Hello There! 👋
Welcome to my personal cybersecurity blog! This is my first post marking the beginning of a journey where I’ll share insights about penetration testing, offensive security, and ethical hacking.
Why I Created This Blog?
I’m currently a 3rd-year Information Security student at FPT University Hanoi. Throughout my learning journey and hands-on lab work, I’ve realized that:
1. Writing Deepens Understanding
When you write about what you’ve learned, you’re forced to truly understand it. Many times I thought I understood something, but when I sat down to write about it, I discovered gaps in my knowledge.
2. Teaching is the Best Way to Learn
“If you can’t explain it simply, you don’t understand it well enough.” - Albert Einstein
Each blog post is an opportunity for me to consolidate knowledge while helping others on the same path.
3. Building a Real-World Portfolio
In cybersecurity, having a portfolio demonstrating practical skills matters more than certifications alone. This blog is where I document my projects, findings, and lessons learned.
Who Am I?
I’m Duc, a student passionate about penetration testing and offensive security. Rather than just learning theory, I believe in:
“Learn by Doing” - Hands-on practice over passive reading
What I’m Currently Doing:
🎯 Building Home Labs
- Vulnerable web application environments (DVWA, bWAPP, OWASP Juice Shop)
- Active Directory pentesting lab with multiple domains
- Network penetration testing environment with Kali Linux
🔴 Continuous Practice
- TryHackMe: Focusing on penetration testing paths and offensive security rooms
- Hack The Box: Pwning machines and solving challenges for real-world scenarios
- PortSwigger Web Security Academy: Mastering web application vulnerabilities
- Bug Bounty Platforms: Starting with HackerOne and Bugcrowd
📚 Learning & Certifications
- Completed: Google Cybersecurity Professional Certificate
- In Progress: Web Penetration Testing 101 (CyberJutsu Academy)
- Planning: eJPT (eLearnSecurity Junior Penetration Tester)
- Future Goal: OSCP (Offensive Security Certified Professional)
What Will This Blog Cover?
I’ll focus on the following topics:
🔴 Penetration Testing Fundamentals
- Reconnaissance and information gathering techniques
- Vulnerability assessment and exploitation
- Web application pentesting (OWASP Top 10)
- Network penetration testing methodologies
- Privilege escalation techniques (Windows & Linux)
🌐 Web Application Security
- SQL Injection (SQLi) attacks and bypasses
- Cross-Site Scripting (XSS) exploitation
- Authentication and session management flaws
- Business logic vulnerabilities
- API security testing
🖥️ System & Network Hacking
- Active Directory exploitation
- Post-exploitation techniques
- Lateral movement and persistence
- Password cracking and hash attacks
- Wireless network penetration testing
🛠️ Tools & Methodology
- Burp Suite mastery and extensions
- Metasploit Framework usage
- Custom Python scripts for automation
- Nmap advanced techniques
- Tool development for specific scenarios
💡 Learning Journey
- CTF writeups and walkthroughs
- Bug bounty reports and findings (when permitted)
- Lessons learned from failed attempts
- Tips for aspiring pentesters
- Book reviews and resource recommendations
My Writing Style
I’ll aim to write in a style that’s:
✅ Practical and Detailed - Every post includes screenshots, commands, and step-by-step reproduction
✅ Easy to Understand - Complex concepts explained in simple terms with real-world examples
✅ Actionable - Focus on skills you can immediately apply in your pentesting workflow
✅ Honest - Not afraid to share mistakes and lessons learned from failures
2025 Content Roadmap
Here’s what I plan to cover in the coming months:
Q1 2025 (Jan - Mar)
- Building a Complete Pentesting Lab from Scratch
- OWASP Top 10 Deep Dive Series (10 posts)
- My First Bug Bounty: From Recon to Report
- SQL Injection: From Basic to Advanced Bypasses
- Active Directory Pentesting for Beginners
Q2 2025 (Apr - Jun)
- Privilege Escalation Techniques: Windows Edition
- Privilege Escalation Techniques: Linux Edition
- Web Application Fuzzing with Custom Wordlists
- Metasploit Framework: Beyond Basic Usage
- Writing Python Tools for Penetration Testing
Q3 2025 (Jul - Sep)
- Buffer Overflow Exploitation Basics
- API Security Testing Methodology
- Post-Exploitation: Maintaining Access
- Bypass WAF and Security Controls
- eJPT Certification: My Study Guide
Q4 2025 (Oct - Dec)
- Red Team vs Blue Team: Attack-Defense Scenarios
- OSCP Preparation: What I Wish I Knew Earlier
- Advanced Active Directory Attacks
- Mobile Application Penetration Testing
- Year in Review: Lessons from 100+ Labs
My Goals
Short-term (2025)
- 🎓 Obtain eJPT and PNPT certifications
- 📝 Write 24+ technical blog posts (2 per month)
- 🏆 Reach Top 10% on TryHackMe and HTB
- 💰 Submit 5 valid bug bounty reports
- 🔬 Complete 100+ pentesting lab challenges
Medium-term (1-2 years)
- 🎯 Obtain OSCP certification
- 💼 Land my first role as Junior Penetration Tester
- 🏅 Earn $1,000+ from bug bounties
- 📚 Contribute to open-source pentesting tools
- 🎤 Speak at local cybersecurity meetups
Long-term (3-5 years)
- 🚀 Become a Senior Penetration Tester or Red Team Operator
- 🌏 Work with international security teams
- 🤝 Mentor aspiring pentesters
- 💡 Develop my own security tools and frameworks
- 📖 Maybe write a technical book on offensive security
My Learning Philosophy
I follow these principles in my pentesting journey:
🎯 Focus on Fundamentals
Before jumping into advanced techniques, I make sure I understand the basics deeply. Why does SQL injection work? How does TCP/IP actually function? Understanding the “why” helps you adapt when things don’t work as expected.
