Hi homies, I hope you all are safe and doing your stuff constantly. Summer is up and we are increasing our speed :) I have so many plans to execute as well and let’s see what the future holds. If we talk about this read, this is NOT going to be a write-up on findings or anything like that.
So, what’s this article about? Well, as the heading clearly says, it is a blog on learning. Learning what? Well, in recent weeks, I have got so many messages on LinkedIn and Twitter regarding the learning process, i.e. what are the things I follow/use to learn new stuff and how do I keep myself updated. No more messages on this one! I am right here, demonstrating my learning paths and all the stuff I use to learn new things :) Kindly keep in mind that when I have mentioned “hacking”, it means web/mobile/network for me & this is not a HOW TO GET STARTED IN BOUNTIES either, since there are already many blogs on this topic. This is going to be a long read and I hope you stick till the end. Let’s get started.
Well, I can divide this in two parts, theory and practical work. I will try to make this as simple as possible so no one gets confused here. Reading about something and gaining sound knowledge & doing the same thing practically are two totally different things. So, we will discuss the theory part first and this is my personal view on learning things. You might have a different approach and I totally respect that!
In my initial days, what I did is I made a list of websites and books and everything which helps to keep you updated. Let me tell you I was not that active on twitter those days and I didn’t know about many awesome people who share tips/knowledge over there. So these are some of my picks and I still follow the same things:
Portswigger research papers and articles: If you want to learn some complex things and you are really having a hard time finding a resource for that, you must read the contents available here. There are so many amazing things to learn and I would say this will stay forever in my list.
Google hacking database: If you are interested in exploit development, papers and dorks, this might be the best place for you to explore things and learn them. You can see almost every exploit and papers on them. There are sections where you can find Google dorks, exploits of CVEs and demonstrated papers. Very well documented and curated list.
Infosec writeups on Medium: Most of us know this, but in case you don’t, they are the best infosec publication on Medium imo and you should definitely check this out. You will get writeups and blogs on almost every topic and this is the knowledge-sea for everyone. Blogs get published here on a regular basis and we can gain a lot of knowledge from here.
List of writeups (Pentester.land): You must include this thing in your daily learning stuff. They have almost every writeup published on the internet and just search for any vuln, you get a lot of results. There are so many, so many writeups here starting from 2014 and you can’t get over it!
Hacktricks: HackTricks has so many tips and tricks on different topics. It includes network pentesting, web app, linux and almost everything related to hacking. I have learnt many things from here and still learning. Such an awesome site:)
YesWeHack blogs: I have recently found it and this is super handy to learn some new stuff. They publish some really interesting articles and there is always so much to learn.
Intigriti Bug bytes: This is an awesome series from Intigriti and you can find almost everything that happened in a week. Whether it is a writeup, video or talk, they cover everything in this series. I would suggest this to everyone who wants to keep themselves updated.
These were some of the sites which I use to keep myself updated. You can follow the same and check if it helps you. There can surely be other resources which you know and I don’t. I will highly appreciate it if you mention them either in this blog or on Twitter DM.
Well, let’s discuss practicals. Let me tell you I am not talking about the bug bounty platforms, you can always do that. I will discuss some sites/labs which provide you a vulnerable environment and you can check your skills there. There are videos/writeups/solutions to solve them as well and there is nothing wrong if you solve a challenge after watching the video or reading the writeup, at least you are learning and we all are learners by dawn. Let’s move ahead and see some resources :)
Pentesterlab: I am sure almost every reader of this post will know this one. They are the BEST content providers for learning attack scenarios on Web/Android/source code review and many other things. Updated labs, real world bugs and what not! Just own a subscription and enjoy your learning. I still have a subscription and there is still so much to learn out there. I personally prefer to visit Pentesterlab if I get stuck somewhere while exploiting a particular bug. A must have subscription.
Portswigger Labs: In case you can’t own a Pentesterlab subscription, you can go for it. This one also has around 200 labs and you can learn so many things from here. I used to solve this in my initial days and they have added a lot of labs recently. There are many vulnerabilities included and a very awesome resource for everyone. This is specially for web as Portswigger is a web security academy.
Bugbountyhunter.com: I think Sean (zseano) should have come up with this idea earlier because I have never seen anything like this. So many real world scenarios and you have more than 100 vulnerabilities to find. What else do you need if you have a mentor like Zseano? An amazing guy with an amazing platform and if you have a subscription, you can get a ton of benefits from it :)
Hackthebox: I enjoy network pentesting and this is one of the best resources out there. So many things to learn and a favorite place of OSCP participants. Nowadays, they have track-based boxes and you can solve the track you enjoy the most. There is everything, literally everything included in this package. From binary exploitation to buffer overflows, you can always learn so many things.
CTFtime.org: If you enjoy CTFs, this is the best place I know for them. A ton of CTFs keep coming and you can participate in those for a skill check. I am not that much active in CTFs but I wish I had a team and I could do it on weekends. If you are interested, ping me on Twitter and we can build a team.
OWASP Juice Shop: The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. It is really fun to exploit them as you can set the difficulty level and check if you solve them. You will learn a lot of things from here for sure:)
OVAA (Oversecured Vulnerable Android App): OVAA is a vulnerable environment where you can try to find Android vulnerabilities. This is really cool and you learn a lot of attack scenarios for Android. Since there is a little bit less competition in mobile hacking, you can apply the things in real world and who knows you own a lucky day!
These were the practical places which I follow to learn new things and I am sure there would be many more and I don’t know about them. As mentioned earlier, you can let me know and I will add them here so that people could get the idea of those.
There are a few more things to mention here, some Slack channels and Reddit pages. Twitter is super handy and I would say the best place if you want to learn hacking related stuff. Here are some of the resources:
Collabwithdawgyg on Slack: This channel is created by Dawgyg and if you don’t know him, he is one of the best in business and a hacker since 90’s. There are many sub-channels related to different hacking methods and people discuss so much hacking related stuff. With many amazing hackers, your knowledge just gets a boost every day! I have attached the link of the channel and it will be valid for 10 days from publishing date of this blog. Let me know if you get it late and I will send it to you again.
Reddit hacking community: This Reddit community has a lot of people to discuss hacking with and I really enjoy the threads. You can give it a go and see if you get something from it :)
Infosec on Twitter: Nothing to say about this. A community full of hackers who help you grow with their tips and tricks. I personally like Twitter a lot because you can interact with different ideas and tips every day. A must follow thing for a security person (imo).
I believe these are pretty much what I use to learn hacking and there are many more things, you just need to discover them. I tried to cover the best things I have found till now and most people will agree with it. However, you are free to explore the hacking world. Till then, this article should help you to get some resources and if you learn something from it, that was my motto always :)
I hope you like this blog & contents and if you did, share it with others. I have tried to explain everything I have mentioned and I hope you get the most of it. Just make a list of resources and visit any of them at least once a day and you will see you are upgrading.
I am planning to write on new things now and you won’t see my web hacking blogs/writeups for a few months. There are so many things going on and I will try to cover some other things in upcoming reads. Till then, enjoy this one and I see you next time, sooner :-)