My Hacking Journey Part 3: NPC to Security Researcher with a simple 3 Stage Process
Hello, and welcome to this last part of the blog!
In this blog post, I will be sharing my approach to learning VAPT, bug bounty hunting, and playing CTFs, “The 3-Stage Process”, and I hope it will be useful to you as well when starting your hacking journey. So, without further ado, let’s swiftly plunge into this 3-stage process and have some fun!
Before we jump into this 3-stage process, I must emphasize that ethical hacking is a delightfully individual journey. No cookie-cutter solutions here, folks! What works wonders for someone may not tickle your fancy in the same way. Nevertheless, fear not, for I’ve concocted a beginner-friendly process that has tickled my funny bone and is still proving fruitful. So grab yourself a steaming cup of coffee, get comfy as a cat on a fluffy pillow, and let’s embark on this wild adventure of Web/API Hacking (i.e. Application Hacking) together!
Stage 1: Mundane but Vitalicious! — (Zero Level)
Welcome, my dear comrades, to the wondrous realm of Stage 1! Here, our paramount mission is to fortify the very foundations of our epic journey. Together, we shall delve into the captivating world of networking, unravel the mysterious inner workings of the web, and grasp the basic principles of security. Picture client-server communication, the enchanting realms of CIA (Confidentiality, Integrity, Availability), the lively dance of TCP and UDP, and the mesmerizing art of encryption and decryption. Fear not, for our quest for knowledge knows no bounds! Whether through the realms of free online courses or the treasures of paid options, from the profound tomes of enlightening books to the mind-bending exercises that shall tickle your brain cells, we shall conquer this stage.
To ease your path, I present to you a delightful compendium of 9 steps, expertly crafted to simplify your journey.
So ready yourselves, brave souls, for an adventure that combines seriousness with a dash of playful mischief, and embark on an experience like no other!
Step1:
1. Learn all about Computer fundamentals & their working
2. Understand how Operating Systems (like Linux, Windows, & Mac) operate & also learn how to operate Kali Linux / Ubuntu / Parrot.
Resource:
1. https://www.youtube.com/watch?v=q7tlgZg4Q1o&list=PLWKjhJtqVAbmfoj2Th9fvxhHIeqFO7wOy (All about Computer Science)
2. https://youtu.be/8mAITcNt710 (Harvard CS50 — Full Computer Science University Course)
3. https://www.youtube.com/@freecodecamp/playlists (freecodecamp)
4. https://www.youtube.com/@noobsanetworkchuckpodcast3009/videos
5. https://www.youtube.com/@davidbombal/playlists
6. https://www.youtube.com/watch?v=AnwgxRtWXLI&list=PLhfrWIlLOoKMe1Ue0IdeULQvEgCgQ3a1B
Books:
1. Operating Systems, 9e Paperback — by William Stallings
2. https://nostarch.com/linuxbasicsforhackers
Tools:
1. Kali Linux — https://www.kali.org/downloads/
2. Ubuntu — https://ubuntu.com/download/desktop
3. Parrot — https://www.parrotsec.org/download/
Step2:
Learn all about Network Fundamentals and hypervisors
Resource:
1. https://www.youtube.com/watch?v=4Kho3Eeyx1U&list=PLLKT__MCUeiyUKmYaakznsZeU4lZYwt_j
2. https://youtu.be/qiQR5rTSshw
3. https://www.youtube.com/@PracticalNetworking
Blogs:
1. https://www.vmware.com/topics/glossary/content/hypervisor.html
Books:
1. Computer Networks (AICTE Recommended, Pearson, Paperback), by Tanenbaum
Tools:
1. https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_workstation_player/17_0 (VMware)
2. https://www.virtualbox.org/wiki/Downloads (VirtualBox)
Step3:
Learn Cryptography basics like encryption, decryption, encoding, decoding, hashing, etc.
Books:
1. Cryptography and Network Security | 4th Edition Paperback — by Atul Kahate
2. https://nostarch.com/seriouscrypto
Tools:
1. https://gchq.github.io/CyberChef/ (CyberChef, the best tool to practice with and to use in real life)
Step4: (Very Important Must Do)
1. First Complete The Complete 2023 Web Development Bootcamp by Dr. Angela Yu on Udemy
Resource:
1. https://www.udemy.com/course/the-complete-web-development-bootcamp/
2. Then Do Intro to Bug Bounty Hunting and Web Application Hacking by NahamSec (Behrouz Sadeghipour) on Udemy
Resource:
2. https://www.udemy.com/course/intro-to-bug-bounty-by-nahamsec/
Step5:
Learn about HTTP Basics, REST, and DNS
Resource:
1. https://www.freecodecamp.org/news/http-and-everything-you-need-to-know-about-it/ (Freecodecamp)
2. https://portswigger.net/burp/documentation/desktop/http2/http2-basics-for-burp-users (portswigger)
3. http://www.steves-internet-guide.com/dns-guide-beginners/
4. https://rapidapi.com/learn/rest
Step6:
Learn all about Recon
Resource:
1. PentesterLab (free exercises): https://www.pentesterlab.com/badges/recon
2. NahamSec’s Twitch (All about Recon): https://www.twitch.tv/nahamsec
3. What Should You Do After Recon?! https://youtu.be/A6zQV9e2S1M
Step7:
1. Learn about JavaScript and Bash Scripting
Resource: Codecademy
2. Learn any one programming language (choose any one that you are comfortable with… for me, I chose Python)
Languages: C, C#, C++, Java, Python, Rust, Go (not all are needed as a beginner… you just need to start with any one to make your hacking journey easy… but this is also optional for complete beginners, as hacking is just about viewing things differently).
