By the time this post is released, it will be New Year’s Eve. Happy New Year to all of you in advance. That night will also mark the end of my first lunar year (there’s still 3/4 of a year left for a total year) of being hopelessly addicted to pwn.
In this blog, I’ll go over my story of how I started, things I learned along the way, and where I want to see myself in a year. This is more of a personal note to my future self, but I wanted to write it down so I can hold myself accountable.
Start of the journey
Let me take you on a ride down memory lane. A couple of months back, I was talking to a friend who said he needed a pwn player for BlackHat MEA QUALS, which was coming up in a month. Me, knowing nothing about CTFs and even less about PWN, said I’d play with them.
Now there’s a backstory to this. I was 15 at the start of this year—stupid and knowing very little, but naturally very ambitious. At the start of the year, I created a list of things I wanted to learn:
Reverse Engineering
Binary Exploitation
Malware Analysis
Languages
Policy Making
Forensics and DFIR
Blue Teaming Basics
System Programming
OS Architecture
Kernel
API Pentesting
Android and iOS Application Pentesting
Cryptography
Active Directory
OSINT
Cloud Working and Pentesting
AI/ML Basics & Their Implications in Cyber Security
Risk Management and Mitigation
Hardware Hacking
OPSEC

As you can tell, it was a very unrealistic target. By the end of the year, I was able to achieve only two items on this list: binary exploitation and a little bit of OSINT. It was August, if I remember correctly, when I had that call with my friend. At that time, I had only gotten started with OSINT and had little to no progress in anything else, primarily because of school and, yeah, me being lazy XD.
So when the opportunity arose to play CTF with a team—and it was a category I had on my “target” list—I thought to myself: there’s demand, so just learn the stupid thing and get on the team.
And again, I still had no knowledge of pwn. But I was facing a tight deadline and wanted to deliver because I had given my word.
So, I had only one choice: to lock in and speedrun the Nightmare series (something I recommend you do if you’re just getting started). That’s what I did, and by the end, I had a little practice and was feeling confident. In the end, though, I didn’t solve any challenges during the event. But at that point, I was so addicted to popping shells that after the event, I dove right back in and played CTF after CTF, solving challenge after challenge—150+ challenges and 30+ CTFs in total:
TSG CTF 2025
BSides Algiers 2025
SECCON CTF 14 Quals
niteCTF 2025
NexHunt CTF
BackdoorCTF 2025
LakeCTF Quals 25-26
HeroCTF v7
GlacierCTF 2025
PatriotCTF 2025
P3rf3ctr00t CTF 2025
PwnSec CTF 2025
BuckeyeCTF 2025
Infobahn CTF 2025
V1t CTF 2025
DEADFACE CTF 2025
m0leCon CTF 2026 Teaser
Hack.lu CTF 2025
QnQSec CTF 2025
POC CTF Qualification 2025
Securinets CTF Quals 2025
openECSC 2025
SunshineCTF 2025
Iran Tech Olympics CTF 2025
K17 CTF
CTF@AC - Quals
FortID CTF 2025
WatCTF F25
BlackHat MEA CTF Qualification 2025
AmateursCTF 2025
POC CTF 2025

And we’re back to the future. In the end, I’m happy about how things panned out. At the end of the year, I ended up finding something that I like doing and want to do in the future and make a career out of it, and I’m thankful for that.
Things I learned
- First suffer, then solve: One really interesting learning technique I discovered was to identify the problem and analyze it yourself before looking at the solution. This helped me retain a lot of what I learned because you bind the problem to the solution, and you can reuse that knowledge again and again.
- Upsolve everything: Upsolving challenges from CTFs that I failed to complete taught me to try and try and try and fail along the way—but that doesn’t matter because you end up solving it eventually. It also taught me how to approach problems when you have the solution but don’t understand it.
Things I enjoyed
- I enjoyed the opportunity to meet a lot of people and collaborate with them on complex problems.
- I enjoyed spending nights on problems that I didn’t end up solving. You might think I’m sadistic—that might not be wrong, but yeah XD.
- I enjoyed grinding challenges and climbing scoreboards while being sleep deprived.
- I enjoyed learning new things and using them to solve challenges.
- I enjoyed pwning my way through challenges.
Where I wanna see myself in 365 days?
I’ve accumulated some basics in the past few months, but most of it has been pretty standard up till now. I’m just getting started with more advanced topics like Linux kernel exploitation and hope to learn about browser exploitation. I want to get hands-on practice with vulnerability research by doing n-day analysis and sharing what I learn along the way.
I was browsing through links as one does and came upon this post titled “Do the Real Thing”, and it opened my eyes to what I want to change about what I’m doing. I want to really start doing research instead of just learning and doing CTF challenges. I’m not saying that’s not worth it—it absolutely is—but doing actual research is something I need to do instead of preparing to do it by doing CTF challenges.
I have a few plans I want to share:
- I want to start a series where I look into C++ objects and how to exploit them—something that has very few resources available. This is a way I think I can contribute to the community.
- I’m thinking of writing up notes on things I’ve studied in the past few months and laying them out as blog posts. You might be wondering why I don’t have notes already? Turns out I made a mistake :( As I move into other topics, it’s necessary that I retain my current knowledge.
- Also, I want to implement n-day exploits and release them and also release writeups for more complex challenges (thinking of doing it like maybe once/twice a month).
Mental thoughts
- Right now my “achievements” don’t feel meaningful to me. They’re all good, but deep down I know that they don’t have any real impact. I want to change that in the near future by working on things that have real impact.
- As this field is hyper-competitive, I’m super insecure sometimes, and I’m not ashamed to admit that. In those times, I’m prey to feelings of inferiority—which is different from an inferiority complex. To understand how to deal with this and other things like this, I’d urge you to read “The Courage to be Disliked” by Fumitake Koga and Ichiro Kishimi.
- I have a fear of failure that’s holding me back from growing. To put this into more concrete words: trying new things can be daunting, and unconsciously my mind finds reasons not to do something just because I’m scared of failing.
- I deal with constant panic attacks where I just go crazy and get really scared by normal things—like fear of being left behind or missing out.
- I need to know how to tell if I like doing something and differentiate whether something is just hard or whether it’s something I don’t actually like doing.
Conclusion
This year has been transformative. I went from zero knowledge to solving 150+ challenges across 30+ CTFs. I found something I’m passionate about and want to pursue as a career. But more importantly, I learned that action beats planning every time. The next year is about going deeper—not just solving CTF challenges, but doing real vulnerability research. Not just learning, but contributing. Not just achieving, but making an impact. Here’s to a year of segfaults, shell pops, and growth. See you on the other side.
Let’s hope this year is “Annus Mirabilis” for all of us.