My First Step Into Ethical Hacking

I used to think hacking was just typing fast and breaking into systems.

GhostInRoot

~4 min read · April 18, 2026 (Updated: April 18, 2026) · Free: Yes

But it's actually more about thinking than typing.

It starts with simple questions:

What is exposed?
What can I access?
What assumptions is the system making?

💻 What Is Offensive Security?

Offensive Security = thinking like an attacker (but ethically).

Instead of waiting for real hackers, we test systems ourselves to find weaknesses.

It's legal
It's structured
It's done with permission

Simple idea:

Break things → to make them stronger

🧠 Mindset Shift

This is the real change.

Not just using systems… but questioning them.

Why is this open?
Should this be accessible?
What happens if I try something weird?

Everything becomes a clue.

🔍 Finding Weaknesses

Target: a simple website

At first → everything looked normal

Which usually means:

something is hidden

🧪 Manual Testing

Tried common hidden paths:

/sitemap  
/mail  
/register  
/login  
/admin

Some failed… but one worked.

That was the first real finding.

⚡ Using Automation (Gobuster)

Manual testing is slow.

Used Gobuster:

gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt

What it does:

Scans many paths automatically
Finds hidden directories

Result:

Found a hidden page faster

This process = enumeration

🚪 Exploiting Weaknesses

Finding a page is just step one.

Real idea:

small weaknesses can connect

Like dominoes.

🧠 Think Like a Hacker

This is where things start to change.

It's not just about using a system anymore… it's about questioning it.

A hacker doesn't just see what works — they look for what can be misused.

Some thoughts I kept in mind:

Don't assume things are secure
What happens if I try something unexpected?
Can this be used in a different way than intended?

Even small things matter.

A tiny issue alone might look harmless… but combined with something else, it can turn into a real problem.

Kind of like dominoes.

So the mindset is simple:

Don't just use the system — challenge it.

Here are some key points to keep in mind as you continue your ethical hacking journey.

Ask questions: Don't assume a feature works as intended. Instead, ask "What if it doesn't?" Test the unexpected: Try actions and inputs that the developers didn't consider Chain small weaknesses: A tiny flaw may be harmless alone, but could be connected to create a bigger impact Think like an adversary: Think "How would a malicious actor approach this target?"

🔑 Breaking In

Now goal = login access

Tried:

Username:

admin

Passwords:

abc123  
123456  
password  
qwerty  
654321

One worked.

Got access

🤖 Using Hydra (Automation)

Instead of guessing manually:

hydra -l admin -P passlist.txt www.onlineshop.thm http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

What it does:

Tries passwords automatically
Finds correct one fast

This is called:

Dictionary Attack

🎯 A Valuable Target

One thing I noticed quickly:

Attackers don't always go for complicated stuff first.

They go for access.

Because once you have login credentials, everything changes.

With valid credentials, an attacker might get:

Access to private user data
Features that normal users shouldn't control
Admin-level permissions
More opportunities to dig deeper

That's why login systems are such a big deal.

In my case, finding the login page didn't seem like much at first…

But it became important when combined with weak passwords.

Small weakness → bigger impact

That's how real attacks happen.

Explore what becomes accessible to an attacker once they gain entry to the private areas of an application.

Sensitive functionality:

Features that perform essential actions, such as modifying data, viewing restricted content, or triggering processes that should only be available to authorized users

User data:

Personal or private information belonging to users, such as names, email addresses, or account details, which attackers may steal, abuse, or sell

Administrative features:

High-privilege functionality that allows attackers to manage users, change settings, or gain full control of the application if accessed

Further attack opportunities:

Authenticated access can expose other vulnerabilities, allowing attackers to expand their access or move deeper into the application

🧠 What I Learned

Thinking matters more than tools
Small things are important
Automation saves time
Always question everything

🚀 What Next?

Cybersecurity has many paths:

Penetration Tester
Red Teamer
Security Analyst

No need to rush.

Learn step by step. Practice daily.

🎯 Final Note

This was my first step into ethical hacking.

Simple start… but really interesting.

Definitely continuing this journey.

Want to try it yourself?

https://tryhackme.com/room/becomeahacker

#hacking #first-hacking #2026-hacking #claude-hacking #cybersecurity