🔄 Consistent Practice
I dedicate at least 2-3 hours daily to hands-on practice. Whether it’s a HTB machine, a CTF challenge, or building a new lab, consistency beats intensity.
📝 Document Everything
Every successful exploit, every failed attempt, every interesting finding gets documented. This creates a personal knowledge base I can reference later.
🤝 Engage with Community
Learning in isolation is hard. I actively participate in Discord servers, forums, and local meetups. Teaching others reinforces my own understanding.
⚖️ Ethical Mindset
Penetration testing skills come with responsibility. I always:
- Get proper authorization before testing
- Respect scope and rules of engagement
- Report vulnerabilities responsibly
- Never use skills for malicious purposes
What Makes Me Different?
There are thousands of pentesting blogs out there. Here’s what I hope makes mine unique:
🎓 Student Perspective
I’m learning in real-time. My posts reflect the struggles, questions, and “aha!” moments that students face. No pretending to be an expert – just authentic learning.
🔬 Lab-Focused Approach
Every technique I write about, I’ve tested in my own lab. I include full lab setup instructions so readers can reproduce everything.
🌏 Southeast Asian Context
Most pentesting content comes from Western perspectives. I’ll share insights relevant to SEA region, including local vulnerabilities, regional bug bounty tips, and cultural considerations.
💰 Budget-Conscious
I’m a student with limited budget. All my labs use free or student-licensed tools. I’ll show how to learn pentesting without spending thousands of dollars.
Closing Thoughts
Thank you for taking the time to read my first post! I know the path to becoming a professional Penetration Tester isn’t easy, but I believe that with persistence, passion, and the right methodology, anything is possible.
This blog isn’t just about sharing knowledge – it’s a journal documenting my own learning journey. If you’re on a similar path, let’s connect and learn together!
Coming Up Next
In my next post, I’ll provide a comprehensive guide on Building Your First Penetration Testing Lab, covering:
- Hardware requirements and virtualization setup
- Installing Kali Linux and essential tools
- Setting up vulnerable targets (DVWA, Metasploitable, VulnHub VMs)
- Network configuration for isolated testing
- Best practices for safe pentesting practice
Stay tuned! 🚀
Have questions or want to suggest topics for future posts? Drop a comment below! I’d love to hear from you.
Follow my journey: #PenetrationTesting #EthicalHacking #Cybersecurity #LearningInPublic #RedTeam #BugBounty
Quick FAQ
Q: Are you available for penetration testing services?
A: I’m still a student learning the craft. This blog is about my educational journey, not professional services.
Q: Can you help me hack something?
A: No. I only practice ethical hacking with proper authorization. Please don’t ask me to do anything illegal or unethical.
Q: What’s your favorite pentesting tool?
A: Burp Suite for web apps, Metasploit for exploitation, but honestly, my favorite “tool” is thorough manual testing and creative thinking.
Q: How much time does it take to become a pentester?
A: There’s no fixed timeline. With dedicated daily practice, you can get job-ready in 1-2 years. But learning never stops in this field.
Q: Should I learn programming before pentesting?
A: Basic scripting (Python, Bash) is essential. You don’t need to be a software engineer, but you should be comfortable reading and writing code.
Last updated: October 13, 2025