This time I felt incredibly confident. I was no longer tripped up on what an MD5hashsum is or SQL syntax. I was ready. 

And I was ready! I completed every 'easy' and 'medium' task and half of the 'hard' and 'difficult' tasks. 

Unfortunately I didn't take any notes on this one and only remember discovering that linux saves your bash commands. I knew about the 'history' command but didn't realize there was a whole .bash_history file saved to the user profiles. 

I was glad that this time, I knew how to use URL encoding to bypass path traversal filters in BurpSuite and how to exploit an XSS vulnerability to hijack the admin session.

TryHackMe is a wonderful gamified platform. A very popular gamified platform. So popular, that there are write ups for each room almost as soon as they're published. If it's not a video walk through on youtube giving you all the answers, it's a write up on GitHub or on Medium. 

I liked it as a game platform, it explained many topics and I gravitated mostly towards the pen testing rooms. 

See? Proof! 

But the popularity is it's downfall as a test. These CTFs are an open book test in the first place, if for some reason you don't know how to use burpsuite for instance, but to have all of the writeups just readily available at your fingertips? Tragic. Hilariously, there was only one room that wasn't explicitly written out, step by step in how to solve it and that was the OSINT room. 

We had to track usernames and conversations and decrypt base64 comments from site to site to track down the flag, and honestly it was the challenge I enjoyed the most. Who doesn't love a little cyber stalking and following the bread crumbs?

Unfortunately this entire CTF was a wash, because all of the answers (sans the one room above) were easily found on the web. 

The time: September 10 through Sunday, September 14, 2026
The place: cooped up in my office with the cats, desperately hunched over my laptop

My first CTF was less about solving challenges and more about understanding what I was even looking at.
At the time, I didn’t fully understand what a “flag” was in the context of a CTF. I assumed it was something abstract or hidden behind layers of complexity. In reality, it’s just a string, typically formatted like:

flag{example_flag}

The goal is simple: get the program to reveal it. Which was simple when I finally realized what I was looking for, or at least, I could recognize that these challenges were meant to be beginner/mid level challenges and should be solvable if I could hack just a little bit. 

The best tools I was introduced to in this CTF were Burpsuite and exiftool. What do you mean you can just change what you send to the website and interrupt the traffic to force a different page to show up? That's fantastic! This was such a novel concept that this was even possible to do, I spent half my time just playing around trying to force my way into the different parts of the test site. 
As for exiftool, I was very familiar with using the CLI through my linux usage, but had never realized that you could look at the metadata on the file in the command line. It was great to learn about magic numbers and how to alter that to reveal anything and everything about the original image, or to corrupt the image to conceal the data. 

The SANS BootUp CTF was the perfect start to my cyber career and to the concept of red teaming, even if I still hold that whoever thought up CTFs was a sadist because it was difficult. I pity anyone who didn't initially have coding experience.