Introduction⌗

In this blog post, I will take you on my cybersecurity journey, which I have covered in the last two years, and then tell you what I am looking forward to in the future. I will share how and what I have learned so that you can use this as a road map. That said, at the end of the day, this is just what I did, and by no means is this the absolute path for everyone. I will also share what I would do differently if I started again.

My Background⌗

In 2014, at the age of 13, I found out about computer programming for the first time. In the beginning, I started learning HTML and CSS on CodeAcademy (I think). After that, I learned Python, an actual programming language. After completing some of my cousin’s old Python assignments from university, I bought a Udemy course on C++. Since I was planning to do my bachelor’s in Computer Science after my A Levels, I knew that learning C++ would give me an edge over others in the university. After learning C++, in 2018, I enrolled in a month-long Game Development course. Finally, in 2019 I got into a university as a CS major, and just when COVID hit in March 2020, I started learning MERN Stack Web development.

My Cybersec Journey⌗

I always wanted to learn to hack; it seemed very cool. The only problem was I didn’t know how to start learning; I didn’t even know what was involved in hacking. However, sometime just before COVID, I came across a brilliant episode of the podcast Darknet Diaries; it was about CTF competitions and how people learn how to hack practically by participating in them. After listening to the podcast, I further searched on YouTube and found several helpful videos by various content creators. In August 2020, I gave up learning web development, took a leap of faith, and finally started my cybersec journey.

My journey started with me creating an account on Tryhackme, which was praised by many people as a starting point for anyone who wants to learn to hack. The first room I tried was CTF collection Vol.1, which introduced me to some of the different types of CTF challenges. After completing 86% of the room, I decided to subscribe to Tryhackme’s monthly subscription and start the “Complete Beginner” pathway.

By December 2020, I was pretty familiar with the basics of cybersec, such as port scanning with Nmap, looking at HTTP requests with Burp, etc. When December started, I came across Tryhackme’s Advent of Cyber 2 event in which a challenge was released daily for the first 25 days of December, and I completed every one of them.

In January 2021, I was hooked to cybersec and wanted to make a career in it. So I started looking for a course on Ethical Hacking that taught everything: from the basics to Linux and Windows privilege escalation. After a lot of research, I decided to buy TheCyberMentor’s Hacker Bundle, which had three of his courses:

Practical Ethical Hacking
Windows Privilege Escalation for Beginners
Linux Privilege Escalation for Beginners

I enjoyed doing TCM’s courses since they heavily focused on practical application by including Hack The Box and Tryhackme boxes for each topic. I completed all three courses by September 2021. After completing the courses, I religiously started attacking retired Hack The Box machines. After completing a machine or whenever I got stuck, I watched The Great Ippsec’s video on the box.

Although I tried completing a box per week, this was not the case since, at the time, I was in my third year of university, known as the most challenging year. I had to juggle HTB boxes, my studies, and extra-curricular activities (I was part of a student-run society). On top of all these, I also had to deal with internet connectivity issues in my hostel. The ports used by OpenVPN were closed in my university’s network, which prevented me from connecting to HTB’s network. To solve the VPN problem, I had to use my mobile data. However, due to my university’s location, my mobile network had slow speeds, which caused a lot of lag in HTB machines. Despite all these difficulties, I still managed to pwn several boxes on HTB.

In December 2021, I bought three more courses from TCM Security Academy:

Practical Phising Assessments by Graham Helton (Completeted)
Mobile Application Penetration Testing by Aaron Wilson (Completed)
Practical Malware Analysis & Triage by Matt Kiely (Uncompleted)

As usual, I enjoyed doing the first two courses. However, I did not get a chance to finish the last one; after setting up the entire virtual lab for the course, I ended up postponing it. In March 2022, something else came on my plate after I attended a university career fair. There were around a hundred companies with their stalls set up in my university, but there was one stall that I really wanted to visit; that was the stall of one of the most prominent cybersecurity companies in Pakistan. I visited the stall, chatted with the representatives, and shared my CV with them; the representatives were impressed and told me to apply for a position via email. A couple of days after the career fair, I received an email from them that they wanted to offer me a position at the company.

Long story short, after setting up an interview, they offered me an internship position as a Trainee Security Engineer. I started in April 2022, and since the work was remote and my semester was still going on, I worked 23 hours per week till June. During this period, my lead asked me to work on my capacity-building, completing the following courses and labs and taking extensive notes:

About halfway through PortSwigger’s learning path, at the end of June 2022, my semester finally ended, and I moved from working part-time to working full-time; still online, though. As I shifted to full-time, the second half of my internship began. During this half, I conducted web application pentests for three different clients of the company. The internship ended in July 2022, and I was more than happy with my experience working in a real-world cybersec environment for the first time. I learned so much technically, but I also realised that this field is quite difficult and requires a lot of perseverance.

After the internship ended, I still had a month before my next semester. So I decided to give bug bounty a try. It took me a month to get started after watching countless videos. After changing my target three times, I finally decided on a VDP on HackerOne. I hacked on the target for about two weeks, found a CSRF on a website’s cart functionality and reported it. But to my disappointment, the program considered it out of scope. After that, I decided to put a hold on bug bounty. I realised that I was only repeating techniques I knew and wasn’t learning anything new; my semester was also about to start. But by the time I could come up with a new plan, my second last semester had started, and now, here I am, about two weeks into the semester.

What would I do starting all over again?⌗

Over the past two years, I have learned a lot! I was a beginner in cybersec; I did not even know what network ports were. But, now, it is safe to say that I can at least comprehend the basics of cybersec. Yet, after two years of continuous learning, it feels like I have only scratched the surface, which is true. I have tons more to learn and need to continue learning. But here’s what I would tell myself from two years ago:

Install Kali Linux VM straight away, don’t try to do CTF challenges on Windows or macOS. It is impossible as you’ll need a Linux distro sooner or later to run a specific tool.
Don’t try to cut corners, do everything one step at a time. Get the basics down. Buy Tryhackme’s subscription (if possible) and complete the “Complete Beginner” pathway.
Buy TCM’s Hacker Bundle (If possible) and complete it. If you can’t afford to buy the courses, keep an eye on TCM’s YouTube channel, as he regularly uploads material from his courses for free.
Buy HackTheBox’s VIP subscription, and start pwning retired machines. Watch Ippsec’s video for each machine you attempt.
Explore the cybersec field as much as possible since it is vast. Everyone has different preferences. I might like the offensive side, but you might have the soul of a defender; there is no right or wrong side here as long as you are making the world a better place.
Participate in CTF competitions; this is something I have only done at most four times, and I regret not doing it often. You can learn a lot from CTFs.
Finally, practice makes perfect! Keep practising, keep hustling.
The previous point is important, but there is something more important: taking care of yourself. Burnout is very real in this field and can happen much faster than in other fields, in my opinion. Taking a break for a couple of weeks or even months is essential if you don’t feel like hacking; no one will judge you.

Where am I going now?⌗

Ever since my semester started, I have kept pondering this question myself. Since this is my final year in undergrad, I need to decide what I want to do next in my life. Whatever plan I make, at the macro level, there are two main paths: either I go abroad for a Master’s degree in Cybersec, or I find myself a job. For the time being, I have decided not to go for a master’s just yet; instead, I will try to get the eJPT certification by December and apply for a job in March 2023. Of course, while studying for eJPT, I shall continue pwning machines on HackTheBox :)

Until Next Time…⌗

Thank you for reading this long post about my journey; I hope you enjoyed it. If you would like to connect with me or give me feedback, reach out to me on Twitter!