Hack The Box and TryHackMe - My Stepping Stone Into Systems, Backend, and DevOps

Well, if you glance at the badge above, I'm currently sitting at a pretty terrible rank of 959. I've definitely seen better days - somewhere around the ~450s. The rank keeps slipping away over time, but that Pro Hacker badge? That stays. And honestly, that's one thing I'm genuinely proud of. A small trophy from a time that shaped everything that came after.

And when I think about that badge, I'm instantly taken back to 2022.

Back then, we didn't have AI or GPTs flooding every corner of the internet like we do today. The only "AI" most of us knew were 2-D CNNs identifying cats versus dogs, and maybe a few LSTM models running sentiment analysis on Twitter threads. That was it. That was the extent of what felt "futuristic."

Achieving Pro Hacker at that point? It actually meant something.

Members were ranked purely based on active challenges. Solutions weren't easily Googleable. Writeups were rare, scattered, often outdated. You either figured it out yourself, or you didn't. And when you did - when you rooted a box entirely on your own - the confidence that came with it was something else entirely.

Rooting meant the whole journey: finding the vulnerability in the first exposed service (a web server, SSH, some obscure daemon on a random port), gaining initial user access, then escalating all the way to root. That final escalation could come from exploiting vulnerable binaries, abusing SUID permissions, running shell commands through vim because it happened to have write access to privileged files, symlinking your way into system binaries, or pulling off a clean reverse shell.

That moment when you finally saw root@box:~# in your terminal?

Chills. The kind you don't get from horror movies.

There was a time when I was genuinely addicted to it. I'd wait for the weekly HTB machine release, preferably Linux, and chase first blood (being the very first person to hack it.) I never got it. Not once. But the chase? The hunt? That was addictive in itself.

TryHackMe - Where the Learning Actually Started

While Hack The Box was the battlefield, TryHackMe was where I actually learned how to fight.

HTB threw you into the deep end. TryHackMe taught you how to swim first.

TryHackMe gave me something HTB never even tried to offer - structure. Guided learning. Context. Explanations that didn't assume you already knew everything.

Through its rooms and labs, I learned:

• Linux basics without blindly guessing commands
• Networking fundamentals - TCP, UDP, DNS, HTTP, how packets actually move
• How services talk to each other
• How authentication and authorization really work under the hood
• Why certain misconfigurations are dangerous before they're exploited
• What vulnerabilities actually look like in the wild

Each room forced me to read, understand, and then do. It wasn't about speed. It wasn't about rank. It was about building a proper mental model of how systems function - and how they break.

TryHackMe laid the foundation:

• What a server actually is
• Why ports exist and what they expose
• How web applications are structured behind the scenes
• How privilege boundaries are supposed to work (and how they fail)

By the time I jumped into Hack The Box seriously, I wasn't just blindly running nmap and hoping for results. I knew what I was looking for. I knew why I was looking for it.

Running Virtual Machines - Learning Systems in Isolation

Alongside TryHackMe and Hack The Box, a huge part of my learning came from running local virtual machines using VMware.

At the time, I didn’t think of it as “virtualization” or “infrastructure.” It was just the easiest way to spin up a Linux system, break it completely, and not worry about consequences. But in hindsight, this taught me some of the most important fundamentals.

Running VMs helped me understand:

• What it actually means to run an operating system on top of another
• The difference between a host and a guest
• How CPU, memory, and disk are allocated and limited
• Why isolation is such a big deal

VMware networking was a massive eye-opener.

I learned the difference between:

• NAT, Bridged, and Host-only networking
• Why some machines were reachable from outside and others weren’t
• How IP addressing and routing change based on VM configuration

Concepts like internal networks, private services, and exposed ports suddenly made sense - and those exact concepts kept showing up again in Hack The Box machines and later in real production systems.

Snapshots were another underrated teacher.

Being able to:

• Break a system completely
• Roll back instantly
• Try again without fear

Made experimentation natural. I stopped being afraid of breaking things, because breaking things was part of the process.

