My Hacking Journey Part 3: NPC to Security Researcher with a simple 3 Stage Process


Hackergod00001


Hello, and welcome to this last part of the blog!

In this blog post, I will share my approach to learning VAPT, Bug Bounty hunting, and playing CTFs, “The 3-Stage Process”, and I hope it will be useful to you as you start your hacking journey. So, without further ado, let’s swiftly plunge into this 3-stage process and have some fun!

Before we jump into this 3-stage process, I must emphasize that ethical hacking is a delightfully individual journey. No cookie-cutter solutions here, folks! What works wonders for someone may not tickle your fancy in the same way. Nevertheless, fear not, for I’ve concocted a beginner-friendly process that has tickled my funny bone and is still proving fruitful. So grab yourself a steaming cup of coffee, get comfy as a cat on a fluffy pillow, and let’s embark on this wild adventure of Web/API Hacking (i.e. Application Hacking) together!


Stage 1: Mundane but Vitalicious! — (Zero Level)

Welcome, my dear comrades, to the wondrous realm of Stage 1! Here, our paramount mission is to fortify the very foundations of our epic journey. Together, we shall delve into the captivating world of networking, unravel the mysterious inner workings of the web, and grasp the basic principles of security. Picture client-server communication, the enchanting realms of CIA (Confidentiality, Integrity, Availability), the lively dance of TCP and UDP, and the mesmerizing art of encryption and decryption. Fear not, for our quest for knowledge knows no bounds! Whether through the realms of free online courses or the treasures of paid options, from the profound tomes of enlightening books to the mind-bending exercises that shall tickle your brain cells, we shall conquer this stage.

To ease your path, I present to you a delightful compendium of 9 steps, expertly crafted to simplify your journey.

So ready yourselves, brave souls, for an adventure that combines seriousness with a dash of playful mischief, and embark on an experience like no other!

Step1:

1. Learn all about Computer fundamentals & their working

2. Understand how Operating Systems (like Linux, Windows, & Mac) operate & also learn how to operate Kali Linux / Ubuntu / Parrot.

Resource:
1. https://www.youtube.com/watch?v=q7tlgZg4Q1o&list=PLWKjhJtqVAbmfoj2Th9fvxhHIeqFO7wOy (All about Computer Science)
2. https://youtu.be/8mAITcNt710 (Harvard CS50 — Full Computer Science University Course)
3. https://www.youtube.com/@freecodecamp/playlists (freecodecamp)
4. https://www.youtube.com/@noobsanetworkchuckpodcast3009/videos
5. https://www.youtube.com/@davidbombal/playlists
6. https://www.youtube.com/watch?v=AnwgxRtWXLI&list=PLhfrWIlLOoKMe1Ue0IdeULQvEgCgQ3a1B

Books:
1. Operating Systems, 9e Paperback — by William Stallings
2. https://nostarch.com/linuxbasicsforhackers

Tools:
1. Kali Linux — https://www.kali.org/downloads/
2. Ubuntu — https://ubuntu.com/download/desktop
3. Parrot — https://www.parrotsec.org/download/

Step2:

Learn all about Network Fundamentals and hypervisors

Resource:
1. https://www.youtube.com/watch?v=4Kho3Eeyx1U&list=PLLKT__MCUeiyUKmYaakznsZeU4lZYwt_j
2. https://youtu.be/qiQR5rTSshw
3. https://www.youtube.com/@PracticalNetworking

Blogs:
1. https://www.vmware.com/topics/glossary/content/hypervisor.html

Books:
1. AICTE Recommended| Computer Networks| By Pearson Paperback — by Tanenbaum

Tools:
1. https://customerconnect.vmware.com/en/downloads/info/slug/desktop_end_user_computing/vmware_workstation_player/17_0 (VMware)
2. https://www.virtualbox.org/wiki/Downloads (VirtualBox)

Step3:

Learn Cryptography basics like encryption, decryption, encoding, decoding, hashing, etc.

Books:
1. Cryptography and Network Security | 4th Edition Paperback — by Atul Kahate
2. https://nostarch.com/seriouscrypto

Tools:
1. https://gchq.github.io/CyberChef/ (Cyberchef best tool to practice and use in real life)

Step4: (Very Important Must Do)

1. First Complete The Complete 2023 Web Development Bootcamp by Dr. Angela Yu on Udemy

Resource:
1. https://www.udemy.com/course/the-complete-web-development-bootcamp/

2. Then Do Intro to Bug Bounty Hunting and Web Application Hacking by NahamSec (Behrouz Sadeghipour) on Udemy

Resource:
1. https://www.udemy.com/course/intro-to-bug-bounty-by-nahamsec/

Step5:

Learn about HTTP Basics, REST, and DNS

Resource:
1. https://www.freecodecamp.org/news/http-and-everything-you-need-to-know-about-it/ (Freecodecamp)
2. https://portswigger.net/burp/documentation/desktop/http2/http2-basics-for-burp-users (portswigger)
3. http://www.steves-internet-guide.com/dns-guide-beginners/
4. https://rapidapi.com/learn/rest

