TryHackMe — Become a Hacker: Writeup/Walkthrough

Stephano G.
Nov 21, 2023


Comprehensive Writeup and Walkthrough of the ‘Become a Hacker’ room on TryHackMe, including answers, solutions, and comments. Access the room here.

The Contents of the Room:

  • Task 1: Let’s Hack — Part 1 of 2
  • Task 2: Let’s Hack — Part 2 of 2
  • Task 3: Is Hacking Thrilling Enough?
  • Task 4: Is It Worth It?
  • Task 5: How to Get There?

Task 1: Let’s Hack — Part 1 of 2

The initial task involves reconnaissance, achieved by discovering concealed directories on the website http://www.onlineshop.thm/.

First, run the following command for a list of directories associated with the website:

gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt

Upon executing the command, we observe a list of discovered directories hosted on the http://www.onlineshop.thm/ website. The most notable one in this case is the ‘login’ directory.

What is the name of the hidden web page you discovered?

Answer: login

Task 2: Let’s Hack — Part 2 of 2

“Admin” is a common username for administrative access to hosted services. We’ll use the Hydra brute-forcing tool with the ‘passlist.txt’ file to guess the admin account password via HTTP POST requests.

Run the following command:

hydra -l admin -P passlist.txt www.onlineshop.thm http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

After executing the command, failed login attempts are visible above, while a successful login attempt is found at the bottom, revealing the used password. Using ‘admin’ as the username and ‘qwerty’ as the password, we gain access and discover a secret message.

What is the secret message that you have discovered?

Answer: born_to_be_a_hacker
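
The two steps above (directory discovery with gobuster, then password guessing with Hydra) leave a recognisable pattern in the web server's access log. The following added example, which is not part of the original writeup or the room, flags both from the defender's side; the log layout, thresholds, IP addresses and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Yield (ip, time, method, path, status) for each well-formed line."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect(log_text, min_404_paths=5, min_login_posts=5, window=timedelta(seconds=60)):
    """Return {ip: set of finding names} for the two behaviours in the writeup."""
    missing = defaultdict(set)   # ip -> distinct paths answered with 404
    posts = defaultdict(list)    # ip -> times of POSTs to /login
    for ip, ts, method, path, status in parse(log_text):
        if status == 404:
            missing[ip].add(path)
        # Failures show up in the body ("incorrect"), not the status: count POSTs.
        if method == "POST" and path == "/login":
            posts[ip].append(ts)
    findings = defaultdict(set)
    for ip, paths in missing.items():
        if len(paths) >= min_404_paths:
            findings[ip].add("directory-enumeration")
    for ip, times in posts.items():
        t, n = sorted(times), min_login_posts
        # Sliding window: n attempts inside `window` counts as guessing.
        if any(t[i + n - 1] - t[i] <= window for i in range(len(t) - n + 1)):
            findings[ip].add("login-bruteforce")
    return dict(findings)

def sample_log():
    """Constructed log lines (combined-log-style prefix), not real traffic."""
    fmt = '{ip} - - [21/Nov/2023:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    rows = [fmt.format(ip="10.10.0.5", m=0, s=i, req=f"GET /{p}", st=404)
            for i, p in enumerate(["admin", "backup", "old", "test", "tmp", "dev"])]
    rows += [fmt.format(ip="10.10.0.5", m=1, s=i, req="POST /login", st=200)
             for i in range(8)]
    # An ordinary user: one mistyped URL and two logins ten minutes apart.
    rows += [fmt.format(ip="10.10.0.9", m=2, s=0, req="GET /lgoin", st=404),
             fmt.format(ip="10.10.0.9", m=2, s=5, req="POST /login", st=200),
             fmt.format(ip="10.10.0.9", m=12, s=5, req="POST /login", st=200)]
    return "\n".join(rows)

if __name__ == "__main__":
    print(detect(sample_log()))
```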

Task 3: Is Hacking Thrilling Enough?

TryHackMe offers a diverse range of cybersecurity domains organized into learning paths. These paths are curated to guide users in exploring specific cybersecurity areas, including penetration testing, cyber defense, web fundamentals, and more. Each learning path comprises modules dedicated to specific topics covered through interactive rooms.

What is a Learning Path at TryHackMe made up of?

Answer: Modules

TryHackMe features two types of rooms: walkthrough rooms and challenge rooms. Walkthrough rooms guide you through the content, while challenge rooms assess and reinforce your skills by testing your knowledge.

Task 4: Is It Worth It?

In the expansive field of cybersecurity, selecting a specialization can be challenging due to its diverse domains. Some of the most renowned and thrilling careers in cybersecurity include roles such as Red Team Engineer/Operator, Penetration Tester, and Vulnerability Assessor.

Red Team Engineers / Operators use a variety of tactics, techniques, and procedures to infiltrate IT systems. Doing so allows them to test the organization’s detection and response times.

A Penetration Tester is similar to a Red Team Engineer / Operator but differs in its objective. A Penetration Tester’s objective is to identify as many vulnerabilities as possible to expose weaknesses in an attempt to prevent security breaches.

Vulnerability Assessors identify vulnerabilities through vulnerability scanning tools. After identifying vulnerabilities, they work with IT teams to implement security patches, updates, firewall configurations, or security tools to mitigate threats.

Though it is a niche cybersecurity domain, I would recommend pursuing penetration testing if ethical hacking is your interest. Penetration testing exposes you to real-world hacking using the latest tools available. There will always be a demand for penetration testers, as attack vectors continue to expand with new technology. With technology trends like AI becoming increasingly powerful, penetration testers can help us identify and understand these attack vectors to prevent security breaches.

Task 5: How to Get There?

Stepping into cybersecurity and becoming an ethical hacker is no easy task. Cybersecurity is not an entry-level career and requires a firm understanding of IT fundamentals.

I recommend starting off in an IT help desk position for a year or two or until an opportunity presents itself. There’s a lot to gain from a help desk position, such as communication skills and some technical skills, both of which are essential in any cybersecurity domain. To enter the world of cybersecurity, a firm understanding of computer networking, programming, Windows, and Linux is essential.

While working, I recommend studying for an entry-level IT certificate like the CCNA. The CCNA is a highly respected IT certificate that gives you the fundamental networking knowledge to thrive in the IT and IT security industry.

After obtaining a firm understanding of Linux, Windows, and networking, pick a scripting and programming language to learn. Suggested scripting languages to learn include Bash and PowerShell while recommended programming languages include Python or Go. Additional languages may be required in the future depending on your cybersecurity domain.

Now that IT fundamentals are out of the way, we can finally step into cybersecurity. The next goal is either the CompTIA Security+ or CCNA Security certification. From here, the next certification depends on the cybersecurity domain you wish to specialize in.

When starting in cybersecurity, I suggest beginning in defensive security. In defensive security, you will gain knowledge of the latest defensive tools, security operations, documentation skills, and technical knowledge.

The key to a successful career in cybersecurity is persistence and a solid understanding of IT fundamentals. Technology is evolving with every passing day. Therefore, it’s crucial to keep up to date with trends as a cybersecurity professional. Cybersecurity tools and technologies change every day, but fundamentals will always remain the same. It’s important to note that cybersecurity covers many domains, such as data analysis, law enforcement, research, etc. While technical skills can help in these domains, they are not required.
