When I started, back in 2016, there weren’t many resources available: few to no CTF (Capture the Flag) platforms and only a few outdated courses that didn’t help much (aside from those crappy websites that didn’t teach anything). Nowadays it’s the exact opposite: there are many places you can go to acquire this famous “illegal” knowledge, and no, it’s nothing like the movies.
If you are serious about becoming a hacker, you should know that prior knowledge of the internet and networking will go a long way. Knowing anything about web development, or any programming language for that matter, will also help a lot. If you don’t have any of that you can still follow along; it’s just going to take more time and effort.
From all these years researching I’ve come across many candidates to be included in this very article, but only a few of them are actually worth your time. Here are some of the best resources available on how and where to start your journey.
Where to Start
Learning can be hard and surely takes time, but with the info below you can get from zero to hero in no time. I wish this content had existed back when I started; it would’ve been so much easier to learn. But enough complaining, let’s start.
Hacker101 is the best place for you to get started with InfoSec. Hacker101 is a somewhat new website made by the HackerOne team that provides a handful of basic courses on common attacks, with both written and video lessons. You don’t need a VM (Virtual Machine) or anything like that in order to complete the courses, which is great for beginners.
Hacker101 also hosts its own CTF so you can test your skills; all you need to do is sign up to the platform. You can view the lessons without an account, though.
I recommend starting from this page here.
HackTheBox’s Starting Point
HackTheBox is the top CTF/hacking platform at the moment, with more than 300K users and growing. There are lots of things you can do with the free plan, and new content arrives constantly, like a new box and challenge every week, which is awesome. But more on that later.
Now that you have acquired some basic knowledge, you probably want something more exciting. If so, HackTheBox’s Starting Point is the right place for you. It consists of a series of CTF boxes where you have to hunt down both user and root flags in order to own the box. This particular section of their site is designed for newbies and contains a couple of boxes with slightly more advanced attack vectors (when compared to Hacker101), with follow-along writeups so you don’t get stuck.
This specific “game” doesn’t award any points on the platform but once you are done with them you can move to the real deal, which we will cover later in this article.
Starting Point does require a VM; check the next section for help choosing the right one for you.
In order to access the platform you must “hack yourself in”, so to speak. To do that, head over to this page and find a way to register.
After getting in you should be able to see the “Starting Point” section in the sidebar menu, click that to start your journey.
PortSwigger’s Web Security Academy
Web Security Academy is another cool website that aims to provide web security resources and labs for you to practice on. You can read about many different attack vectors and exploit them in a CTF-ish environment. Everything is free, but do note that they will push Burp down your throat since you are not paying for anything.
And last but not least, Cybrary, a huge library of curated content made specifically for the IT and IS departments. There you can learn by following lots of different courses for free; the only caveat is that the labs are paid.
I’d recommend watching the advanced hacking topics right off the bat.
The Next Step
After doing some research you might find yourself thinking about investing more time into hacking. At this point you should probably consider using a VM. There are a lot of options available, but for the sake of the article I’ll include two of the best in my opinion.
But first, why a VM? Simple: security and organization. Although doing CTFs usually doesn’t require you to “hide”, since you are not doing anything illegal, you could potentially be targeted by malicious users, with unpredictable outcomes. Having a VM will make sure the attacker won’t reach your host OS, while also helping separate your hacking environment (which does get bloated after a while) from your host operating system.
You will need virtualization software in order to open a VM image. I personally recommend using VirtualBox, as it’s a respectable open source project with decent performance and usability.
Kali Linux is an open source Debian-based distro created by Offensive Security, with lots of tools and decent performance. I have used many VMs in the past and this is one of the best, as it includes pretty much everything you are going to need and more. The new interface makes it even easier to use, which is great.
You can download Kali from the official source here. Make sure to download the right image for your architecture: if you have an x64 processor, do not download an x86 image.
Arch Linux is not a hacking distro by itself, but if you have some basic Linux skills you can turn it into a fully-fledged hacking workstation by making small additions to the distro, such as adding a hacking repository, a user interface and more.
An in-depth guide for creating your very own custom Arch will come out soon, stay tuned.
Great, now that you have some skills it’s time to get into the real deal: CTFs. That’s what everybody is doing right now. The upside of playing this game is that you get a ton of experience from it. For that there are a few places you can go; check the list below.
The one you are probably familiar with by now. After doing the Starting Point section you should move to the “Active” machines; anything you own there will give you points and rank you in the global and per-country charts. Start with the easier machines first though, as the hard ones can be really on point.
Another cool platform I found out about a couple of days ago: lots of rooms, nice concept, but mostly for newbies. You should probably take a look if you just want to learn in a CTF-like environment. Most of the good stuff found on this site requires a “subscription”, which is a turn-off in my opinion. Anyway, feel free to check them out here.
Don’t want to compete with anyone but yourself? Then Vulnhub is for you! You can find lots of VMs to download and use locally; just keep in mind that the quality of the boxes is much lower when compared to HackTheBox’s.
Want to use your skills and get some cash while wearing your shiny white hat? No problem, I’ve got you covered!
Bug bounty is one of many ways to get some income using your skills for good. Many companies need users to report vulnerabilities in their products in order to improve security, and that’s where you come in. There are two main sites that you should look out for; you can find them below.
Bugcrowd is probably the leading crowdsourced cybersecurity platform at the moment. You can find many major companies using the platform, like Unilever, Mastercard, Pinterest and many more. To get started you must create an account and join a program; for more info on how everything works, check their site.
HackerOne is my second option when it comes to bug bounties. It’s also trusted by many big companies and has a lot of programs for you to work with. Not all submissions get rewarded with money, though.
If you’ve made it this far, congrats, you are a pro now. Wondering what else to do? Take a look at the OSCP exam, you can get a shiny certificate that will most likely open doors for you professionally.
I would like to thank my friend Dark0 for a few additional resources, so, thanks.
Cya next time and thanks for reading!