Step6:

Learn all about Recon

Resource:
1. PentesterLab (free exercises): https://www.pentesterlab.com/badges/recon
2. NahamSec’s Twitch (All about Recon): https://www.twitch.tv/nahamsec
3. What Should You Do After Recon?! https://youtu.be/A6zQV9e2S1M

Step7:

1. Learn about JavaScript and Bash Scripting

Resource: Codecademy

2. Learn any one programming language (choose any one that you are comfortable with; for me, I chose Python)

Languages: C, C#, C++, Java, Python, Rust, Go (not all are needed as a beginner; you just need to start with any one to make your hacking journey easier. This is also optional for complete beginners, as hacking is just about viewing things differently.)

Resource:
1. https://www.youtube.com/@freecodecamp/playlists (Freecodecamp)
2. https://vickieli.dev/bash%20scripting/bash-intro/
3. Practice on HackerRank and LeetCode

Step8:

Learn all about Database (MySQL and NoSQL)

MySQL (a relational database queried with SQL) and NoSQL databases each provide a query interface for interacting with databases (i.e. with the stored data).

Resource:
Lots of YouTube videos for theory and HackerRank problems for practice

Step9:

Join a few infosec communities to get the best guidance and follow Cybersec content creators on Instagram, Twitter & YouTube

Infosec Content Creators/Community:
1. Twitter:
CybersecurityMeg, nahamsec, rana__khalil, InsiderPhD, _JohnHammond, PhillipWylie, huskyhacks, jhaddix, STOKfredrik, alh4zr3d3, Tib3rius, FarahHawa, snyff, corgi, hAPI_hacker, thecybermentor, vickieli7
2. Youtube:
@TCMSecurityAcademy, @NahamSec, @RanaKhalil101, @InsiderPhD, @_JohnHammond, @PhillipWylie, @huskyhacks, @jhaddix, @STOKfredrik, @alh4zr3d3, @Tib3rius, @FarahHawa, @CybersecurityMeg, @VickieLiDev, @davidbombal
3. Discord:
HTB, HackerOne, TryHackMe, TCMsecurity, redteamvillage, CSI Linux, NahamSec’s Discord channel, John Hammond’s Discord channel.

Bonus Step

(But very very important compared to any of the above steps)

Take care of yourself and your mental Health

This step, my dear friends, may not steal the spotlight or win any popularity contests compared to its fellow steps. However, let me assure you that it possesses a very high level of importance that surpasses them all! It’s like the unsung hero, quietly working behind the scenes, diligently laying the foundation for our grand adventure. So everyone please take care of your mental health while embarking on this journey.


Stage 2: Embrace the Hacktastic! (Complete Beginners Level)

Welcome, my dear comrades, to the realm of hands-on experience! In this glorious stage, we shall embark on a thrilling journey, starting with the sacred art of honing our skills on intentionally vulnerable virtual machines, like those bestowed upon us by the gracious VulnHub. Once we’ve feasted upon these virtual delights, we shall progress to real-world scenarios, where Bug Bounty programs such as HackerOne and Bugcrowd shall be our battlefields. This stage is all about embracing the trials, errors, and triumphs, for in them lie the seeds of practical wisdom. And lo and behold, I have graciously divided this Hacktastic Stage 2 into 9 simple steps, allowing us to venture forth with confidence and a mischievous grin!

Step1 (Optional, but a must for those who love to code):

Practice the language you learned earlier on HackerRank, LeetCode, or any other coding platform

Resource: Practice on HackerRank and LeetCode

Step2 (Only for those who want to build a strong logical understanding):

Start learning DSA and practice it on LeetCode daily

Resource: Learn from YouTube and practice on HackerRank and LeetCode

Step3:

Learn how to use Burp Suite and Nmap

Resource:
1. Burp setup — https://youtu.be/wNqaLalaNE0 (12:23 min)
2. Burp basics — https://youtu.be/G3hpAeoZ4ek
3. https://youtu.be/Ezs19sj04DU
4. Nmap basics 1 — https://youtu.be/x4AE5yOF9pE
5. Nmap basics 2 — https://youtu.be/80vIin4xGp8
6. Nmap basics 3 — https://youtu.be/4t4kBkMsDbQ
7. https://youtu.be/qsA8zREbt6g (Bonus video source)

Step4:

Learn How to use Postman API

Resource:
1. https://learning.postman.com/docs/introduction/overview/

Step5:

Enroll in Portswigger Academy to learn and test your Web Application Security skills.

Resource:
1. https://portswigger.net/web-security
2. https://www.youtube.com/@RanaKhalil101

Books:
1. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws 2nd Edition by Dafydd Stuttard (Author), Marcus Pinto (Author)

Step6:

Enroll in APIsec University to learn all about API Security.