Later, when I started working with Docker, cloud VMs, and production servers, none of it felt foreign. I already understood isolation, boundaries, and how easy it is to expose things accidentally.

The Tools That Became Second Nature
If TryHackMe taught me what to look for, and Hack The Box forced me to find it, then the tools I learned became the language I spoke.

Back then, every HTB machine started the same way. Boot up the VPN. Fire up the terminal. And run the tools.

Nmap - The First Question You Always Ask

Every single machine started with nmap. Not just running it - understanding it.

I learned the difference between:

• A quick scan (-sV -sC) versus a full port scan
• Why stealth scans matter (and when they don't)
• How version detection actually works
• What those cryptic NSE scripts were doing behind the scenes

Nmap wasn't just a port scanner. It was teaching me what services look like from the outside. How they announce themselves. What they accidentally reveal.

Today, when I'm debugging network issues or checking what's actually exposed on a server, I'm still using nmap. Not because it's nostalgic - because it's still the best way to see what the world sees.

Burp Suite - Where Web Exploitation Started

Most HTB machines had a web component. And most of those couldn't be exploited by just clicking around in a browser.

That's where Burp Suite came in.

I learned:

• How to intercept and modify HTTP requests in real-time
• What happens when you change parameters the frontend "validates"
• How authentication tokens actually flow through requests
• Why the Repeater tab became my best friend for testing payloads
• How to spot SQL injection, XSS, and IDOR vulnerabilities before the scanner did

Burp taught me that nothing client-side can be trusted. Every validation. Every restriction. Every "hidden" field. All of it can be bypassed if the backend doesn't verify.

That lesson stuck. Hard.

When I build APIs now, I validate everything on the server. Because I've spent too many hours exploiting developers who didn't.

Linpeas - The Privilege Escalation Cheat Code

Getting initial access was one thing. Getting root was another.

That's where linpeas (Linux Privilege Escalation Awesome Script) became invaluable.

Linpeas automated what I used to do manually:

• Enumerate SUID binaries
• Check for misconfigured cron jobs
• Find writable paths in system directories
• Spot sudo misconfigurations
• Hunt for passwords left in config files or bash history

At first, I'd just run it and blindly follow highlighted findings. But over time, I learned what it was actually checking for - and why each check mattered.

Linpeas taught me what to look for when something's misconfigured. And that knowledge translates directly into hardening systems today.

Gobuster / Dirb - Finding What Shouldn't Be Found

Web directories. Hidden endpoints. Backup files. Old admin panels.

These were goldmines on HTB machines, and gobuster (or dirb back in the day) was how you found them.

Directory brute-forcing taught me:

• Why leaving /backup, /admin, or .git exposed is a terrible idea
• How predictable naming conventions are exploited
• Why proper access controls matter more than obscurity
• What files developers forget exist (.env.bak, database.sql, config.php.save)

Now, when I deploy applications, I think about what's accidentally accessible. What got committed to version control. What's sitting in a public S3 bucket because someone assumed it was "hidden."

Metasploit - The Double-Edged Sword

Metasploit was powerful. Almost too powerful.

It could automate entire exploits with a single command. But it also became a crutch if you relied on it too much.

I learned:

• How exploits actually work under the hood (not just running exploit)
• What payloads are doing when they establish a reverse shell
• Why some exploits need specific versions and configurations
• How to customize and adapt exploits when the automated ones failed

The most important lesson? Understand the exploit before running it. Otherwise, you're just copy-pasting without learning.

SQLMap - When Databases Leaked Everything

SQL injection was everywhere on older HTB machines. And sqlmap made it almost trivial to exploit.

But the real value wasn't automating the injection - it was understanding:

• How SQL queries are constructed and manipulated
• Why parameterized queries prevent this entirely
• What union-based, boolean-based, and time-based injection actually mean
• How database enumeration leads to full system compromise

SQLMap taught me what not to do when writing backend code. Every raw query I avoided writing in production was because I'd exploited someone else's.

Hydra - Brute Force When Configuration Failed

Weak passwords. Default credentials. Exposed SSH or FTP.

