How much knowledge is necessary to be a PRO Hacker?

Which programming languages and what knowledge can make me a Pro Hacker?

I’ve got need here of Cryptography, Networking, PHP, Steg, JAVA, off course PYTHON, JavaScript, Web Hosting, Query Language, Linux administration and more things.

My mind blown. I didn’t understand how much I need to study to be a average hacker here.

If there was a position below the Noob here then that was me.

I haven’t solve a challenge here without any help.

If you mean “paid pentester” then I dont think there is a real answer. I know very well paid pentesters who know a fraction of what you’ve listed.

Pentesting covers a range of disciplines - some are web app testers, some infrastructure, some physical etc. Some can do it all and do it all well.

I also know lots of very well paid pentesters who cant solve CTFs / Challenges without help. It’s not necessarily the same thing as being a pentester.

The main things for a “good” tester are an ability to be methodological and document their findings. You dont need to find everything but you do need to tell people exactly what you did and didn’t do and what worked and what didn’t (ideally why).

If you mean to hack people for money, then its a bit more of a steep learning curve with a lot of trial and error…

I was meant for them who are here. I’ve seen different person have different walkthroughs for the same box and all walkthroughs are awesome. Some walkthroughs are common also.
I was thinking of them how they’re doing it.

Yaa off course I can read every walkthroughs and get experience but I want to read those what is not here.

I’ve read some walkthroughs but I’m not yet being able to hack any new box yet.

I’ve seen mixture of things what I’ve listed above.

It’s okay If I may overthinking and overthinking is my old habit.

I think if can catch flags here then I can be a good paid pentester

Hello! I am hacker level here at HTB. I ranked hacker in 10 days… Doing only Linux boxes, so in the following order: OpenAdmin,Postman,Traverxec,Obscurity,Mango… (Stuck on Book ). As you can see I rooted only Linux boxes,this because of the lack of knowledge in Windows hacking. I followed this path till now.
In 2017 I fallen in love with coding ?. In one year I learned basic and medium concepts of coding in C/C++,Python,JS,PHP and SQL… My primary goal was to be a web developer, but as you can see I am here. In 2018, again, I fallen in love with cyber security, and for the first time I heard about terms like “Red Team”," ethical hacking",“penetration testing”, I start studying Linux with “Linux basics for hacker” a book that I strongly to suggest you. But I focus a lot on methology, pentesting cycle,and popular tool. Of course my medium level coding knowledge help me a lot (Obscurity was all about scripting). You need for first to develop the right mindset, try harder is not only an ethos, is a life style! If you really want something! Then do it, earn it! . At the moment my main goals are KLCP, OSCP!
Always try harder!!!

It will easily take more than a year to get to Pro hacker if you are absolutely new to hacking.

Took me about 6 weeks to reach elite hacker rank here by doing only easy, medium and the easiest of hard linux boxes. Did some challenges here and there whenever i was missing 1-4% to reach the next rank.
Several times i had to ask for pointers and in some rare cases where i was unaware of a technique or exploit i had to straight up ask for the name of the technique so i could read on it.

Start with the basics.
-Linux Command Line by William E. Shotts. Follow through with the examples and familiriaze your self with the OS.
-How linux works, what every superuser should know.
Read casually to get an idea of how things work
-Comptia Networking+ is also a great read
-Possibly Mastering Ubuntu Server by Packt publishing
Then
-Watch ippsec youtube channel. Start with the easy boxes. Great practices and procedures for htb.
-If you need to see how to enumerate something google “ippsec search” and enter your keyword there.
-g0tmi1k is a great blog. Read from oldest to newest.
-Vulnhub boxes are way easier than htb
-John Hammond has also a great youtube channel doing challenges in other platforms that are probably easier for you.
-You dont need to be a master programmer but very basic knowledge of python, curl, php, js,sql and bash will help you a lot. Send requests with curl and python and read the responces, identify vulnerable php code, understand how and why sql injections work through php, simple bruteforcers in python etc.

