Guessing sucks.
I recently watched a video by @liveoverflow on YouTube, aptly labelled ‘Guessing vs. Not Knowing in Hacking and CTFs’ (https://www.youtube.com/watch?v=L1RvK1443Yw).
Guessing is pretty boring in CTFs. He calls out steganography challenges outright, which always come down to some crappy tool you never knew about. The tl;dr is that bruting directories is generally a waste of time, and it ultimately comes down to guessing a bunch.
You wouldn’t want to do it for a product assessment, because you’re going to spend all your time bruting things instead of triaging actual issues, and in a CTF it’s a lot of wasted time waiting for gobuster to do its thing.
Food for thought.