Has a 200 Day Streak on tryhackme.com turned me into a master hacker?
No,
Though I am proud of the progress I have made.
I admit that I have been bitten by the security bug. Given the amount of time I have spent over the last few months reading CVEs, waiting for gobuster to find something at 2am, finding my thoughts drifting to possible exploits instead of falling asleep… I would still say that I have barely scratched the surface of the field. I should acknowledge that I am still on a free account and have been splitting my time between looking for a job, studying for more traditional IT certifications, and spending time with my family. I know of people who in this amount of time have turned themselves into security professionals, but from what they have written they were putting far more time into learning pentesting - certainly more than my ‘not quite a room a day’. I did not approach cyber-security as a vocation or possible career; it just seemed like an important field to know a bit about as I started in network administration. While I have noticed a certain obsessiveness creeping into my approach to ‘rooting’ challenge boxes, and my reading of ‘Data Structures and Algorithmic Thinking with Python’ has slowed in favor of working through ‘Black Hat Python’, I still tell myself that it is a leisure-time activity.
Background
I started with tryhackme for their Advent of Cyber event at the end of last year. I had just completed the CCNA and was starting my (still ongoing) job search. While I have the same basic knowledge of security that most people who have some experience with IT develop, I felt it was an area that I should put a bit more time into. The event was a lot of fun, I learned a few things, got the nice overview of terms and topics I was looking for, and then went back to studying networking, Python, and server administration. Little did I know that this first taste was going to pull me back in and turn into an entire second set of topics to study.
My next step down the path to CTFs and boring my wife with trying to explain stack canaries came in the form of deciding to test my Linux skills through Over The Wire. After completing Bandit, I wanted to keep going. While trying to learn a bit about web security to take on the Natas game I ended up back on TryHackMe, and fairly quickly I found that trying to hack became my ‘just a few more minutes and I will try and get some sleep’ activity. By the time March rolled around I decided to try my hand at the Cyber Apocalypse event hosted by a different cyber-security learning platform, Hack The Box, and discovered that I enjoyed trying to reverse engineer and exploit binaries. At some point I crossed into being ranked in the top 1% of users of tryhackme and decided that I had spent enough time on the free portion of the site to write this review.
Despite all of this I am still not chasing after a specialized ‘hacking’ or ‘cyber’ career. For one thing, I want to start getting experience in IT (and a paycheck) as soon as possible. With a CCNA, basic coding and Linux skills, plus what I have picked up from books and platforms like TryHackMe, it would take time to get to the point where I could pass a certification like the OSCP or Pentest+. Hopefully the path to a helpdesk analyst or network admin role is going to be shorter. Once I have some experience, though, I could see myself choosing to get a CCNP Security, or even trying to find out if NetDevSecOps is a good career path.
Gamified learning
So what actually is TryHackMe? It is a gamified cyber-security learning platform where you get points for answering questions about the material you have just studied; it also includes ‘challenge rooms’ where you try to find a way to get into an intentionally vulnerable computer and escalate to administrative privileges. There are also other activities, leaderboards for the competitive, and learning paths that include a series of lessons and activities that fit together as preparation for certifications or that focus on similar skills. Some of the activities and rooms require a (quite reasonably priced) monthly subscription, though I will need to wait on those until I am back in the workforce. Compared to Hack The Box (the only other platform I have tried) Try Hack Me seems to be more ‘beginner friendly’ and certainly has less focus on competition.
I should also mention that for most subjects I prefer learning skills from books over more ‘gamified’ platforms. As an example - for learning the basics of web development (HTML, CSS, JS) I got more out of the readings and projects approach of The Odin Project than I did from the basic curriculum on Free Code Camp. As with most skill-building online exercises, the material on Try Hack Me, on its own, is not enough to learn the topic. Luckily most of the walkthrough rooms include links to more information on the topic, and often include questions that require you to do some research off-site to answer. The learning paths include introductory modules that stress the importance of developing research ability and the initiative to chase down information.
Who would I recommend the platform to
If you are looking for an easy one-stop shop to learn to be a ‘hacker’, red-teamer, pentester, whatever… there is no such thing. I also don’t get the feeling that completing learning paths on try hack me is a substitute for studying for and getting an industry-recognized certification. I will also say that while I have not encountered many ‘bad’ rooms, the amount of knowledge I have managed to pick up just from the room has varied a lot. What the platform is great for is getting a survey of the field with the free activities, and if you do catch a case of the security bug, it provides a low-cost way of developing the interest while holding your hand and keeping you motivated until you are hooked.
Certainly if you are considering cyber-security as a career, and you want some exposure to the jargon and the technologies involved, this may be a more interesting way to get that exposure than an intro to cyber-security book. Signing up for an account might also be a good way to get some hands-on practice if you are in a more theoretical program. I also think that it is a fun way for an IT professional to get some exposure to some of the topics related to cyber-security. Though if you are trying to advance your career by adding coursework in information security or want to learn server hardening and best practices with regard to keeping your users secure, there are probably better ways to learn those skills.
I would also recommend not taking advantage of the write-ups until after you have rooted a box. There are several challenge rooms that I have made progress on, even managed to get a user flag, that I realized were above my skill level. While it would be a relief to not have them show up in my list of joined rooms, I also know that having them there as a reminder of areas where I need to study more (like Windows/AD privilege escalation) benefits me more than reading a walkthrough that I can follow, but not understand.
Paid vs Free
If you just want to play around and see what the site offers, the free option is great. I would not recommend trying to seriously develop skills in cyber-security using just free options, and honestly the price of a subscription to Try Hack Me is very reasonable for the content you get. I fully intend to get a subscription as soon as I start working again. I also plan on getting to the point where I can put together a room or two on my own to give back to the community. Another benefit to having a subscription for anyone seriously studying a topic is that it encourages you to ‘get your money’s worth’.
Going forward
I plan to continue doing challenge boxes, and am starting to take on Hack The Box easy machines. The two areas on Try Hack Me where I want to focus are probably going to require that I put in time studying outside sources. The fact of the matter is that I have less experience with Windows servers and Active Directory than I do with Linux, and before I learn how to exploit an AD network I want to spend some time getting better at building one. I also intend to put more time into C and assembly language before trying to get serious about binary exploitation.