
Week 12: CTF Preparation & Certification

MITRE ATT&CK: Tactic — TA0007 (Discovery), Technique — T1190 (Exploit Public-Facing Application)

Real-World CTF: How HTB and THM Machines Mirror Real Breaches

Every machine on HackTheBox and TryHackMe is designed to replicate real-world vulnerabilities:

Example: HTB Machine "Lame" (Easy)

This retired HTB machine mirrors the 2015 vsFTPd backdoor compromise:

  1. Enumeration: Nmap found vsFTPd 2.3.4 on port 21
  2. Vulnerability: CVE-2011-2523 (vsFTPd backdoor)
  3. Exploitation: Connected with the username :) (smiley face), which triggers the backdoor
  4. Shell: Received direct access as root

Example: THM Room "Blue" (EternalBlue)

This room recreates the infamous WannaCry / EternalBlue attack:

  1. Port Scan: Found SMB on ports 445, 139
  2. Vulnerability ID: MS17-010 (EternalBlue)
  3. Exploitation: Metasploit module exploit/windows/smb/ms17_010_eternalblue
  4. PrivEsc: Received SYSTEM shell immediately
  5. Post-Exploitation: Used mimikatz to dump hashes

Why CTF skills transfer to real security work:

  • HTB Medium machines require chained exploits (like real attacks)
  • THM AD rooms replicate enterprise AD attack paths
  • PG machines are nearly identical to OSCP exam difficulty

Objectives

  • Develop CTF problem-solving strategies
  • Master key platforms (HackTheBox, TryHackMe, Proving Grounds)
  • Align skills with certification paths (OSCP, CEH, eJPT)
  • Create a personal methodology and study plan

CTF Fundamentals

Categories

| Category | Skills Tested | Tools |
|---|---|---|
| Web | XSS, SQLi, SSRF, LFI, RCE | Burp, SQLMap, ffuf |
| PWN/RE | Binary exploitation, reversing | GDB, pwntools, Ghidra, IDA |
| Crypto | Encoding, encryption flaws | CyberChef, hashcat, openssl |
| Forensics | File analysis, carving, memory | Volatility, binwalk, strings |
| OSINT | Information gathering | OSINT frameworks, search |
| Misc | Steganography, logic puzzles | zsteg, strings, grep |
| PrivEsc | Linux/Windows privesc | linpeas, winpeas, GTFOBins |

Methodology

1. Read challenge carefully
2. Enumerate all given information (files, IPs, hints)
3. Start with easy wins: check source, run commands
4. Build a hypothesis
5. Try the simplest solution first
6. If stuck: enumerate more thoroughly
7. Document what you've tried
8. Sleep on it / try again fresh

Platform Guide

HackTheBox (HTB)

Subscription: Free (retired machines) / $10/mo (active machines)
Difficulty: Medium to Insane
OS: Linux, Windows
Best for: OSCP preparation, intermediate-advanced

Starting:
1. Join at https://hackthebox.eu
2. Download VPN pack: User → Starting Point → VPN
3. Connect: openvpn user.ovpn
4. Start with "Starting Point" (guided, easy)
5. Progress to machines

Rating system:
- Easy: 20 points
- Medium: 30 points
- Hard: 40 points
- Insane: 50 points

Academy: hackthebox.academy (paid, structured learning)

TryHackMe (THM)

Subscription: Free tier / $10/mo (plus)
Difficulty: Beginner to Advanced
OS: Linux, Windows, Android
Best for: Beginners, structured learning, walkthroughs

Rooms:
- Complete on your own OR use PwnedHelper
- Many are "wargames" (guided, learning-focused)
- Some are "ctf" (competition-style)

Essential rooms:
- Pre-Security (networking basics)
- Complete Beginner (Kali, networking, web)
- Jr. Penetration Tester
- Active Directory
- Offensive Pentesting

Offensive Security Proving Grounds (PG)

Subscription: $15/month
Difficulty: OSCP-like (similar to real exam)
OS: Linux, Windows
Best for: OSCP prep, practice before exam

Advantages:
- Similar difficulty to OSCP
- Three attempts per month
- Writeup submission for other users
- No excessive guess-the-hash
- "Practice" machines (easier) vs "Challenge"

Strategy:
- Do Easy/Medium machines in order
- Focus on Linux first
- Then Windows
- Time yourself: aim for root in under 2 hours

VulnHub

Free, download VMs
Difficulty: Variable
Best for: Local lab practice, specific vulnerabilities

Downside:
- Some VMs are poorly made
- "Easter eggs" that aren't realistic
- Can be frustrating

Recommendation:
- Kioptrix series (classic)
- DC series (Metasploitable-based)
- Brainpan (buffer overflow practice)

Certification Paths

OSCP (Offensive Security Certified Professional)

Prerequisites: Basic Linux, networking, scripting
Cost: ~$1,500 (course + exam)
Duration: 90 days lab + 24-hour exam
Format: Hands-on, no multiple choice

Exam structure:
- 5 machines (4 solo + 1 skeleton)
- Need 70/100 points to pass
- 24 hours to root all machines
- 24 hours to write report

Recommended preparation:
1. HTB Medium machines (10+)
2. PG Practice (15+ machines)
3. TJ Null's OSCP guide machines
4. Buffer overflow practice (VulnHub brainpan)

CEH (Certified Ethical Hacker)

Cost: ~$1,000 (exam + course)
Format: Multiple choice, 125 questions, 4 hours
Prerequisites: 2 years security experience (or training)

Pros:
- Recognized in enterprise
- Covers broad topics
- Easier than OSCP

Cons:
- Multiple choice (not hands-on)
- Expensive
- Some say less practical

Use for:
- Getting past HR filters
- Government/DoD positions
- Broader security knowledge base

eJPT (eLearnSecurity Junior Penetration Tester)

Cost: ~$200 (exam only) or ~$400 (with training)
Format: Hands-on, 20 questions, 48 hours
Prerequisites: None
Best for: First certification, entry-level

Advantages:
- Very practical
- Affordable
- No expirations on certificate
- Good first step before OSCP

Learning path:
1. eJPT course (free with exam purchase)
2. HTB for Linux
3. PG Practice for Windows
4. Take exam

PNPT (TCM Security)

Cost: $300 (exam)
Format: Practical, 5 days, PDF report
Prerequisites: None (beginner friendly)
Best for: Entry-level, practical focus

Advantage:
- Extremely practical
- No multiple choice
- TCM's Practical Ethical Hacking course is excellent
- Affordable

Focus areas:
- AD attacks
- Python scripting
- Report writing

Practice Strategy

Daily Routine

```text
# Before work/school (1-2 hours):
- 1 HTB machine or 1 THM room
- Focus on completing, not just watching walkthroughs

# Weekly:
- 2-3 full CTF challenges
- Read 2-3 writeups from others
- Review tool documentation for a tool you use

# Monthly:
- Attempt a certification exam
- Review and update notes
- Contribute to a CTF team
```

Machine Difficulty Progression

Stage 1 (Weeks 1-4):
- THM: Complete Beginner, Web Fundamentals
- HTB: Starting Point (all)
- PG: Easy Linux

Stage 2 (Weeks 5-8):
- THM: Jr. Penetration Tester path
- HTB: Easy machines
- PG: Medium Linux, Easy Windows

Stage 3 (Weeks 9-12):
- HTB: Medium machines
- PG: Medium Windows
- HTB: Hard machines (some)
- Practice buffer overflow

CTF Toolkit

```text
# Essential tools - know these deeply:
nmap, Burp Suite, SQLMap, ffuf, Gobuster
linpeas/winpeas, pspy, GTFOBins
Mimikatz, Responder, impacket
gdb, pwntools, Ghidra
CyberChef, Hashcat
```

Writeup Guide

Writeup Structure

```markdown
# Challenge Name
## Category
## Difficulty
## Description

## Enumeration
- IP/Port findings
- Initial observations

## Exploitation
- Step-by-step process
- What worked

## Privilege Escalation (if applicable)
- How to get root/admin

## Lessons Learned
- What to remember
- Alternative approaches
```
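The Enumeration step of the Lame walkthrough above (Nmap finding vsFTPd 2.3.4 on port 21) is exactly what this template's "## Enumeration" section records. As an added example that is not part of the original guide, the following Python turns one nmap greppable-output (-oG) "Host:" line into that section; the scan line is constructed to resemble the Lame findings, and the field layout port/state/proto/owner/service/rpc info/version is assumed from nmap's -oG format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed nmap -oG "Host:" line for a Lame-style box; not output of a real scan.
SAMPLE_OG = (
    "Host: 10.10.10.3 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, "
    "445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian/"
    "\tIgnored State: closed (996)"
)

@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str

def parse_grepable(line: str) -> tuple[str, list[PortFinding]]:
    """Parse one 'Host:' line of nmap -oG output into structured port findings."""
    host_m = re.match(r"Host:\s+(\S+)", line)
    ports_m = re.search(r"Ports:\s+(.*?)(?:\t|$)", line)
    if not host_m or not ports_m:
        raise ValueError("not a Host/Ports line")
    findings = []
    for entry in ports_m.group(1).split(","):
        fields = entry.strip().split("/")
        # Assumed -oG port fields: port/state/proto/owner/service/rpc info/version/
        if len(fields) < 7 or not fields[0].isdigit():
            continue
        findings.append(PortFinding(int(fields[0]), fields[2], fields[1],
                                    fields[4], fields[6].strip()))
    return host_m.group(1), findings

def enumeration_section(host: str, findings: list[PortFinding]) -> str:
    """Render the '## Enumeration' block of the writeup template from findings."""
    lines = ["## Enumeration", f"- Target: {host}", "- IP/Port findings:"]
    for f in findings:
        if f.state == "open":  # closed/filtered ports stay out of the summary
            lines.append(f"  - {f.port}/{f.proto} {f.service}: {f.version or 'unknown version'}")
    lines.append("- Initial observations:")
    lines.append("  - (note banners worth researching before trying anything)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(enumeration_section(*parse_grepable(SAMPLE_OG)))
```

Feed it `nmap -oG scan.gnmap` lines from your own lab box and paste the result into the writeup; the version strings are what you look up before choosing an approach, which is step 2 of the methodology above.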

Where to Share

- Null Byte (WHT)
- Medium
- GitHub (source + writeup)
- Blog
- LinkedIn

Key Takeaways

  1. Consistency — 1-2 hours daily beats 10 hours on weekends
  2. Methodology — have a repeatable process
  3. Platforms — THM for learning, HTB/PG for practice
  4. Certifications — eJPT first, then OSCP if enterprise
  5. Writeups — writing teaches; read others' solutions
  6. Don't watch walkthroughs immediately — struggle first, learn more

Beyond 3 Months - Continuing Growth

Advanced topics to explore:
- Binary exploitation (ROP, format strings, heap)
- Firmware security
- Mobile app testing
- Cloud security (AWS, Azure, GCP)
- Purple team / threat hunting
- Malware analysis
- Hardware hacking

Communities:
- r/netsec, r/hacking, r/cybersecurity
- HTB forums
- Discord servers
- Twitter/X infosec community
- Local security meetups

Congratulations

You've completed the 3-month ethical hacking guide. Continue practicing, stay curious, and always hack ethically.
