These are the latest modules and labs I’ve completed on Hack the Box, dedicating around 15 hours to understanding and finishing them. I gained a lot of valuable knowledge from these activities and believe Hack the Box has a great deal to offer for learning more about cybersecurity. Below, I’ll outline the modules and explain how they relate to a cybersecurity student.

An image of the module from Hack the Box, embedded in the picture, serves as a link to my completed module.

Web Application Pentesting (Hack The Box) — Module Overview

This Hack The Box module is a compact, hands-on introduction to web application pentesting built for students who already know basic Linux and core security concepts. It walks you from the building blocks of web apps to real-world attack techniques, and includes interactive labs where you can reproduce commands and practice exploit chains safely.

What the module covers:

  • Web app fundamentals: what a web application is, common architectures, front-end vs back-end.
  • Front-end essentials: HTML, CSS, JavaScript, and client-side risks (data exposure, HTML injection, XSS, CSRF).
  • Back-end essentials: web servers, application frameworks, APIs, and different database types, where each is used, and why it matters.
  • Common vulnerabilities: public CVEs, typical web flaws, and an intro to the OWASP Top 10.

Why this matters for a cybersecurity student:

  • Context to Confidence: Knowing how web apps are built (server, framework, DB, APIs) helps you spot realistic attack paths instead of guessing.
  • Hands-on learning: Reproducing examples in a virtual machine converts theory into muscle memory, which is essential for pentests, blue team detection, or capture-the-flag events.
  • Prioritization skills: Understanding CVEs, server types, and OWASP risks teaches you which issues are critical vs. cosmetic, which is useful for effective vulnerability management.
  • Transferable defenses: Knowing offensive techniques (XSS, SQLi, CSRF, and misconfigurations) makes you a better defender: you will design safer apps and write sharper detections.

This module is an ideal first step into web app security: clear theory, focused labs, and real-world guidance that turn classroom knowledge into practical pentesting and defensive skills, exactly what a cybersecurity student needs to move toward professional roles.

Introduction to Hardware Hacking: Why It Matters

Hardware hacking is about understanding the vulnerabilities that exist beneath the software layer, in the chips, circuits, and wireless connections that power our devices.

This module introduces three key areas:

  • Bluetooth attacks like BlueBorne and KNOB, showing how insecure wireless connections can expose data.
  • Cryptanalysis side-channel attacks, where attackers extract secrets by analyzing timing, power, or sound.
  • Microprocessor flaws such as Spectre and Meltdown, which exploit performance features like speculative execution to leak data.

Knowing these attacks matters because hardware is the foundation of every system. Even perfect software can’t protect a vulnerable chip. For cybersecurity professionals, understanding hardware risks is essential to building stronger, more resilient defenses.

Penetration Testing in a Nutshell: Understanding the Full Process

Penetration testing simulates real-world attacks to find the weak spots before an adversary does. This module walks you through a realistic pentest workflow, from pre-engagement and information gathering on Linux/Windows, to vulnerability assessment, gaining initial access, privilege escalation, data discovery/exfiltration, and finally Proof of Concept creation and reporting. Each section includes hands-on exercises and example commands so you can practice the exact steps you will perform in the field.

The module breaks down the process into eight key phases:

  • Pre-Engagement – Define scope, permissions, and objectives.
  • Information Gathering – Collect intelligence on systems and networks.
  • Vulnerability Assessment – Identify weak points from collected data.
  • Exploitation – Attempt to gain unauthorized access.
  • Post-Exploitation – Escalate privileges and analyze deeper access.
  • Lateral Movement – Expand control across the network.
  • Proof-of-Concept – Document how vulnerabilities were exploited.
  • Post-Engagement – Present findings and remediation steps to the client.

At its core, penetration testing is an authorized simulation of a cyberattack designed to uncover vulnerabilities before real attackers can exploit them. For cybersecurity students, learning this process is essential. It builds a deep understanding of how attacks unfold, how defenses fail, and how to communicate technical findings clearly and professionally. Beyond technical skill, it develops critical thinking, helping you diagnose problems, adapt when you’re stuck, and follow a structured methodology. It’s not just about hacking; it’s about learning how to think, analyze, and defend like a true cybersecurity professional.

The photo from the lab on Hack the Box includes a link to my completed lab.

Tracking Sandworm: Using MITRE ATT&CK to Study Real Threats

As a cybersecurity student, I have been curious about industrial control systems (ICS). In this lab, I researched the advanced threat group Sandworm, also known as BlackEnergy Group or APT44. This Russian state-sponsored team is behind major attacks like NotPetya and Ukraine’s power grid disruptions.

Using the MITRE ATT&CK framework, I mapped Sandworm’s tactics and techniques, from spearphishing and PowerShell execution to data destruction and Industrial Control Systems disruption. The framework clearly shows how real attackers operate across every stage of an attack.

A key lesson was learning to connect MITRE data with CVEs, such as CVE-2017-0144 (EternalBlue), which Sandworm used in NotPetya. Tracking and understanding CVEs helps professionals predict how vulnerabilities can be exploited before they’re weaponized. This lab will be extremely useful for me in the future, as MITRE ATT&CK turns threat intelligence into actionable defense.

These modules are so fun and interesting. I’ve been doing a lot more than just these. I recently finished 50 hours of labs and lectures for the CompTIA Security+ exam, and now I’m studying. I just started lectures for the ITIL Foundation 4 exam and am still working on a hands-on phishing course by Tyler Ramsby on top of that. The journey never ends, but you need to find time to relax and get outside. Here’s a picture of me at Arches National Park in Moab, Utah.