Resource:
1. https://www.apisecuniversity.com/

Books:
1. Hacking APIs | Breaking Web Application Programming Interfaces by Corey Ball (https://nostarch.com/hacking-apis)

Step7:

Learn OWASP Top 10 Vulnerabilities in depth

Resource:
1. https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf
2. https://owasp.org/www-project-top-ten/

Step8:

Read These Top 2 Books to understand real-life scenarios

Resource:
1. https://nostarch.com/bug-bounty-bootcamp
2. https://nostarch.com/bughunting

Step9 Choose your path:

VAPT | Bug-Bounty | CTF | Pentesting

Resource:
1. https://medium.com/swlh/how-to-get-into-bug-bounties-383266799832
2. https://codingo.com/posts/2021-04-04-bug-classes-starting-out/
3. https://codingo.com/posts/2021-07-18-bounties-for-a-living/
4. https://vickieli.dev/hacking/intro-ctf/
5. https://www.youtube.com/watch?v=anfA2WSihHA
6. https://youtu.be/Zfz3ZN2dTDM
7. https://owasp.org/www-pdf-archive/Getting_Started_with_Bug_Bounty..pdf

Step10 (Optional):

Get ISC2 CC certification (Free) or CEH theory/practical certification (paid).

In my humble opinion, it might be wise to consider conserving your funds for obtaining other essential certifications like eJPT & OSCP. Now, I don’t mean to be a penny-pinching pundit, but allocating those resources strategically could open doors to even greater achievements. Think of it as an investment in your certification portfolio, like a financial wizard navigating the realm of knowledge. However, let’s not forget to keep a smile on our faces as we weigh our options, for a little humor can lighten the weightiest of decisions!

Stage 3: The Grand Finale! (Intermediate Level)

https://www.youtube.com/watch?v=etP1hgJXijw

Behold, my esteemed comrades, the grand finale awaits us in Stage 3! Here, we shall ascend to new heights of specialization and forge meaningful connections in the realm of security. With our solid foundation and seasoned hands-on experience, the time has come to embark on the path of expertise, honing our skills in web application security, network security, or other captivating realms. This voyage of specialization calls for further training and certifications like the legendary OSCP or OSCE, where we shall unlock the secrets of our chosen domain. But let us not forget the power of networking! By intertwining our destinies with fellow professionals, we shall share knowledge, wisdom, and tales of triumph. And fear not, for I have thoughtfully carved out this Stage 3 into eleven simple steps, guiding us with grace and a sprinkle of humor through this climactic adventure!

Step1:

Enroll in Pentesterlab and THM to brush up your hacking skills

After completing Pentesterlab and THM, enrolling in TCMSecurity and Taggartinstitute to learn more is completely optional and up to you, but it is not recommended if you are already confident enough to start your hacking journey.

Resource:
1. https://www.pentesterlab.com/
2. https://tryhackme.com/
3. https://academy.tcm-sec.com/courses
4. https://taggartinstitute.org/courses
5. https://www.youtube.com/watch?v=etP1hgJXijw

Step3:

Enroll in Rootme to practice CTF

Resource:
1. https://www.root-me.org/fr/Challenges/

Step4:

Enroll in HTB to practice CTF and prepare for OSCP

Resource:
1. https://www.hackthebox.com/

Step5 (Optional):

Get yourself PNPT certified

Resource:
1. https://certifications.tcm-sec.com/

Step6:

Learn all about Network and Network Security from INE

Resource:
1. https://ine.com/

Step7 (Optional):

Get yourself eJPT certified

Resource:
1. https://ine.com/learning/certifications/internal/elearnsecurity-certified-professional-penetration-tester

Step8:

Get yourself OSCP certified

Resource:
1. https://www.offsec.com/courses/pen-200/

Step9:

Contribute back to the cybersecurity community via social media platforms and training platforms.

Resource:
1. https://twitter.com/hacker_content
2. Twitter
3. YouTube
4. Make labs for others to practice on THM, etc.

Bonus Step:

Complete other certifications as needed and keep your insatiable thirst for knowledge alive, for the realm of cybersecurity is ever-evolving.

Bonus Resource — Blogs and Articles:

1. Hacking Articles: https://www.hackingarticles.in/
2. Vickie Li Blogs: https://vickieli.dev/
3. Bugcrowd Blogs: https://www.bugcrowd.com/blog/
4. Intigriti Blogs: https://blog.intigriti.com/
5. Portswigger Blogs: https://portswigger.net/blog

Bonus Resource — Writeups:

1. Infosec Writeups: https://infosecwriteups.com/
2. Hackerone Hacktivity: https://hackerone.com/hacktivity

Bonus Tip:

Once you are confident enough, create your own style.


In summary, venturing into the realm of Pentesting, VAPT, and Bug Bounty hunting demands unwavering commitment, boundless patience, persistence, and an insatiable appetite for constant learning. By embarking on this delightful 3-stage odyssey, you shall fortify your foundations, revel in thrilling hands-on experiences, and ultimately find your niche in the vast expanse of security expertise. So, my good friend, why tarry any longer? Let the hacking festivities commence without delay! Embrace the adventure that awaits and let the hacking games begin!