Resource:
1. https://www.youtube.com/@freecodecamp/playlists (Freecodecamp)
2. https://vickieli.dev/bash%20scripting/bash-intro/
3. Practice on HackerRank and LeetCode
Step8:
Learn all about databases (MySQL and NoSQL)
MySQL (a relational database queried with SQL) and NoSQL databases each have query languages that let you interact with the data an application stores.
Resource:
Lots of YouTube videos for theory and HackerRank problems for practice
Step9:
Join a few infosec communities to get the best guidance and follow Cybersec content creators on Instagram, Twitter & YouTube
Infosec Content Creators/Community:
1. Twitter: CybersecurityMeg, nahamsec, rana__khalil, InsiderPhD, _JohnHammond, PhillipWylie, huskyhacks, jhaddix, STOKfredrik, alh4zr3d3, Tib3rius, FarahHawa, snyff, corgi, hAPI_hacker, thecybermentor, vickieli7
2. YouTube: @TCMSecurityAcademy, @NahamSec, @RanaKhalil101, @InsiderPhD, @_JohnHammond, @PhillipWylie, @huskyhacks, @jhaddix, @STOKfredrik, @alh4zr3d3, @Tib3rius, @FarahHawa, @CybersecurityMeg, @VickieLiDev, @davidbombal
3. Discord: HTB, HackerOne, TryHackMe, TCM Security, Red Team Village, CSI Linux, NahamSec’s Discord channel, John Hammond’s Discord channel.
Bonus Step
(But very very important compared to any of the above steps)
Take care of yourself and your mental health
This step, my dear friends, may not steal the spotlight or win any popularity contests compared to its fellow steps. However, let me assure you that it possesses a very high level of importance that surpasses them all! It’s like the unsung hero, quietly working behind the scenes, diligently laying the foundation for our grand adventure. So everyone please take care of your mental health while embarking on this journey.
Stage 2: Embrace the Hacktastic! (Complete Beginners Level)
Welcome, my dear comrades, to the realm of hands-on experience! In this glorious stage, we shall embark on a thrilling journey, starting with the sacred art of honing our skills on intentionally vulnerable virtual machines, like those bestowed upon us by the gracious VulnHub. Once we’ve feasted upon these virtual delights, we shall progress to real-world scenarios, where Bug Bounty programs such as HackerOne and Bugcrowd shall be our battlefields. This stage is all about embracing the trials, errors, and triumphs, for in them lie the seeds of practical wisdom. And lo and behold, I have graciously divided this Hacktastic Stage 2 into 9 simple steps, allowing us to venture forth with confidence and a mischievous grin!
Step1 (Optional, but a must for those who love to code):
Practice the language you learned earlier on HackerRank, LeetCode, or any other coding platform
Resource: Practice on HackerRank and LeetCode
Step2 (Only for those who want to build a strong logical understanding):
Start learning DSA and practice it on LeetCode daily
Resource: Learn from YouTube and practice on HackerRank and LeetCode
Step3:
Learn how to use Burp Suite and Nmap
Resource:
1. Burp setup — https://youtu.be/wNqaLalaNE0 (12:23 min)
2. burp basics — https://youtu.be/G3hpAeoZ4ek
3. https://youtu.be/Ezs19sj04DU
4. Nmap basics 1 — https://youtu.be/x4AE5yOF9pE
5. Nmap basics 2 — https://youtu.be/80vIin4xGp8
6. Nmap basics 3 — https://youtu.be/4t4kBkMsDbQ
7. https://youtu.be/qsA8zREbt6g (Bonus video source)
Step4:
Learn How to use Postman API
Resource:
1. https://learning.postman.com/docs/introduction/overview/
Step5:
Enroll in Portswigger Academy to learn and test your Web Application Security skills.
Resource:
1. https://portswigger.net/web-security
2. https://www.youtube.com/@RanaKhalil101
Books:
1. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws 2nd Edition by Dafydd Stuttard (Author), Marcus Pinto (Author)
Step6:
Enroll in APIsec University to learn all about API Security.
