overstating the average practitioner’s ability to reach a high level of achievement simply from following their passions. Due to “survivorship bias” (it’s not fun to talk about passionate folks that peak early and stagnate), we focus on the stories of Michelangelo/Mitnick and assume that we can and must be able to walk similar paths.
In reality, the existence of those prodigies are merely statistical certainties - in a large enough population, 10x-ers are bound to appear, though very rarely. For the rest of us, it’s less important to feel “1337” for figuring things out all on our own than to find good resources and “masters” to help us along when we need it (which is probably often).
It’s not cheating if you follow a guide/solutions, so long as your intentions are right! Do it to understand a more experienced person’s thought process rather than simply collect flags and pat yourself on the back. Use the training wheels to experience something far outside your current abilities, though do not forget to “try harder”, either.
Let your love for the craft overcome your need to feel like a rockstar, and trust the process.
