TryHackMe’s Complete Beginner and PenTest+ Paths

LoganFlook
6 min read · Jan 17, 2021

For all the crap the world suffered in 2020, I believe one sliver of sunshine to look back on was the breakout year TryHackMe.com had. Combining their own tireless efforts to improve the platform with partnerships with powerhouse creators like Heath Adams, Joe Helle, and Tib3rius, the team at TryHackMe has seen a massive spike in subscribers. Along with individually releasing rooms and creating specials like the Advent of Cyber, they have developed five signature ‘Learning Paths’ that subscribers can pursue. Currently the five available are: Complete Beginner, CompTIA PenTest+, Web Fundamentals, Offensive Pentesting, and Cyber Defense, of which Cyber Defense is the latest to be released.

Today I finally had the time to complete the CompTIA PenTest+ path after completing Complete Beginner several weeks ago, and wanted to write up a quick review.

One quick thing to note: the reason I am reviewing these two paths in the same post is that roughly 80% of the CompTIA PenTest+ path is already completed by the end of the Complete Beginner path, so the amount of overlap makes them easy to talk about back-to-back.

First, The Platform As A Whole

TryHackMe.com seems to be the missing link between the established offensive security CTF world and the aspiring player. Where other platforms might be focused on flag-grabbing, point-earning, bang-your-head-against-the-wall CTFs, TryHackMe comes across as a more learner-friendly site with a community that backs it up. Don’t get me wrong, it has extremely difficult CTF rooms that are great, but the main purpose (at least from my point of view) is to give subscribers a place to develop their skills with plenty of assistance if they need it. There are many different types of rooms, ranging from ‘crash courses’ on specific tools, to walkthroughs of different techniques, to traditional CTFs. Almost all of these come with tons of provided material and information that, for the most part, equips you to complete the room without outside assistance, ignoring OSINT rooms and links to GitHub tools and the like. I’ve been a member for 327 days, which includes a six-month break due to work. But now, with said break over, I have been thoroughly enjoying my subscription yet again. 10/10 would recommend. Anyways...

Complete Beginner

The Complete Beginner path was great! Within the 26 rooms you move through eight different focuses: Linux Fundamentals, Networking Fundamentals, Web Application Fundamentals, Cryptography, Windows Fundamentals, Privilege Escalation, and Basic Exploitation.

Linux Fundamentals was a blast. It builds students up from the ground on the basic Bash command line, file/folder management, and general administration topics. It was a really good introduction to Linux for anyone who has never touched it before! You’ll obviously learn basic commands like ls/cat/mv/cp/cd/…, but you’ll also learn how to chain commands together with pipes, use more complex commands like grep/awk/sed, and manage files and folders beyond a user-level understanding.
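As an added illustration of the kind of command chaining the Linux rooms teach (this is my example, not material from TryHackMe or the rooms themselves), here is a short POSIX shell script that pipes a constructed /etc/passwd sample through grep, awk, sed and sort. The sample data is made up for the example; the checks it performs (interactive shells, extra UID 0 accounts, shell counts) are the sort of thing you end up typing during local enumeration later in the path.

```shell
#!/bin/sh
# Constructed sample of an /etc/passwd file (not taken from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:0:0:service:/var/svc:/bin/sh'

# Login names of accounts whose shell is interactive, one per line, sorted.
# grep -Ev drops the non-login shells, awk picks the first colon-separated field.
interactive_users() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | grep -Ev ':(/usr/sbin/nologin|/bin/false|/bin/sync)$' \
        | awk -F: '{ print $1 }' \
        | sort
}

# Accounts other than root that carry UID 0: a classic privesc/persistence finding.
extra_uid0() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# How many accounts use each shell, most common first.
# sed strips the leading padding that uniq -c adds so the count is the first word.
shell_counts() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | awk -F: '{ print $7 }' \
        | sort | uniq -c \
        | sed 's/^ *//' \
        | sort -rn
}

# Stand-alone usage: print all three reports.
if [ "${1:-}" = "--run" ]; then
    echo "interactive users:"; interactive_users
    echo "extra uid 0:";       extra_uid0
    echo "shell counts:";      shell_counts
fi
```

Run it with `sh script.sh --run`. On a real box you would replace the `printf` of the sample with `cat /etc/passwd`; the pipelines stay the same, which is the point of learning them as composable pieces rather than as one-off commands.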

Networking Fundamentals was actually very interesting. It was much more in-depth than I was expecting and covered many, many different areas. Combining basic ‘OSI layers’ level information with more granular network service analysis was really great. You’ll get to play around with things like Nmap, FTP, SMB, and SSH, but beyond that you’ll get to touch things like SMTP, MySQL and NFS. All around a really good foundation of networking knowledge.

The Web Apps section easily took me the longest; I am just terrible with web apps. But the rooms here were really great. Again starting from basically nothing, discussing the fundamentals of HTTP and Burp, you’ll move through the OWASP Top 10, practicing each technique against different websites. All of which leads to kind of a fun ‘capstone’ type deal with its last room. I sincerely got the most out of this area.

The Cryptography rooms were fantastic. A pretty high-level overview of encryption and hashing, but super fun and engaging. At first I wasn’t sure why those rooms were in the ‘Complete Beginner’ path, but after completing them I understood how knowing that information is really important before moving on.

Windows Fundamentals was a great intro into the world of Windows. It does assume you at least know what Windows is and how it works from a high level, but I think pretty much everyone does in today’s age. Instead of walking you through commands like in the Linux section, you learn about Metasploit and how to leverage it against a Windows machine. This section also ends with a sort of ‘capstone’ feel in its last room.

Privilege Escalation and Shells is where the heat turns up a little bit. Not too much, obviously, but enough that you get to play around with what happens after the hack. Again, super fun learning about reverse shells, enumeration, and privesc. This section covers both Linux and Windows.

Ending the whole path is the ‘Basic Computer Exploitation’ section, which truly was almost a ‘capstone’ as it is made up of CTF rooms (they still include walkthroughs if you want to read along). This was a nice spot to practice what you’ve learned.

CompTIA PenTest+

Like I said before, a huge portion of this path is in the Complete Beginner path as well. This includes all of the networking rooms, the web application rooms, and most of the Windows rooms. Along with those, however, this path adds vulnerability scanners, password crackers, and a little bit more web app material.

But where this path really detours is in its last section on ‘Local-host vulnerabilities.’ This opens the floodgates to the world of Kerberos, and a lot more local enumeration and privesc. Coming from someone who literally didn’t know a single thing about Kerberoasting, that section was a blast. I was super excited to mess around with BloodHound, Mimikatz, and PowerView. The post-exploitation enumeration techniques were really cool starting points for developing those skills as well.

Summary

Both of these paths were a blast and I 100% recommend both. Honestly, doing one without the other would just be silly with how much they overlap. Those looking to just now enter the world of offensive security / CTFs could stand to gain tons of knowledge to further build upon. Those with a considerable amount of experience might still gain something from the Active Directory, Kerberos, or post-exploitation areas, but should probably skip over these two paths and focus on the Offensive Pentesting and/or Web Fundamentals paths (or even the new Cyber Defense path!).

Word to the wise though: if you wish to complete these two paths, take notes from the start. I didn’t take notes until almost 3/4 of the way done and wish I would have started at the beginning. You might not need to write down commands like ls/cat, but certain tool syntax will come back to bite you if you don’t remember it correctly. I am looking at you, Hashcat. And at the end of the day, having something is better than having nothing.

All in all, I think TryHackMe knocked it out of the park in setting up brand new subscribers for success. At the time of writing, a one-month subscription to TryHackMe.com is still only $10 USD and in my opinion well worth it. I’ll continue to keep my subscription up as I look to complete the remaining three pathways and any others that come out down the road!

LoganFlook

Just trying to learn as much as I can, to be the best I can be. “Live as if you were to die tomorrow. Learn as if you were to live forever” — Mahatma Gandhi