Starting to Learn Cybersecurity


Learning cybersecurity is one of my top goals. To achieve it, I wanted to get ahead of my studies by starting to learn and practice pentesting skills in a safe and legal environment. There are a lot of resources on the Internet, but here I will go through every website and tool that I tried and want to share as a good start in cybersecurity.

TryHackMe

TryHackMe was my very first step into the world of cybersecurity: https://tryhackme.com/.

On this website, I learned the knowledge needed to get started properly through the Complete Beginner path. It covers topics such as Computer Networks, Web Hacking Fundamentals and Linux Privilege Escalation.

Tools learned

  1. Burp Suite Community Edition

An excellent tool to find flaws in websites and modify requests.

  2. Wireshark

Useful to analyse exchanges on your network and see live how TCP and other protocols work.

  3. Metasploit

To provide payloads and gain solid pentesting access.

  4. Pentesting tools: Nmap, Hydra, John The Ripper

Enumerating ports with Nmap, brute-forcing with Hydra, password cracking with John The Ripper and more.

I also completed some CTF rooms that gave me some experience in conducting a pentesting attack.

To find more about what I did, you can check my profile on TryHackMe here.

PortSwigger

As I went to download Burp Suite, I found these incredible resources from its creators: https://portswigger.net/web-security/all-topics.

There are a lot of labs and learning materials covering everything related to web attacks, such as SQL injection, cross-site scripting (XSS) or file upload vulnerabilities.
I only did part of the SQL injection and XSS sections, but I will definitely check this website out to learn more about web security.

OWASP Top 10 and OWASP Juice Shop

While I was learning about web attacks on TryHackMe, there was a specific section about OWASP Top 10 attacks.

To practice them, OWASP made a web application full of flaws that you can install locally on your computer to test your knowledge of these web-based attacks. You can find it on their GitHub: https://github.com/juice-shop/juice-shop.

I installed it and started to practice these attacks on the application's smaller flaws.

There is also a hidden leaderboard that lists every flaw of the application, sorted by level of difficulty. I completed all the challenges of levels 1 and 2, and attempted some level 3 challenges, but I found myself still lacking some knowledge.

I would highly recommend OWASP Juice Shop to anyone who wants to practice web security and already has some intermediate knowledge, for example from the PortSwigger website.

What's next?

As I started to gather knowledge about some kinds of attacks, I now need more experience in the field. So, I'm looking forward to doing more CTFs on TryHackMe and trying to complete every difficulty level.

To continue my learning path, I am considering three major roads:

For now, I'm mostly interested in becoming an ethical pentester, but the sector is broad and I might be interested in another cybersecurity-related job in the future.

Let's keep in touch!

Tell me about your impressions and recommendations!