Hackthebox is no stranger to security enthusiasts, pentesters or researchers. It is a website created to provide a realistic "hack the box" environment: it provides "machines", in practice web servers, and the player's job is, by any means and skill available, to obtain the flags in the /home/ and /root/ directories.
If you want a machine, a web server with vulnerabilities to find and exploit, but do not want to go to Vulnhub.com and download gigabytes of files to set up the environment yourself, Hackthebox is the choice for you.
This article is not technical in nature; it is an overview of one of the most popular "playgrounds" for training. Let's start!
1. How to get started?
To register a hackthebox account and use OpenVPN to connect to the machines, you can read the article by one of our colleagues here.
After connecting to OpenVPN, you will have an IP address in the same range as the machines. Currently there are a total of 142 machines, of which 20 are free; every week 2 of these 20 free machines are retired, and 2 of the other 122 machines "come back" to serve players.
You can sign up for VIP, which costs about 10 Euro / month, to be able to play the retired machines at your leisure.
2. Required skills
Playing hackthebox machines requires some skills that make the machines more approachable and help you get a flag, which is what creates the excitement while playing. In my opinion the basic skills include:
- Experience playing CTFs in the web category on various platforms helps, but this does not mean that playing CTF is easier than playing Hackthebox.
- Basic use of some tools: Burp Suite, Nmap, Metasploit Framework, Netcat, John the Ripper, Curl, Gobuster, Hydra, …
- Basic programming with Python, Ruby, Java …
- Familiar with the command line of Linux or Windows.
- Knowledge of reverse shells and /bin/bash on Linux.
- Knowledge of Privilege Escalation.
3. Machine on Hackthebox
From the picture above we can see the basic information about a machine, including:
- Active Machines: The machines are ready for us to play.
- Retired Machines: only VIP accounts can access and play them.
- Name: Machine Name.
- Difficulty: the difficulty of the machine, rated on a 10-point scale.
- Rating: A player’s rating of the machine.
- Owns: Number of people who got the User Flag and Root Flag.
- Last Reset: The time the machine was last restarted.
- Action: Add the machine to your favorites list, request to restart the machine and submit the flag.
3.2 More details about a machine
When you open a machine, you will see the following information:
We can see the following information about the machine above:
- Machine name: Postman
- OS: Linux
- Base Points: 20; the harder the machine, the higher the score. When the machine is retired, your points for that machine are reset to zero.
- Number of users with the User flag: 4511, and number with the Root flag: 4422
- Difficulty level: 4.2 / 10
- User Rating: 4/5 Stars
- If you have the User or Root flag: the Own User or Own Root boxes will be green, as shown in the picture.
- Info card: displays basic information about the machine.
- Rate Matrix: once you have rooted the machine, you can rate it from 1 to 10 on each of the following criteria:
- Enumeration: in other words, collecting information about the machine. The more reconnaissance you have to do to find ports, services, URLs, etc., the higher the rating.
- Real-Life: Practical applicability of the machine.
- CVE: Machine related to the CVE.
- Custom Exploitation: involves customizing an existing PoC or writing your own PoC exploit.
- CTF-Like: does it feel like a regular Jeopardy-style CTF?
- In the pentagonal chart next to it: blue shows the User Rate Matrix, green shows the Root Flag Rate Matrix.
- Machine IP: 10.10.10.160; to access it you must connect through OpenVPN so that you have an IP in the same range as the machine, as mentioned earlier.
- In addition, there is information about the "Machine Maker(s)", the person who created the machine, and the number of days since the machine was published, here 45 days.
Note: the Rate Matrix does not represent the difficulty of the machine; it only shows how closely the machine matches the criteria above!
3.3 Root this box!
If you have read this far, try joining and practising hunting for flags in such "boxes". Perhaps you will get interested and switch from developer or coder to security / pentester?