I also dont generally like the challenges.
I prefer the boxes marked as “Real Life” since the mistakes and techniques used there are closer to real world scenarios

You dont need to know everything by heart in the beggining. Just knowing that something is possible and going back to read on it whenever you think you might need it is enough.
Also, keep notes. A LOT of notes!

https://ippsec.rocks/

If you mean this particular website - follow walkthroughs, ask for root flags or something.

If you mean real life, i.e being an expert, you’re on wrong way. Don’t do anything in order to get something, you need to do it just because you love doing it. The problem is that there’s a long way between you and pro skills (I guess, at the moment). And obviously it’ll take long to become a pro. Not just time but patience and stuff. So this fact kills any motivation and makes you tired. Instead, love what you’re doing and you’ll fail to notice how quick your skills become better.

I can see someone above said

“-You dont need to be a master programmer but very basic knowledge of python, curl, php, js,sql and bash will help you a lot. Send requests with curl and python and read the responces, identify vulnerable php code, understand how and why sql injections work through php, simple bruteforcers in python etc.”

That’s not true. That’s a good set of steps developed to become a skid. But I’m going to suppose that it’s not what you need. Your programming skills in at least one programming language should be brilliant, not to mention if you want to get into something like exploit tools development or vulnerability research. Learn already-existing programming languages but especially focus on the ones that are going to be needed further. Don’t forget about new programming languages. Always improve yourself.

So I should be brilliant in one programming language. But how to choose a language that is good for me?

I have little knowledge of many languages like JAVA,C,C++,Python. Well in fact, I’m always getting confused to choose between JAVA and Python. Which one will help me more. Which one be better for me.

Thanks @ion21 for replying.

Thanks @angar for giving your precious answer.

@thepunisher7 said:

I think if can catch flags here then I can be a good paid pentester

I am not sure I agree that the cause and effect is exact here.

You can be an awesome pentester and rubbish at CTFs. I know a few people like this.

You can get to Omni on HTB and not be a good pentester (me).

I think the practices on CTFs go towards being a good pentester but there is a lot more to it than that.

@TazWake You mean that real world is far from here.
When I was came here first time I got surprised to see this world.

I think there is a huge, and I mean huge, amount of value to pentester here.

It’s just that it is a broad career and a good pentester isn’t always the same thing as a good CTF player.

Some examples - almost every professional pentester will need to know how to bypass enterprise controls in a Windows environment. That is fairly uncommon here where 60% of the boxes tend to be *nix anyway. Obviously, there are exceptions with some very good AD boxes but thats about 10% of the total boxes.

Pentests rarely involve any CTF aspects. There isn’t a pre-determined path and its not common to find loot as easily as you will in a CTF - where the goal is, after all, for people to succeed. Yes people do make mistakes and accidents happen but it is rare (for example) for someone to upload a single email with clues to a production web server.

Fundamentally pentesting is not about single box exploitation (except in those horrific environments where a server in the DMZ has DA creds in memory…). Pentesters nearly always have to move laterally within an organisation and again, this is rare in a CTF. Reddish was a good example of trying to do that if you want to look at it.

Last point - pentesting is all about the report. Without producing a report the customer can use, the pentest is pointless.

Now - putting that rant aside, a pentest is made up of lots of little steps which are perfectly practiced in a CTF. If you want to get better at restricted shell escapes, a CTF is 100% a great way to do it. If you want to practice Bloodhound - again, go for it. CTFs are awesome.

CTFs really do have a place in every security person’s educational plans. I suspect I’d even go as far as saying security people who’ve never done a CTF are probably missing some key skills.

I just dont think being good at CTFs, or rank on HTB etc is the same as being a good security person.

Hey @TazWake @ion21 @angar @sparkla @CyberGeek01 Can you write your journey and life’s story at https://publicapp.in.
I want to really know how you guys came at your position.

Or if you can tell me your story then I will post. Your stories can really make me on a right path.

Type your comment> @thepunisher7 said:

I think if can catch flags here then I can be a good paid pentester

Pen testing is much more than getting flags on HTB. Yes you need to be technically competent but also excellent at written and verbal communication. The report is your main output as a pen tester so it has to be a detailed, precise and honest. You will often have to explain your findings when challenged, and work under constant pressure of tests (at a busy company).

Trust me if you interview for a pen tester job, your score on here won’t matter much to any decent firm.