Resource:
1. https://www.apisecuniversity.com/
Books:
1. Hacking APIs | Breaking Web Application Programming Interfaces by Corey Ball (https://nostarch.com/hacking-apis)
Step7:
Learn OWASP Top 10 Vulnerabilities in depth
Resource:
1. https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
2. https://owasp.org/www-project-top-ten/
Step8:
Read These Top 2 Books to understand real-life scenarios
Resource:
1. https://nostarch.com/bug-bounty-bootcamp
2. https://nostarch.com/bughunting
Step9 Choose your path:
VAPT | Bug-Bounty | CTF | Pentesting
Resource:
1. https://medium.com/swlh/how-to-get-into-bug-bounties-383266799832
2. https://codingo.com/posts/2021-04-04-bug-classes-starting-out/
3. https://codingo.com/posts/2021-07-18-bounties-for-a-living/
4. https://vickieli.dev/hacking/intro-ctf/
5. https://www.youtube.com/watch?v=anfA2WSihHA
6. https://youtu.be/Zfz3ZN2dTDM
7. https://owasp.org/www-pdf-archive/Getting_Started_with_Bug_Bounty..pdf
Step10 (Optional):
Get ISC2 CC certification (Free) or CEH theory/practical certification (paid).
In my humble opinion, it might be wise to consider conserving your funds for obtaining other essential certifications like eJPT & OSCP. Now, I don’t mean to be a penny-pinching pundit, but allocating those resources strategically could open doors to even greater achievements. Think of it as an investment in your certification portfolio, like a financial wizard navigating the realm of knowledge. However, let’s not forget to keep a smile on our faces as we weigh our options, for a little humor can lighten the weightiest of decisions!
Stage 3: The Grand Finale! (Intermediate Level)
Behold, my esteemed comrades, the grand finale awaits us in Stage 3! Here, we shall ascend to new heights of specialization and forge meaningful connections in the realm of security. With our solid foundation and seasoned hands-on experience, the time has come to embark on the path of expertise, honing our skills in web application security, network security, or other captivating realms. This voyage of specialization calls for further training and certifications like the legendary OSCP or OSCE, where we shall unlock the secrets of our chosen domain. But let us not forget the power of networking! By intertwining our destinies with fellow professionals, we shall share knowledge, wisdom, and tales of triumph. And fear not, for I have thoughtfully carved out this Stage 3 into eleven simple steps, guiding us with grace and a sprinkle of humor through this climactic adventure!
Step1:
Enroll in PentesterLab and THM to brush up your hacking skills.
After completing PentesterLab and THM, enrolling in TCM Security and The Taggart Institute is completely optional and up to you if you want to learn more, but it is not recommended if you are already confident enough to start your hacking journey.
Resource:
1. https://www.pentesterlab.com/
2. https://tryhackme.com/
3. https://academy.tcm-sec.com/courses
4. https://taggartinstitute.org/courses
5. https://www.youtube.com/watch?v=etP1hgJXijw
Step3:
Enroll in Root-Me to practice CTF
Resource:
1. https://www.root-me.org/fr/Challenges/
Step4:
Enroll in HTB to practice CTF and prepare for OSCP
Resource:
1. https://www.hackthebox.com/
Step5 (Optional):
Get yourself PNPT certified
Resource:
1. https://certifications.tcm-sec.com/
Step6:
Learn all about Network and Network Security from INE
Resource:
1. https://ine.com/
Step7 (Optional):
Get yourself eJPT certified
Resource:
1. https://ine.com/learning/certifications/internal/elearnsecurity-certified-professional-penetration-tester
Step8:
Get yourself OSCP certified
Resource:
1. https://www.offsec.com/courses/pen-200/
Step9:
Contribute back to the cybersecurity community via social media platforms and training platforms.
Resource:
1. https://twitter.com/hacker_content
2. Twitter
3. YouTube
4. Make labs for others to practice on THM, etc.
Bonus Step:
Complete other certifications as needed and keep your insatiable thirst for knowledge alive, for the realm of cybersecurity is ever-evolving.
Bonus Resource — Blogs and Articles:
- Hacking Articles: https://www.hackingarticles.in/
- Vickie Li Blogs: https://vickieli.dev/
- Bugcrowd Blogs: https://www.bugcrowd.com/blog/
- Intigriti Blogs: https://blog.intigriti.com/
- Portswigger Blogs: https://portswigger.net/blog
Bonus Resource — Writeups:
- Infosec Writeups: https://infosecwriteups.com/
- Hackerone Hacktivity: https://hackerone.com/hacktivity
Bonus Tip:
Once you are confident enough, create your own style.
In summary, venturing into the realm of Pentesting, VAPT, and Bug Bounty hunting demands unwavering commitment, boundless patience, persistence, and an insatiable appetite for constant learning. By embarking on this delightful 3-stage odyssey, you shall fortify your foundations, revel in thrilling hands-on experiences, and ultimately find your niche in the vast expanse of security expertise. So, my good friend, why tarry any longer? Let the hacking festivities commence without delay! Embrace the adventure that awaits and let the hacking games begin!