The Big Debate: HackTheBox vs TryHackMe – My Experience
Edward Grovenor
ISO | CompTIA A+ Net+ Sec+ CySA+ certified | THM Top 1% | Passionate about Cyber Security
I get asked a lot about my experiences with the 2 biggest platforms in ethical hacking – HackTheBox and TryHackMe.
Just FYI - this is a slightly less well-produced version of the same article on Cyberdad. Check it out there for a more jazzy version with images and what not!
As you’ll already know (because you’re a faithful and returning reader, right?) I’ve done walkthroughs for boxes on both platforms and have thoroughly enjoyed both. I’ve also learned huge amounts from both!
But, if I were to have my time again, would I do anything differently?
Do I have any advice for people setting out on the same journey as I have?
Is there a best path to take?
Let me begin by telling you a bit about my intro to cybersecurity.
The Setup
Just before the COVID-19 pandemic hit us like a tonne of lead-lined bricks in 2020, I was sick of my job.
Well, that’s not entirely true, I quite enjoyed the actual work of my job, but I really disliked the organisation I worked for. Worse than that, I was disgruntled with the path my career had taken.
I had been in education for about a decade and my yearly salary had only gone up about £4K across those 10 years. I had also, more or less, capped how much I could earn and learn in my sector.
I felt bored and, frankly, a bit hopeless.
I didn’t see how I was ever going to be able to earn enough to let my wife stop working and just be mommy.
I didn’t see how I was ever going to do something with real challenge again.
I didn’t see me ever doing anything I already had an interest in.
Suffice to say, I needed a change, so I began looking for new roles on Indeed.
That’s when I saw an advert for a tech training company called The Learning People. The ad was along the lines of “IT security has a huge lack of qualified people. Cybersecurity has a 99% employment rate. There are 4 jobs posted for every 1 qualified person. The average salary in cyber security is £70k.”
I’ve always been into technology and IT, I built my first computer with the help of my best friend and uncle when I was about 11. I figured this seemed pretty interesting!
So, obviously, I pumped my email in and said I would like to be contacted.
Long story short, I got halfway to signing up for qualifications, and then the great plague hit.
Uncertainty about the future went wild, my wife and I decided we wanted to move house, and my qualifications (or search therein) went by the wayside for a while.
Fast forward to June 2021 and I’ve changed my job (sideways move to a similar role in the same industry for the same pay in a similar organisation [but better]).
I had more time, we had moved, we had spare money after the move, and my employment was a 24 month contract so I had a deadline to choose where I would go next.
I got in touch with The Learning People and spoke with my contact, the lovely Jasmine Schneider, and we got me onto the CompTIA A+, Network+, Security+ and CySA+ – I was super excited.
The False Start
Once this was done (and I had blasted a few grand at it) I realised that, whilst quals were great, I actually had 0 practical skills.
I have a friend who is in the cybersecurity sector and he advised me to make sure I was learning the actual skills and not just relying on certs – he suggested I try out CTFs and vulnerable machines.
This was what led me to HackTheBox.
Eventually.
Initially, I actually landed on a ‘wargames’ set of challenges at overthewire.com called bandit – these are essentially challenges over SSH where you are presented with a user login for the level, and you have to find the login for the next level buried on the system. Some are easier, some are harder, but they’re completely unguided.
In retrospect, this was a dreadful place to start.
Don’t get me wrong, it was very enjoyable and I learned a tonne! But it was a slow process, having to Google absolutely everything about SSH and the command line, then work out how to put it all in practice.
However, I learned fast that I enjoyed using the CLI to navigate systems, and this was the biggest and easiest sign, for me personally, that maybe I was really into this.
Maybe I could make a career of this.
The Uphill Slope
Once it dawned on me that this was, perhaps, slightly too complicated to begin with, I looked for something else to get into and learn a wider range of skills through.
This led me to ctflearn.com – a place with multiple CTF style challenges set up by contributing members with a helpful and active community.
I began with exceptionally basic stuff (I basically looked for everything that was listed as easy), but I learned some cool core skills – I learned basic encoding like base64 and SHA256, I learned how information can be hidden in metadata, I discovered great little tools like Notepad++ and GIMP, I even learned how to use the developer tools in browsers to search for directories and cookies (and much more)!
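As an added example (not the author's code, and not anything from ctflearn), here is the kind of triage script a beginner ends up writing for two of the items just listed. The distinction it enforces is the one worth learning early: base64 is an encoding, so it can be decoded straight back to the original bytes; SHA-256 is a hash, so there is no "decode", only hashing guesses from a wordlist and comparing. The sample strings and the four-word wordlist are constructed for the demo.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample strings of the kind a beginner CTF hands you (not from the post).
SAMPLES = {
    "b64": "ZmxhZ3tiYXNlNjRfaXNfZW5jb2Rpbmd9",          # base64 of "flag{base64_is_encoding}"
    "sha256": hashlib.sha256(b"password1").hexdigest(),  # hex digest of a weak password
    "plain": "nothing to see here",
}

# Constructed four-word wordlist standing in for something like rockyou.txt.
WORDLIST = ["letmein", "hunter2", "password1", "qwerty"]

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHA256_HEX_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def try_base64(s: str):
    """Return the decoded text if s is well-formed base64 that decodes to printable UTF-8, else None."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def crack_sha256(hexdigest: str, wordlist):
    """SHA-256 is one-way: the only route 'back' is to hash candidates and compare digests."""
    if not SHA256_HEX_RE.match(hexdigest):
        return None
    target = hexdigest.lower()
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == target:
            return word
    return None


def triage(s: str, wordlist=WORDLIST):
    """Classify a string the way you would in a CTF: decode what is encoded, crack what is hashed.

    The hash check runs first on purpose: 64 hex characters are also valid base64 characters,
    so a digest would otherwise 'decode' to 48 bytes of garbage.
    """
    if SHA256_HEX_RE.match(s):
        return ("sha256", crack_sha256(s, wordlist))
    decoded = try_base64(s)
    if decoded is not None:
        return ("base64", decoded)
    return ("unknown", None)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", triage(value))
```

Note the ordering in `triage`: a hex digest passes the base64 character check, so the hash test has to come first or the script will confidently "decode" a hash into garbage.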
However, as fun as this was and as much as I was learning, I still felt like I was looking at stuff that was… ancillary to the main goal.
I felt like I wasn’t looking at the proper equipment and tools for penetration testing!
I decided to look further into this and see what else was out there; perhaps I could find something a bit more in-depth.
This led me to find a site where users put up deliberately vulnerable boxes for people to hack, which was mega cool, but I had no idea how to get started!
That’s when I discovered HackTheBox…
The HTB Toe-Dip
I heard about this site called ‘HackTheBox’ – apparently, in order to get in and use it, you actually had to find a way to subscribe via some sort of hacking challenge! What better way to test my budding skills, I thought?
Well, it turns out that’s a relic of the past, you no longer need to do anything to sign up, you just… sign up. It can’t be that easy, surely?
Okay, a bit disappointing, but once I had completed the registration and got my first look at the content I knew the game had changed.
Here I found easy to access vulnerable boxes, structured progressive challenges, a dedicated network with access guidance, a HUGE guide on how to set up and configure your own attack box, an entire introductory module that detailed the cybersecurity industry… all for free!
Needless to say, I jumped in feet first.
The knowledge I picked up in the first few hours of reading through the introductory stuff, making furious notes, is ridiculous – HTB know what they’re doing when it comes to getting you started and ensuring you have a very broad and basic understanding of what you need to know upfront.
Just to make it clear how helpful that was – I STILL refer back to those notes from time to time!
This was the point I decided to really get to know some of these tools I was hearing about (nmap? John? Gobuster? What the chuff?) and I created a USB boot stick for Kali Linux.
I have since moved to using a VM for Kali Linux, but learning how to dual boot was pretty cool.
However, now I was being confronted with something new to learn AGAIN…
The “Kar-Lee Lye-Nux?”
Once I had downloaded Kali Linux, which I had been mispronouncing for the first couple of hours (as karlee Lyenux), I decided I had better learn how to use it!
Note: in my defence, the reason I was mispronouncing it was because someone I knew had downloaded it once, so he instantly became the short term oracle, and he pronounces it weirdly.
I had never really used an OS other than Windows, besides a very brief stint of using a Mac, so booting into Linux was a real trip.
The major thing I wanted to learn was the command line as a) this seemed to be a real key skill most hacking pros had, b) it made navigating an unknown OS, weirdly, easier and c) it made me feel like a H4cK3r.
Thankfully, the work I had been doing in SSH in the wargames had really helped prepare me for this! Lots of the commands were similar or straight up the same, much of the interface commands were the same, and a lot of the grammar required was the same!
I probably spent the first… 10 or so hours of my time on Kali just watching videos of people doing basic things like mkdir, cd, nano and ifconfig and just following along. Here are a couple of videos I found super helpful:
Now at this point I’m on for DOZENS of hours of learning and I haven’t actually learned anything much about using the tools I need for my career!
I looked into which tools/functions/protocols I would most likely start with (nmap, ssh, telnet, smbclient, Gobuster, etc – the basics) and began learning how to download and install stuff via GitHub.
This was, quite frankly, a nightmare. At this point I was so far off the point where I had a single clue what I was doing even this seemed like hard work – but I got there!
Once I had it all up and running (which should have taken all of about 30 seconds) I realised I had nothing to aim these things at!
I needed a vulnerable target…
Enter Metasploitable.
The Gandalf Conundrum
So, I did a bit of a search online for vulnerable VMs/boxes to practice attacking, and the first and most prevalent one was something called ‘metasploitable’ – a VM you can run on the same network as your Kali VM to use as a target that is easy to run exploits on/against.
You can find it here if you’d like to have a bash:
Now, the issue we have, you may have noticed, is this box is called metasploitable… As in, you are able to metasploit this.
But what the heck is metasploit?
So, I did a bit of a search and managed to find what it was and how it was used. So far so good.
I then looked into some basic skills you can use metasploit for and was immediately lost – at this point, I knew NOTHING about networking, so setting up the options for the payload with correct IPs, reverse listeners, all that noise, was an absolute arse ache.
I struggled for hours to try and work it out before I looked into some guides.
Once I checked the guides, I realised I had taken 3 or 4 more steps than I should have done – I needed to backtrack and learn what goes into the network side of things before trying to metasploit.
I realised that Gandalf was right – this foe was beyond any of us.
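An added example, not from the post and not Metasploit's own code, of the networking that tripped the author up here. A reverse handler is nothing more than a socket that listens on LHOST:LPORT and waits for the target to connect out to it; the payload is the thing that connects back. That means LHOST must be an address the target can actually route to, which is the usual mistake with VMs (host-only versus NAT interfaces). The "payload" below is simulated: it connects back and returns a canned string rather than executing anything, and the addresses are loopback placeholders.

```python
import socket
import threading

# Constructed stand-ins for msfconsole's options (not real targets):
#   LHOST/LPORT = where the attacker listens; RHOST = the target that connects back.
LHOST = "127.0.0.1"
LPORT = 0            # 0 lets the OS pick a free port; in msf you would set e.g. 4444
RHOST = "127.0.0.1"


def pick_lhost(rhost=RHOST):
    """Which of our interface addresses does the target route to?

    A UDP connect() sends no packets; it only asks the kernel which local address
    would be used to reach rhost. That is the address to put in LHOST.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((rhost, 9))
        return s.getsockname()[0]


def start_listener(lhost=LHOST, lport=LPORT):
    """Attacker side: bind and wait for the target to connect back (a 'reverse' handler)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((lhost, lport))
    srv.listen(1)
    return srv


def handle_one(srv, result):
    """Accept one connect-back, send a 'command', record who connected and what came back."""
    conn, peer = srv.accept()
    with conn:
        result["peer"] = peer[0]
        conn.sendall(b"id\n")
        result["output"] = conn.recv(4096).decode()


def simulated_payload(lhost, lport):
    """Target side: a reverse payload connects OUT to LHOST:LPORT, reads a command, answers.

    Simulated: it runs nothing, it just echoes a canned reply so the exchange is visible.
    """
    with socket.create_connection((lhost, lport), timeout=5) as c:
        cmd = c.recv(1024).decode().strip()
        c.sendall(f"simulated output for {cmd!r}\n".encode())
        return cmd


def demo():
    """Run both sides on loopback and return what each saw."""
    srv = start_listener()
    host, port = srv.getsockname()
    result = {}
    t = threading.Thread(target=handle_one, args=(srv, result), daemon=True)
    t.start()
    cmd = simulated_payload(host, port)   # the 'target' dials back to us
    t.join(5)
    srv.close()
    return cmd, result


if __name__ == "__main__":
    print("LHOST the target can reach:", pick_lhost())
    print(demo())
```

The direction of the connection is the whole point: with a bind payload the attacker connects to the target, with a reverse payload the target connects to the attacker, which is why the listener has to be up before the payload runs and why a wrong LHOST simply results in nothing ever arriving.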
This was where I landed back at HTB…
The Return
After all this, I realised I had the setup, I’d been exposed to a few different things, and it was time to get some guidance on where to point things.
So, I landed back at HackTheBox, ready to start testing out some tools!
HTB has some excellent progression built in, particularly the Starting Point boxes!
If you’re going to get your head into HTB then, prior to jumping into Starting Point, make sure you’ve got your head into the basics of the site and how it works. You can do this by getting engaged with the ‘Getting Started’ path, as this explains how you connect to the different boxes, the way you can engage with the multiple options of progression, and everything there is you can do!
I’ve posted a walkthrough of the final challenge here:
Once you’ve completed this, I suggest you then begin on the Starting Point path.
However, be forewarned, unless you subscribe and pay the sub fee, the jumps in difficulty and complexity between the boxes/stages will really bite you.
For example, box 1 of the starting point series (Meow) is literally an nmap scan and telnet. That’s it. I even admitted in my walkthrough that some might wonder why it’s even worth a walkthrough.
However, only 6 or 7 boxes later on the box Oopsie, I actually had to turn it off due to frustration. In my walkthrough I even used the term “dick about royal”.
It’s a really steep learning curve that is definitely flattened by paying for the sub, as this allows access to multiple extra rooms in each tier of the path, meaning each box is only an incremental jump from the last.
Additionally, get used to trying not to feel shame about googling answers on HTB. It’s purposefully made to be more learner-led and explorative in nature. This means what might take a short period of time to complete if you had a run up of information and perhaps some basic quiz questions prior to beginning can turn into several hours of sweating in front of the dim glow of your monitor in the late hours of the night as you rattle through your 8 hundredth Wikipedia article about some obscure Linux tool you’re not even sure is the right one…
Take a breath if you read that out loud.
Of course, if you are to go down this path (pun intended) then I obviously suggest you check out my walkthroughs.
Once you’re done with the Starting Point path you’ll have learned some very cool skills (and shortened your life expectancy) such as nmap, smbclient, whatweb, gobuster, curl, metasploit and more!
You can then take these skills and go to the more competitive-focussed ‘machines’.
These are vulnerable boxes that are more CTF-like in nature and are only available (to non-paying users) for a short while before they’re retired.
If you’re interested in an example, I did a walkthrough of a Dundee Mifflin-themed machine here.
It was, to be totally honest, one of the most fun experiences I’d had in this sphere to date. It was just epic.
I think also knowing that not a huge amount of people had cleared it was exciting, almost like a sense of frontierism that really gets the blood pumping!
Unfortunately, eventually I found that I ran out of basic things to do on HTB but felt I wasn’t quite ready for the more intermediate stuff, which meant I had to once again find something to plug my knowledge gap.
This is when I spoke to someone at work, who had just found this cool new site with boxes and rooms and learning paths about cybersecurity…
The Coup de Grâce
I was sat with a participant in my old role, discussing the qualifications I was doing (having enrolled on the CompTIA quadruple threat at this point) and I mentioned HTB. He asked what it was and, after explaining as best I could, he said “that sounds like TryHackMe!”
To which I was a bit confused, I didn’t know there was anything else like HTB out there.
So, that evening I went home and decided to explore this other platform.
I was stunned – from the little bits I was able to do in the time I had and without being a paid-up member I could see this was a far more guided and lesson-based environment. It felt like exactly what I needed to push myself beyond the basics I had painstakingly learned.
I immediately signed up to see more and have never looked back.
You see, where HTB felt distant and a bit ‘on your own’y, THM is most definitely the opposite – seemingly every room begins with almost a class in the tool you’re about to use. It has specific and clear examples of what you’re looking at, and it has steps with challenges to test what you’ve learned at regular intervals. This is what we called a knowledge check or stretch exercise when I was in education – you have to check you have understood each bit before moving onto the next, that way your knowledge builds like a snowball (rather than crawling through glass, like HTB felt at times).
This does, however, come at the price of it sometimes feeling a bit superficial – there have been many times I’ve come to the end of a room and thought “there was no challenge there. I dunno whether I’ve learned anything there or just followed some instructions”.
The biggest, most enticing part of the whole experience is that it has been ‘gamified’.
Every room you encounter, every challenge you complete, feels like a mini game. Even more than that, the more you do, the more experience you earn, and the more you level up! Even more than THAT you get badges and rewards for certain milestones!
You feel like you’re learning in a cyber RPG at times, it’s so clever. The sense of achievement and satisfaction is incredibly high with both, but there’s something more tangible about your progress in THM.
There’s also a certain cachet to progression on THM – I rarely, if ever, see people on LinkedIn discussing their achievements and ranking on HTB, but virtually everyone has ‘top X% THM’ in their sub title (including me).
There are also very particular and directed learning paths on THM that pertain to very specific elements of a cybersecurity journey. There is a cyber defense path, an offensive security path, there’s even a CompTIA backed Pentest+ path (which comes with a discount code at the end).
These really make you feel like you’re progressing toward the field you’re aiming at, which is nice.
The Toss-Up
So, all in all, two great experiences!
However, each comes with its pros and cons.
HTB Pros
HTB Cons
THM Pros
THM Cons
So, there you have it – my little pros and cons list of each platform!
I think if I were to give a TL;DR, I’d say:
If you’re new, have no experience and really want guidance but still have some challenge – do THM.
If you’ve got some skills already, and/or prefer to have less leading and be allowed more time to do your own research (and you have spare time) – do HTB.
Best case scenario – learn on THM and then graduate to HTB, but continue across both.
Thanks for reading this far if you have, it’s been an interesting puzzle to try to crystallise and write down my own thoughts on my journey this far!
I hope my little adventure thus far is helpful to someone.
Now, I’m off to drink coffee before I take my daughter to ride a pony.
Cyberdad out.
Senior Business Analyst | SAP SD Consultant | Odoo Business Analyst | ERP Consultant
8 months A very nice perspective! I've got several Cybersec certs too, but sometimes I feel like I haven't touched the technical part, actually most of the time. After reading this, I feel inclined to check on both providers. Thank you so much!
Junior Security Engineer @netgenetiqs
1 year Wow! Thank you for this detailed post! It was a blast to read. I'm just about to get into cybersecurity and this post helped a lot. Thanks!
Army veteran migrating legacy 911 centers to Next Generation 911 (NENA i3) technology. Specializing in Cybersecurity (PNPT, CEH), VoIP/SIP (SSCA, SSVVP), NG911 (ESInet, NGCS), AWS (11x certified), and Field Operations.
2 years Great writing! Keep hacking!
Senior Cybersecurity & Technology Internal Audit - Senior Cybersecurity Leadership - IT Director - MBA, CISA, CISM, CCISO, CEH, CHFI, ECIH, CC, Security+, ECI
2 years Edward, you are now studying your CompTIA Sec+ and Net+, aren't you? Well, no platform I'm aware of will train you about load balancers or MDMs. Some things you will need to watch in live action. Your work ethic will do the rest.
Budding #EthicalHacker | Top 1% on #TryHackMe | #ZeroTrust | Knows #python | Aiming to get #CREST #CPSA and #OSCP
2 years Love this!