Pentesting Learning Process
- Date: 2026-05-17
My pentesting mindset:
- Music Type: Brain.fm/Countryside
- Fulfilled Needs: Eat, Water, Sleep, Love
- Long-Term Focus: Finish HTB CPTS
- Immediate Goal: Finish Enumeration
- Work Location: Library
- Sleep: Consistent
- Block: 4 Hours
- Ideal Time: Morning
- Pre-Task Activities
- 2 Hour Breaks (after every block)
- Breaks After 4 Hours of Constant Attention
- Working Hours: 7:45 to 7:00/7:30 PM (Almost 12 Hours)
- Calm/Happy/Excited
- Challenge-Level
- Perceived Necessity/Importance
Occam’s Razor states that the simplest solution is likely the most probable one.
The best approach for pentesting is working with the information at our disposal. Specifics differ from problem to problem.
Success comes from reframing a problem as a situation by distancing our emotions from it.
It is essential to know the goal being worked towards; otherwise, moving from one topic/point to another serves no purpose.
To deal with learning efficiently amongst the sheer size of what’s available, we need to know:
- our goal
- what we know
- what we don’t know
Failing is an unavoidable, essential part of learning.
Reading, watching demos, group discussion and self-practice enhance the pentesting learning experience by 75%.
There's a difference between just asking questions and asking questions sincerely to get answers, to increase your knowledge…
The aim of documentation in pentesting is to present information in a comprehensible and easy-to-understand way for the reproduction of the activity.
When documenting a pentest, we must first decide who the report audience is.
Characteristics of pentesting documentation:
- Overview
- Structure
- Clarity
A note-taking tool (like CherryTree) and a screenshot tool are all that you need.
Focus and attention are NOT the same; attention is influenced by focus.
“Focusing is the purposeful and deliberate alignment to a specific goal.”
“Focused people are not only enormously persistent and tenacious, but they are also hardly distracted or discouraged. If we know our goal, it is easier to align our focus accordingly. This, in turn, makes us much more efficient, and we get closer to our goal much faster and do not let ourselves be distracted by external influences.”
“We have already approached the pentesting learning process with a confident attitude, expectation, orientation, and goal. Attention is an independent mental process that takes place subconsciously.”
“People with a low frustration tolerance tend to give up or break off quickly when unexpected resistance arises, or the expected success does not occur within a specific time. The result of this behavior is an increased tendency to stress and avoidance and partly aggressive forms of reaction.”
Here’s how you can express frustration tolerance the right way:

“Do not forget that this feeling of frustration is temporary. This means that when we feel frustrated, it will pass. Most people get scared and panicky at such a feeling, which leads to the fact that such people sometimes even react aggressively. They are not aware that it is a temporary feeling. Therefore, we do not need to be afraid to venture into such situations. Frustration passes, the experience we have gained through it remains.”
Fear is a state and the product of our imagination of the future and its consequences where the present is suppressed.
Fear is essential and healthy in life-threatening and health-threatening situations. However, sitting in a chair in front of a computer, afraid of not being up to the tasks we find here, is irrational. After all, we have not yet worked through most of the material, but we are already beginning to program (adjust) ourselves to fail. So let's ask if this fear is called for:
- Have we already worked through all the material?
- Have we already seen what is being taught and how it is being taught?
- Do we already have to have the skills that are expected of us?
If we answer "no" to these three questions, it should be clear that we are afraid of something without even trying it. This leads to the fact that the fear, in this case, is not justified.
Don’t act paradoxically to fear.
skills, certifications, network, projects, boxes, cv, “experience”…
We need to know the factors and assess the consequences to make a decision. The more factors we know, the more precise the decision we will be able to make for our goal.
No one will be able to question your success if you: “Decide (Decision Making) on the goal defined in detail (The Goal) that you really want to achieve from your heart (Willingness), and that will make you happy consciously and subconsciously (The Brain).”
No matter whom the documentation is intended for, here are some guidelines we can follow:
- It is beneficial to put ourselves in the position of our readers. This will make it much easier for us to design the documentation.
- Avoid repetition and ambiguity.
- Make documentation as easy to read as possible. No one wants to read documentation that is difficult to understand or follow.
Organizational tools:
- Scrum
- Agile
- ToDo-Lists
- Bullet Journal and more.
Management techniques…


People fear what might happen in the future while not considering the present.
The difference between a winner and a loser is that the winner has lost more often than the loser.
Only the person who has taken the exact same journey as you can evaluate you and your decisions. Everything else is only assumptions.
The most important and most difficult thing in any situation is not the search for the right answer but the search for the right question.
Ask precise questions: “How can I use the server's SMB service to identify its existing user accounts?”
“Once we know the goal (The Goal) to which we are attracted (Willingness), we can use various principles, such as the Pareto Principle or Occam's Razor, to develop our talents (Talent) and skills and make our decisions (Decision Making) to pass the obstacles that fall across our path by asking the right questions (Questioning).”
All our questions have a commonality: the relationship between the individual components. So let us take a quick look at a model we have developed, which we call the Relationship-Oriented-Questioning Model (ROQ), and see how it looks and works.
This model represents five components:
| Component | Description |
|---|---|
| Your Position | This describes the position we are in and our view. |
| The Object | The object is the core element of the question. The main component of our sentence takes the meaning out of the question. |
| Known | This information is known to us. |
| Unknown | This information is not known to us. |
| Other Position(s) | This component describes the position of other persons. |
PRACTICE!
To get the best guidance on our problem, we need to ask our questions effectively.
Be sure to include the following in our question:
- What point of the box/challenge are we stuck at (i.e., user/root)?
- What steps have we taken so far to get to the point we are at?
- What step are we failing at, and what have we done to resolve our issue?
- Always try to be very specific on what we need help on, rather than asking for general help
To answer questions on others' problems, we need to answer them effectively:
- Be as spoiler-free as possible, and do not give direct instructions on how to complete the current step or the entire box
- Give minor hints or tips that can lead to the right direction for completion, and do not give entire suggestions for completion
- Share resources that we found helpful
- Share tips on points we were getting stuck on