Seeking advice for structured learning

Hello and happy new year!

I am looking for some advice about how to structure my learning in this field and was hoping some people on here might be able to share some insights.

Some background…

I have pretty basic IT knowledge, most of which is self-taught and mainly covers networks. I can write simple Bash and Python scripts and can read code up to a point, but have no knowledge of web languages, which is proving to be the biggest obstacle to progression so far. My background is in audiovisual technology, so I have had a fair amount of experience with what you might call ‘hacking’ AV technology/systems in order to get them to work in unintended ways, but I am referring to hacking here as a way of thinking more than anything else.

I am in the fortunate position of having around 9 months in which I can dedicate a lot of time to learning new skills but I have realised that I need to employ a more structured approach instead of just having a go at various boxes and then getting demotivated once I hit a wall or go down a seemingly endless rabbit hole!

What I’ve done so far…

Managed to root 4 of the “easier” boxes on here (Bashed, Shocker, Mirai, Blue).
Completed overthewire.org’s Bandit and Leviathan labs (currently trying Natas & Narnia).
Signed up to some Cybrary courses (including Advanced pentesting with Georgia Weidman).
Signed up to a Codecademy Python course.
Got some books to work through: Hacking: The Art of Exploitation, The Hacker Playbook 2, Penetration Testing: A Hands-On Introduction to Hacking.

Where to go from here??

This is the big question! In what sort of order should I start to tackle all of this? Would enrolling on a course, i.e. Offsec PWK, be crazy at my current level? Do I need to be a competent coder or programmer before I even contemplate furthering my journey into infosec?
I should also say I much prefer the hands-on approach to learning in general.

Any ideas or advice would be most greatly appreciated!! :)

One last thing…

I see that there is a large Greek contingent on this site and as I am based in a large city in the North of Greece I was wondering if there is an ‘offline’ community where one might meet like minded people and learn/share skills?

Thanks a lot and sorry for the huge wall of text!

I’m interested as well!

Take everything you’re doing and take it one bite at a time. You already have a structure, just put it into practice with a schedule. It’s a massive field with no way of learning it all. You should read, practice, learn as much as possible. When you’re stuck, learn why and get unstuck, then move on. You don’t need much other than basic Linux command line skills to approach the PWK course because, despite what people say about the lab guide and videos not being very helpful, I always, and I mean always, was able to find an answer in the guide or videos when I was stuck in the PWK labs. So the training they offer should be enough to get through the labs with a lot of practice and dedication. They don’t spoon feed you ANYTHING like other books or courses will. You don’t need to be doing anything else other than what you’re doing now, in my opinion. You will figure out where your blind spots or weak points are as you go. The journey never ends, so where to start isn’t extremely important. Just start.

I agree with the above post, this is a massive field and most here didn’t have a structure for learning either. The way most of us learn is by running into a problem and then researching solutions to that problem. In most cases your searching for a solution to the problem SHOULD result in a better understanding of how whatever service/application/OS you are working on works and operates. Something I always do with my notes is add a lessons learned section, this should help with the above issue as well to help retain some knowledge.

Hi Joedev and Lowpriv,

Thanks very much for both of your helpful answers!

Joedev, what you said about not trying to learn it all and not doing anything other than doing what I am doing is really useful. I posted my question because I thought that my current approach lacked structure but your answer made me realise that keeping to a schedule and maintaining focus are the things that are going to help me most of all.
You are definitely right about the never ending journey! It can seem very daunting at times and so splitting things up into smaller ‘trips’ might help.

Lowpriv, that’s a really good idea about notes and a lessons learned section. I have been logging my progress but will make a point of collating all important information. It’s also nice to know that a lot of people are learning as they go along.

May I ask you both whether you think htb is perhaps too challenging for someone just starting out in this field? Did you guys have a lot of previous experience before joining? I read this forum post:

https://forum.hackthebox.eu/discussion/comment/2569/#Comment_2569

about the difference between CTF and pen-testing and s1lence made a great analogy comparing htb to a Sunday crossword for an English teacher. The implication obviously being that to tackle the majority of these challenges a person would need to have already gained some fairly substantial knowledge.

Would be interested to hear your thoughts if you have a spare moment.

Thanks again :)

I disagree with Sunday crossword for an English teacher, challenges/CTF are a good thing for pentesting, it forces you to think transversal and out of frame.

I don’t want to speak for @s1lence but I think I understand what s1lence means with the mention of crossword puzzles - these are not ALL going to be applicable in the real world but they are important to the creative thinking and other aspects of what pen-testing involves and therefore still worth your time to do them. I could be wrong about that interpretation? As far as if HTB is right for a beginner, I would say you have to start somewhere so might as well start here. I agree with what @ippsec has said about the boxes getting better and more difficult but it doesn’t mean you can’t chip away at them. They are ALL vulnerable after all. I like the boxes getting harder, it always pushes the boundary of my knowledge that much further inch by inch. There are enough boxes and lessons to keep you busy for a very long time. HTB, like the journey, is also never-ending in that new boxes and problems come about continuously. I wouldn’t worry about your approach as much as I would be worried about actually going at the machines. Sharpen your pencil with the books, videos and by asking questions, but use that pencil and get the experience of actually drawing to become better at drawing. So again - doesn’t matter what end you start at eating the elephant (hmm… maybe a bad analogy), just start biting and keep going. You ask what experience I had before HTB. I was working on the OSCP labs and cert. I fell in love with this work and needed more. HTB is the perfect arena to fill that need. As far as the level of difficulty of the boxes, it is going to always be different for everyone because of the background they have and not knowing what you don’t know. It is also what makes it a great way to learn. Someone with the OSCE may find a box you did in 4 hours a nightmare to complete in 5 days and vice versa. None of that matters, just learn and fill in the gaps as you go.

I don’t have a ton of previous experience but I have around a year and a half experience with pentesting and also doing CTFs. Pentesting is no longer my full time job just because of the environment I worked in, but I enjoy doing CTFs as a hobby. A lot of the things I have learned from CTFs (especially HTB) were directly applicable to my job when I was a pentester and also my current job. Plus doing CTFs is waaaaaay more fun than actual pentesting in my opinion, nobody wants to go on a 5 minute test where you telnet into a router with default creds, move from there to domain admin by passing the hash in an hour and then spend the next month and a half writing a report about it. Very rarely will you encounter a test that requires some insane level of knowledge like some of the HTB boxes do, which is what makes it so much more fun. The challenges presented here on this site are a way for us to constantly expand our knowledge and hone our skills.

Hi, sorry for the delayed response, I was away for a while. Thank you all for your replies which have been really insightful as well as helping me to understand on what to focus :)

If anybody else is just starting out (and even for those that have more experience) I found this blog: Offensive Security’s PWK & OSCP Review - Jack Hacks which provides some great links to learning resources and is very well written.

Thanks again and happy hacking!