How I Got Here
Hey there! My name is Mo. I'm currently an intern here at Rapid7 working in the Austin office as part of the Metasploit team. If you came here expecting a deep understanding of Metasploit, this blog post isn't the right place. If you ARE interested in knowing what it's like to being a small town college student working at a leading firm in security engineering, then keep reading!
Everyone used to tell me that every mistake and failure was a push in the right direction, but that was pretty hard to believe when you're two weeks away from graduating college and you still don't have the faintest clue as to the next step.
I had been applying to positions since January of this year. One interviewer had told me that my passion was overwhelming and that I'd quickly bore in the position, another said my experience was impressive but not what they were looking for, and the one place where I did have a chance closed the position before I was able to assume the role. It was almost as every unsuccessful application and interview was another step on the journey down the road of misadventure.
I was at the end of my rope when I had heard from various places about an opening at a place called Rapid7. They were looking for someone with a knack for security and some Ruby experience, so I figured why not. I had a love for security and a growing interest in ruby among other programming languages, so I figured I'd reach out via Reddit (yes, you read that correctly). At first, the recruiter had told me that same thing I had heard countless times — I was "too green" and inexperienced for the opening, however there was an internship opportunity available at the company. Although I was a little scared knowing all internships end, I realized I needed some experience and figured I could learn a few things. So I tightened up my resume and submitted some code on GitHub hoping for the best but expecting the worst. A few days later, I found out I had landed an interview. Excited and nervous, I realized I couldn't interview with a company I knew nothing about. As I typed "Rapid7" in on google, I immediately saw "metasploit" come up on auto complete and suddenly realized where I had just gotten an interview — the Metasploit team (insert fanboy freakout here).
I'm going to fast forward a bit since it's obvious as to the outcome of the interviews.
One Month Later
I've been working as a functional member of the Metasploit team since the week I arrived. I say functional because I'm not simply gawking as the people next to me work or watching over their shoulders taking notes (which I do occassionally do) — I've been making commits and reviewing code similar to the full-timers on the project. Although I'm not at their level of productivity, I am making steady progress. Every morning at 10AM, we all get the chance to talk about what we are working on while getting some feedback from our peers. It's a great feeling, getting together in a group and talking about the cool stuff you're working on. It's even better when everyone is genuinely interested in seeing you succeed. That happens every day here at Rapid7.
My first assignment had me doing some YARD documentation for a few of the modules in Metasploit. To all the non-believers who skip on documentation, you better get to it. As an open-source project, Metasploit is composed of thousands of modules developed by hundreds of contributors. Additionally not all people who contribute to the project stay with the project, so it's important to leave behind something comprehensive that other people understand. While it doesn't sound exciting, writing the documentation was a more involving task than meets the eye. In order to see how certain parts of the module worked, I had to test them individually. This gave me a great opportunity to see how everything in Metasploit interacted with each each other. It also served as a great way to get my mind thinking in Ruby again. Here's a link to the pull requests for the YARD docs if you're into that kind of thing:
This month I've been able to get my feet wet and hands dirty doing some bug fixes and adding some features to Metasploit. My second week had me looking at problems in different languages like Python and PHP — I even got to land my first pull request. That basically means I got to add something to the Metasploit framework which is being used by the world's leading security experts. Here's the link:
Pretty sweet. I've also had the chance to dedicate some time and learn some new stuff. Wei "_sinn3r" Chen, one of the exploit developers on the Metasploit team, gave me a crash course on assembly, debuggers, and exploit development. Essentially, we used a known vulnerability in an old, FTP client for Windows XP and used a debugger to follow the program in execution. this allowed monitor the vulnerable process and create an attack tailored to its weakness. I should also note that neither of these weeks would be possible without Git. Half of my first week was solely devoted to setting up and fine-tuning my Metasploit development environment while my second week was more about using Git and GitHub properly.
Where I Am Now
Well I'm still alive and kicking. Despite what I've been told on the Metasploit IRC channel, no one has tried bugging my computer( to my knowledge). The guys here have been pretty welcoming to me here at Rapid7 and have given me the opportunity to learn outside of the work environment. I was able to give a lightning talk at an AHA! meeting about research I had previously done in school and have been going to other group meetups where members of our team give their own talks. It's encouraging to see that so many members of the team are still very involved with giving back to the local community as well as the open source community. Although I am a bit shy when it comes to participating in the IRC channels, I've been opening up more and will be doing more to help out and exude more presence in the community.
I've also been assigned my own independent project to work on during my time here as well. This is probably most exciting since I won't just be able to say I got to work at Rapid7, but I'll have something with my name on it to prove that my time here was not only valuable to me, but the the company as well.
These descriptions don't even begin to tap the surface on many of the individual side lessons I've gotten from other colleagues in the office, including the importance of locking your workstation before walking away from it. I'll try and list a few of them now just to give you an idea of my experiences so far. I've been able to:
- Learn the basics behind encryption and key signing
- Discover new Metasploit utilities I didn't know existed (and some that don't...yet)
- Meet highly regarded professionals in the InfoSec community
- Ask EVERYONE questions about ANYTHING ( i.e is egyp7 really egyptian )
- Be mindblown by all the snacks in the kitchen
- Experience donutting secondhand**
**Donutting is a ritual where a silly victim leaves their unlocked computer unattended, which is then used by someone in the vicinity to send a mass email to the office promising donuts. Promises are taken very seriously at Rapid7, as are donuts.
So If you're one of those people who saw the beginning of this post and was like "No, why do interns talk so much", this is for you. It took me 67 failures to get the one success that made the entire journey worth it. I get to learn about and work on a product that is making waves in the security community with some of the most intelligent and talented people I know (and don't know). Best part is that all these people care about what they do and push each other to their own limits. Sure, I've had to dodge a nerf dart or two and I may have to lock my computer in fear of being a victim of the donut, but overall I'm having a great time on this team and at this company.