Hydra was the go-to for brute-forcing services when nothing else worked.

It taught me:

• Why default credentials are still the #1 way systems get compromised
• How rate limiting and account lockouts actually protect services
• Why password policies exist (and why "Password123!" doesn't count)

Now, when I configure authentication, I think about what an attacker with Hydra would try first.

The Lesson All These Tools Taught Me

These weren't just pentesting tools. They were teaching me how systems actually work - and how they fail.

Every tool revealed a different layer:

• Nmap showed me network exposure
• Burp showed me application logic flaws
• Linpeas showed me system misconfigurations
• Gobuster showed me information disclosure
• Metasploit showed me exploit mechanics
• SQLMap showed me database vulnerabilities
• Hydra showed me authentication weaknesses

And every single lesson from these tools directly translates into how I build, secure, and debug systems today.

I don't run linpeas on production servers (usually). But I know what it would find if I did.

And that keeps me honest.

Hack The Box - Where Theory Gets Reality-Checked

If TryHackMe was learning with guardrails, Hack The Box was learning without mercy.

HTB didn't teach. It tested.

Everything I thought I understood from TryHackMe got validated, shattered, or reinforced here. Enumeration wasn't optional - it was survival. Mistakes were punished immediately. Assumptions failed fast and loud.

No hand-holding. No hints unless you earned them with points. Just you, a terminal, and a machine that didn't care if you succeeded or gave up.

This is where things actually clicked.

Linux: Learning the Hard Way (and the Right Way)

At the time, I didn't realize it, but Hack The Box was teaching me Linux fundamentals in the most brutal - and most effective - way possible.

File permissions. Users and groups. SUID binaries. Sudo rules. PATH hijacking.

These weren't abstract textbook concepts. They were gatekeepers. If I didn't understand them deeply, I didn't get root. Simple as that.

Privilege escalation forced me to understand:

• Why a binary running as root is dangerous (and how to abuse it)
• How misconfigured file permissions can tear down an entire security model
• What actually lives inside /etc, /var, /proc, and why it matters
• How to read logs, configs, and cron jobs like they're telling a story

This is the exact same knowledge I rely on today when securing production servers or debugging bizarre runtime issues at 2 AM.

Servers, Ports, and Services - The First Lesson

Every machine started the same way: enumeration.

Port scanning wasn't just a step in a checklist. It taught me how servers actually expose themselves to the world - and how easy it is to expose too much.

Seeing an open port immediately triggered questions:

• What service is this?
• Why is it exposed publicly?
• Who configured it this way, and did they mean to?
• What's the attack surface here?

That habit - that instinct - carried directly into my backend and DevOps work.

Accidentally Learning NGINX, Apache, and Web Stacks

Most HTB machines had a web layer. To exploit it, I had to understand it first.

Without even realizing it, I was learning:

• How NGINX and Apache serve content and route requests
• How configuration files are structured (and where the dangerous lines hide)
• What breaks when permissions are wrong or directories are misconfigured
• Why a single misconfiguration can be worse than an unpatched CVE

Software Isn’t Magic - It’s Just Running Somewhere

HTB machines were goldmines of badly configured software:

• Services running as root
• Cron jobs doing questionable things
• Custom binaries no one ever audited
• Old versions left untouched

That taught me a lesson I carry into every system I build today:

Software works because someone configured it to. And it breaks for the exact same reason.

The Backend & DevOps Impact - Knowing the Loopholes Before They Become Problems

Because of HTB, TryHackMe, and running my own VMs, I learned what not to do early:

• Don’t run services as root
• Don’t expose ports unnecessarily
• Don’t trust internal networks blindly
• Don’t leave defaults untouched
• Don’t assume configs are safe just because “it works”

The Stepping Stone I Didn’t Know I Needed

Back then, I thought I was just hacking boxes for fun.

In reality:

• TryHackMe taught me the fundamentals
• VMware gave me a safe playground to experiment
• Hack The Box validated everything under pressure

The rank drifts lower every week.

But the foundation it built still holds.

And that? That never really goes away.