Hack-The-Box Starter Pack
Have you been marveling at those hacky hack people chiseling away at HTB challenges and wondered if you can hack the box too? Step right up!
Ever seen the constant Hack-The-Box activity and wondered if you can hack the box too? Good news! You too can hack the box if you happen to feel hacky. This article is intended to be a guide and help you get started on your hacky hack path. I watched the HTB challenges for months before taking the leap, and here is what I learned.
You have been listening to and reading about hackthebox, retweeting tweets like "someone just owned user/root on machine", and reading memes about it, but you can't relate it to yourself. Deep down in your heart and mind you have an urge to get started, but you are confused: "How do I get started?" Or maybe you are doubting yourself: "Do I have enough skills within me to start with it?"
Then, my friend, this article is for you. Thank me later... haha!
What In The Hell Is "HackTheBox"?
HackTheBox is an online penetration testing platform where you can legally hack vulnerable machines that try to simulate real-world scenarios in a CTF style. You also have the option to hack offline challenges such as steganography, reversing, etc. The best thing about HackTheBox, along with the awesome machines, is the community. They have a huge community of professional penetration testers, security researchers, skids and other hackers (some black, some white, not being racist, you know what I mean..!!!). You can see them competing and helping each other on the forums, and you can get help from them. They won't spoon-feed you, but they will point you in the right direction.
Here's what they say about themselves,
HACK THE CODE IN ORDER TO BECOME A MEMBER
Hang on! Can't I just sign up with my email? The answer to this is a straight No.
In my opinion this is a good step taken by "hackthebox" to prevent signups by random people who just spam and are a pain for other genuine members. To become a member you need to hack the invite code, and then you get a signup page where you can register yourself and get on board.
What the hack?
What do I need to hack them? Do I need to be a super hacker?
No!
It is made in such a way that people with basic knowledge will be able to get through. All you need to do is enumerate what you can see. "Do I need to write an exploit to sign up?" No! Burpsuite is all you need..!!! Also some basic understanding of HTML and JS. Remember, the invite code is different for every user, so don't try your friend's invite code. Last but not least, there are some blogs which have spoiled the challenge by writing about how to get the invite codes, but trust me, if you cheat you are making a fool of yourself, because you will get stuck badly later. So it's better to keep trying. Maybe it will take a day, maybe a week, but it's worth it.
I hacked them..!!!
Well..!!! That was easy, right? Can I have some real fun now?
Once you are in the dashboard, go to the access tab (check out the left side pane), where you can download the VPN key. HackTheBox needs OpenVPN, so you need to install the OpenVPN client on your machine. Connecting to their virtual network is as easy as
sudo openvpn <your_username>.ovpn
Once you do so, try ifconfig and confirm that you have a tun0 address in it. That's your HTB IP address; it will change from time to time.
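A quick way to script the tun0 check described above (an added example, not from the original article). It parses `ip -o -4 addr show` output rather than `ifconfig`; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the VPN interface has an IPv4 address and notice
# when that address has changed since the last check.

# Constructed samples of `ip -o -4 addr show` output (addresses are made up).
SAMPLE_UP='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec
5: tun0    inet 10.10.14.7/23 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_DOWN='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec'

# iface_ipv4 IFACE: read `ip -o -4 addr show` output on stdin and print the
# first IPv4 address bound to IFACE. Exit status is 1 if IFACE has none.
iface_ipv4() {
    awk -v ifc="$1" '
        $2 == ifc && $3 == "inet" {
            split($4, a, "/")      # drop the /prefix length if present
            print a[1]
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# vpn_status IFACE [LAST_IP]: classify the tunnel as "down", "up <ip>", or
# "changed <old> -> <new>" when the address differs from LAST_IP
# (for example after the VPN reconnects).
vpn_status() {
    cur=$(iface_ipv4 "$1") || { echo "down"; return 1; }
    if [ -n "${2:-}" ] && [ "$2" != "$cur" ]; then
        echo "changed $2 -> $cur"
    else
        echo "up $cur"
    fi
}

# Live use: sh thisfile.sh --live [last_known_ip]
if [ "${1:-}" = "--live" ]; then
    ip -o -4 addr show | vpn_status tun0 "${2:-}"
fi
```
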
Once you are in the network, go to the machines tab. There you will see two tabs, active and retired. If you hack an active machine you gain points for it, whereas for retired machines you won't get points. But I would suggest you first try some retired machines, because if you get stuck, there are a few resources to help you.
It's all about flags!!!
When you get user-level access to a machine, you will get a user.txt flag, and you need to enter that flag. Below the operation tab you will see a user icon; just click on it and enter the flag. You need to do the same for the root flag once you get root access on the machine. A flag will always be an MD5 string, unlike regular CTF flags like Fl4G{1337_hax0r}.
I Got Stuck!
Assuming that you are new to infosec and trying your first few boxes on HTB, it is possible that you will come to a point where you think of banging your head on your study table.
But don't do that..!!! All you need to do is Google. Don't just google, google hard. This is the first thing you should do, but if you still aren't able to get anything solid, it's time to hit the forums. Before posting any comment, read the entire thread (which is full of hints, it's a gold mine) and then post a comment if needed. There is also always some chatter on Reddit, and there are Mattermost and Telegram groups; join them if you use them.
If you get stuck on a retired box you can see the walkthrough of the box on ippsec's YouTube channel, or just google it. (You can read some of them here on secjuice.)
Urghhh, The Box Is Unstable..!!!
It often happens that a lot of people are trying to hack the same box. In such cases someone might delete a file that you are meant to use, or something else might simply go wrong. You can always reset the box from the dashboard.
Tools You Will Be Using Most of the Time
- Nmap (everything starts with an Nmap scan)
- Gobuster/dirbuster/dirb (you need to brute-force directories)
- Burpsuite
- Metasploit
- Python HTTP server (that's not a tool)
- Netcat, to get reverse shells.
Did I miss something?
It is possible that I have missed something in this article. If so, do reach out to me on Twitter; I would be pleased to help you get started. Thanks for reading. I hope you are inspired by this article and will start with HTB soon.