HackTheBox for Learning Hacking

ctf
0x00sec
pentesting
partnership
hackthebox

(Security Architect & Founder) #1

Hello, 0x00ers!

As you may have heard me talk about before, I am a strong advocate of using labs and CTF platforms for learning to hack and learning the skills involved in performing pentests from day to day.

I believe they’re a great way to learn new skills, practice and validate your enumeration and attacking practices, as well as get exposure to new and fun technologies that you may not have exposure to legally by other means.

For a long time, I have used sites like https://www.vulnhub.com/ in order to practice, however, this has required me often to download a large VM (usually 2-3GB+), install it in my hypervisor, and hope it works. Then, assuming I had the power to run a VM, I’d be able to hack it, find the flag and feel the buzz of breaking into a box and seeing that root.txt, sexy hash.

There is nothing wrong with this method, I think it’s a great resource for people. However, somewhat recently I have come across this new platform called HackTheBox, and I was super impressed with what I found.

You create an account (which you can only obtain by hacking the site), and then you download a VPN profile (which is free), and then you connect to the VPN and can hack a large array of boxes, get the flags, and input them into the platform. It shows up on your profile and you get a title: “Script Kiddie, Hacker” etc.

What is really nice about this is that you can compete with other people, as well as work together with other people on boxes. It gives you a chance to test your skills against boxes running Windows, Linux, BSD and even Solaris. Boxes vary a lot from webservers servers to switches, to old retro machines.

Some of the boxes can be really challenging as well, such as Nightmare, which made some waves on Twitter after it’s release:

Overall, it’s a really cool platform, boxes are turned over and released very often, and is all done really well. Because I really appreciated the platform, I got myself a VIP subscription because I really believe in supporting people like HackTheBox that allow people to get their fix of hacking, legally, and in a productive way, as well as the ability to get access to practically untouched boxes, so they’re super fast, it’s like hitting a box in your local network.

The free labs can be slow occasionally, but you can obtain a VIP subscription, it’s really a no-brainer for what you get out of it, including the potential to improve your skills and do better in your day-to-day profession.

0x00sec + HackTheBox Partnership

Today, we are proud to say that 0x00sec is now in partnership with HackTheBox. What this means for the community is that we will have the ability to provide VIP subscriptions free of charge to winners of future 0x00sec CTFs, as well as those who show a real desire to lead the community and regularly contribute, but just don’t have the means to stretch to VIP.

We hope to start more regular HackTheBox sessions, where we can collaborate and work and learn on boxes together as a community.

enter image description here

This might involve things such as retired-boxes writeups and internal-community competitions to root new boxes.

In order to support HackTheBox and our partnership, if you haven’t done so already, we strongly recommend that you not only go and make an account at HTB but you also get a VIP subscription. There are really no platforms like this around, and it costs money to host boxes across the world in order to provide a good CTF platform for hobbyists and professionals alike.

If you want to support the 0x00sec community, and invest in yourself and your skills at the same time, create an account at HackTheBox and get yourself a VIP subscription. I already have one as do many other 0x00sec members. We even have a #htb channel in the IRC!

Tell me in the comments, what do you think about HackTheBox? What are your favorite boxes? How long have you been using HTB?


(Security Architect & Founder) #2

(Zain) #3

I like it except as a college student I don’t have a lot of time to play around… I just wish I had more time.


#4

Well, here is my two cents.

I think that is a good opportunity for our community. It is, without doubt, the best CTF platform available nowadays and will certainly help people who want to skill up their hacking skills.

However, I doubt that professionals are willing to “waste” time on CTF whereas bug bounty programs are far more interesting and realistic. Indeed vulnerabilities in boxes provided by HTB are rarely present in the wild and mastering of such boxes will not make you, from my POV, a better “hacker”.


(Security Architect & Founder) #5

Your opinion is very valuable here.

