Taiab's Blog

My TryHackMe Journey: From Beginner to Top 3% Global

Md. Taiab

2024-10-12 · 3 mins read


I started TryHackMe with a QA engineering background. I knew how to break software from a testing perspective, but I had no idea what a reverse shell was or why anyone would care about OSINT. Fourteen months later, I'm sitting at top 3% globally.

Here's what that path actually looked like.

Why I Started

My CTF results in 2021–2022 (10th in National Cyber Drill, 7th in RIOT FlagHunt) were mostly luck. I was solving challenges by Googling the specific error message and hoping someone had written a writeup. I wasn't learning the underlying concepts; I was pattern-matching.

TryHackMe forced me to learn the why.

The Learning Path I Followed

Phase 1: Pre-Security (Weeks 1–3)

  • How the web works (HTTP, DNS, HTTPS)
  • Linux fundamentals (the ones I didn't already know from QA work)
  • Network basics (TCP/IP, Wireshark intro)

This was the foundation I was missing.

Phase 2: Jr Penetration Tester Path (Months 1–4)

Key rooms that changed my thinking:

OWASP Top 10: Not just the names, but actually exploiting each one. The SQL injection room was eye-opening because I'd been writing SQL injection test cases without understanding what actually happens server-side.

Burp Suite Basics: I'd been using Postman for API testing. Burp Suite is on another level. Intercepting requests, modifying parameters, repeating with modifications: this is where my QA mindset of intercepting and tampering with requests translated directly.

SSRF: This one hit close to home. I realized I'd missed potential SSRF vectors in several applications I'd tested.

Phase 3: Offensive Pentesting Path (Months 4–9)

  • Metasploit for beginners → intermediate
  • Web application hacking (XSS, IDOR, broken auth)
  • Privilege escalation (Linux and Windows)
  • Active Directory basics

The privilege escalation content was the hardest. Linux privesc alone has 20+ distinct techniques.

Phase 4: Specialization

I focused on web application hacking because it overlapped with my QA skills. Bug bounty methodology, IDOR hunting, auth bypass: this is where my existing knowledge gave me an edge.

What QA Skills Transfer to Security

More than I expected:

| QA Skill | Security Equivalent |
|----------|-------------------|
| Boundary value testing | Fuzzing / parameter tampering |
| Negative testing | Broken auth / input validation testing |
| API testing | API security testing |
| Defect documentation | Bug bounty report writing |
| Exploratory testing | Recon and manual app mapping |
| Regression testing | Verifying patch effectiveness |

The Grind

Top 3% isn't about being smart; it's about consistency. I did at minimum one room per day for 6 months straight, even if it was just 30 minutes. The streak motivation is real.

If you're a developer or tester looking to get into security: start with TryHackMe's Jr Penetration Tester path. Your existing skills will help more than you think.

Written by Md. Taiab

Md. Taiab is a Software QA Engineer and security enthusiast based in Dhaka, Bangladesh. He interned as a QA Engineer at Battery Low Interactive Ltd. and competes in CTFs and programming contests, ranked Top 3% globally on TryHackMe and Champion of GUB Junior IDPC 2023.