Not so long ago, I achieved a milestone in my penetration testing career: reaching rank 1 on Hack The Box. For those of you who don't know what Hack The Box (HTB) is:
"Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field." (Hack The Box main website)
The idea is relatively simple: Hack The Box is a platform where, every so often, a new virtual machine or a challenge is released. This machine or challenge (the two are distinct categories; a machine is not a challenge) is then open to the Hack The Box community to hack. Every machine or challenge is intentionally vulnerable, and every machine or challenge has its own difficulty rating. The more difficult the machine or challenge, the more points you get for cracking/hacking it.
I created an account when I graduated from university, about 2 years ago, but because my first job did not require any pentesting skills, I let my account lie dormant for a good long while. That is, until about a year ago, when I decided I wanted a full-time job in cyber security. In this blog post I will try to condense some tips and tricks on how I went on to become the highest-ranked Hack The Box player in Belgium.
1. Learn from the best
If you are relatively new to the field of offensive security and/or capture the flags, I highly recommend building a solid foundation first. My personal background is system engineering; I did not learn any offsec skills in school. As a baseline I recommend 2 content creators whom I still look up to:
IppSec releases Hack The Box walkthroughs whenever a box is decommissioned. I personally learned most of my skills and my methodology from him. He has a very clear approach in his videos and is easy to listen to.
The Cybermentor is the second one on my list. Granted, I only learned of his existence not that long ago, while I was prepping for my OSCP certification, but the dude is pretty awesome.
While the majority of IppSec's videos are based on breaking boxes, The Cybermentor's videos are more tailored towards the raw tactics and technical explanations.
In my personal opinion, these 2 form a very nice duo that will take you from zero to hero in no time.
2. We learn from failure, not from success
During my journey, this is one of the key lessons I'm taking away. Some boxes will be very easy for you, some will be very hard. Hack The Box tries to give each box a difficulty rating, but my personal experience tells me that some boxes labelled easy are actually incredibly hard. Often this is because of the "overthinking" we tend to do as security professionals. Sometimes the answer lies right in front of our noses; we just don't see it. The boxes where I had to spend hours, days and sometimes even weeks are the boxes that will teach you valuable lessons.
3. Enumeration is key
This one is probably one of the most classic answers you'll hear when you ask penetration testers for advice. When I tackle a box, I always try to have some kind of passive enumeration going in the background. Computers are more efficient at multitasking than humans are. Run fuzzers and scanners in the background, even if you think they won't do you much good. You never know when you might find that diamond in the dirt.
4. Tooling is important
This might seem obvious, but in our infosec community, new tools spawn almost every... single... day. It's sometimes hard to keep track of them all. Therefore, it is important that after your enumeration is done, you start to look for the proper tooling for the attack vectors you have in mind. It often happened to me that I did not know about certain tools, which made my exploitation process needlessly complex, longer and sometimes even near impossible.
5. Read the f*cking manual of said tooling
Yep, even if you have used a tool for years, you will probably still be surprised by the functionality that some tools have. This will, again, save you a couple of hours. Unless you are stubborn and think you know it all, in that case... carry on... but you are gonna need that man page sooner or later.
6. When you tried your best but you don’t succeed…
Reset the box!
Unless you have a VIP subscription for Hack The Box, chances are that there are multiple other people trying to hack the same machine as you. More often than not, this means that there are going to be players on your box that I like to call machine gunners, firing off every exploit in Metasploit in the hope that one will hit its mark. Unfortunately, this means that sometimes boxes misbehave and will not react the way they should to certain exploits. Whenever you think you've hit a wall, just do a sanity check and reset the box.
7. Avoid tip addiction
Hack The Box was made for learning and testing your skills. Do you really want to take away from the experience by continuously asking for tips? If you are stuck and feel like giving up, yes, look at the forums... but it's easy to get tip addiction, and just searching for answers straight off the bat won't teach you anything.
8. Check other people’s write-ups (AFTER you rooted the box/completed the challenge)
IppSec on YouTube is great; however, because YouTube is public, he only covers boxes that are retired. I recommend checking out his videos if you are new to Hack The Box or pentesting in general, as he is a great guy with very solid content. However, there is a way to check out other solutions to active machines as well: https://github.com/Hackplayers/hackthebox-writeups offers a curated list of write-ups for retired and active boxes and challenges. You will need the root flag in order to open the respective PDFs. I have learned a great deal from other people's thought processes, enumeration methods, and exploitation strategies. I highly recommend doing this, as it will broaden your perspective on your entire approach. Sometimes there are multiple ways to root a box as well.
9. Recurring attack vectors
Unfortunately, there is only so much in terms of (mis)configurations/vulnerabilities that box creators can choose from. Because of this, once you have done a lot of CTFs (be it Hack The Box or others), you start to notice that certain attack paths keep coming back. Experience will teach you where to look first, and how to separate the garbage from the diamonds. As you progress further and further, you'll start noticing that your 'clearing times' per box become shorter and shorter.
10. Hack The Box will show you your weaknesses, practice them!
Hack The Box has a TON of challenges and boxes. Once you start doing more and more stuff on the platform, it will become painfully clear where your strengths and weaknesses lie. This is a curse and a blessing at the same time. Often, your weaknesses will also tend to be the things you do not really like doing. Unfortunately, in a real assessment, you will not be presented with a choice. You will have to make do with what you see before you. Use this self-knowledge to push through the pain and learn more about your weaknesses. In my opinion, one of the hardest but most satisfying challenges is the following:
"Take your biggest weakness and make it your biggest strength." (myself)
In case you were expecting a golden approach or some 1337 exploits and 0 days, sorry.
Hack The Box is a platform that is different for every single one of us. Cyber security is not static and there are often multiple paths that lead to Rome. All I can say is that I enjoyed the journey and I still have some work to do. Now if you’ll excuse me, I’m off rooting another box…
– Happy Hacking
About the author
Jean-François Maes is a red teaming and social engineering expert working in the NVISO Cyber Resilience team. When he is not working, you can probably find Jean-François in the gym or conducting research. He is/was also ranked #1 on the Belgian leaderboard of Hack The Box (a popular penetration testing platform). You can find Jean-François on LinkedIn and on Hack The Box.