I do however disagree in some areas. Vulnerabilities found are definitely found in the wild, perhaps less extreme ways. I know many professionals that use it to expand their knowledge and for fun, also. CTF’s allow you to test new types of shells, binaries.

You’re right, it is still a capture the flag site, they can only be so realistic. But it still teaches you how to handle new areas, and can be very fun. Such as interacting with Jenkins on some boxes, you might of never hit a Jenkins box before.


#6

I got your idea and I agree with you in some ways. However, do such a platform prepare you to handle cloud based infrastructures assessment? What about AWS, Azure attack vectors?

More and more companies are migrating to cloud based providers, modifying our daily job paradigm. This move can be anticipated through bug bounty program, knowledge that cannot be acquire using CTF platforms.


(Security Architect & Founder) #7

Sure - I do think however your issue is not one with HackTheBox itself, but rather an issue with CTF platforms period. They have their place, and they’re very good for isolated exercises and learning how to exploit things such as code execution, XXE, XSS, SQL Injection, enumeration and the like.

HTB is very good for those types of things.


#8

Woah, big news! Thanks a lot @pry0cc for making this possible :slight_smile:
I’ve been absent for some weeks finishing my master’s thesis. I’ll try to catch up with HTB as soon as I have some time to spare.


#9

That’s some pretty awesome news! I really need to try HTB, those labs look amazing. Did anyone here tried rastalabs? I heard it’s amazing for sharpening AD skills, but I’m a bit reluctant to jump right in, because I have almost no experience in windows environments.


(Occupi) #10

I finally broke in to HTB so I’ll be trying more of their labs now. Excited for this partnership!


(Zain) #11

Awesome job @pry0cc. I will try to be more active since I’m the owner of the channel on IRC. Also, join #htb. :stuck_out_tongue:


(Security Architect & Founder) #12

To be clear, we’d never have this partnership if it wasn’t for the awesome content the contributors here put out.

It’s all cyclical. If people contribute well and produce interesting discussion and content, we become a better platform, and we get the ability to form partnerships and support our hardworking community members.

There is no limit to our growth potential, and our opportunities are simply a result of our hard work as a community. Together, there is nothing we can’t achieve if we work together on it and have a clear mission.


#13

I haven’t done too much on htb yet mostly due to lack of time. Also I find people messing up the boxes and resets can be a pain.

I’ve heard people say that some of the htb boxes are similar to OSCP and some were inspired by OSCP boxes, though I’ve also heard people say it’s a bit more ctf-y than OSCP.

I’m thinking I might try to do more htb in a few weeks while doing OSCP, but it may be better to focus on the OSCP labs instead?


#14

We have a 0x00sec team on HTB as well! Hit up @0x6e756c6c here to get an invite to the team. Also, if you’re newer to the infosec world, start with some of the challenges and do write ups - that’s how I got started with my blog/“portfolio”.


#15

I’ve been on HTB for more than a year now. It’s extremely fun, and imho the best way to practice for OSCP.
I recommend it to every aspiring Penetration Tester. If you don’t know where to begin, just get a VIP sub and watch the retired box walkthroughs by IppSec in ascending order by difficulty.


(Security Architect & Founder) #16

That’s awesome man. Yeah, walkthroughs are super helpful.

I find it’s a great platform for newbies. There is a lot to learn through playing.

We’ve even played it at work when we’ve hammered through a heavy project and it’s a Friday afternoon. I learnt how to exploit XXE through HTB as well as a good platform to learn my enumeration skills.


(R00t9) #17

How i can access https://www.hackthebox.eu


#18

You have to “hack it” to make your own account. Actually that you have to do is to invite yourself with the invite code. Search the invite code at their website and you are done :slight_smile:


(Occupi) #19

I really enjoyed the HTB invite-hacking process. It felt very much like a good use of my technical abilities, plus it gives great insight as to what to expect on the rest of the site.


#20

Sure, they give you a taste but i see this first challenge like a “people filter”. They can’t all join but some of them who have some skills or one idea for hacking, maybe…