Starting to Learn Cybersecurity
Learning cybersecurity is one of my top goals. To achieve it, I wanted to get ahead of my formal training by starting to learn and practise pentesting in a safe and legal environment. There are a lot of resources on the Internet, but here I will go through every website and tool that I tried and want to share as a good start in cybersecurity.
TryHackMe
TryHackMe was my very first step into the world of cybersecurity: https://tryhackme.com/.
On this website, I learned the knowledge needed to start properly, through the Complete Beginner path. It covers topics such as computer networks, web hacking fundamentals and Linux privilege escalation.
Tools learned
- Burp Suite Community Edition:
An excellent tool for finding flaws in websites and modifying requests.
- Wireshark:
Useful for analysing traffic on your network and watching live how TCP and other protocols work.
- Metasploit:
Provides payloads and a framework for gaining access during a pentest.
- Pentesting tools:
Enumerating ports with nmap, brute-forcing with Hydra, password cracking with John The Ripper and more.
I also completed some CTF rooms that gave me some experience in conducting a pentest from start to finish.
To find more about what I did, you can check my profile on TryHackMe here.
PortSwigger
While looking for where to download Burp Suite, I found these incredible resources from its creators: https://portswigger.net/web-security/all-topics.
There are a lot of labs and learning material covering everything related to web attacks, such as SQL injection, cross-site scripting (XSS) and file upload vulnerabilities.
I only went through part of the SQL injection and XSS sections, but I will definitely come back to this website to learn more about web security.
OWASP Top 10 and OWASP Juice Shop
While I was learning about web attacks on TryHackMe, there was a specific section about the OWASP Top 10 attacks.
To practise them, OWASP made a deliberately vulnerable web application that you can install locally on your computer to test your knowledge of these web-based attacks. You can find it on their GitHub: https://github.com/juice-shop/juice-shop.
I installed it and started practising these attacks on the application's smaller flaws.
There is also a hidden leaderboard that lists every flaw of the application, sorted by level of difficulty. I completed all the level 1 and 2 challenges and attempted some level 3 challenges, but found I was still lacking some knowledge.
I would highly recommend OWASP Juice Shop to anyone who wants to practise web security and already has some intermediate knowledge, for example from the PortSwigger website.
What's next?
As I started to gather knowledge about some kinds of attacks, I now need more hands-on experience in the field. So I'm looking forward to doing more CTFs on TryHackMe and trying to complete every difficulty level.
To continue my learning path, I am considering three main roads:
- Starting the free modules on HackTheBox Academy.
- Increasing my web exploitation skills by doing labs on PortSwigger.
- Aiming for the eJPT certification.
For now, I'm mostly interested in becoming an ethical pentester, but the sector is broad and I might be interested in another cybersecurity-related job in the future.