
HackTheBox Beginner Guide

Hi everyone, today I've decided to write this little guide to help new members get started on HackTheBox. I just want to specify that everything in this article is based on my opinions and my personal experience. You may not agree, and in that case, let me know, I would be very interested.

HackTheWhat?

First of all, what is it? If you don't already know it, here is the short version: it is a website to train your hacking skills through "boxes". A box is a remote machine you are supposed to break into. The first step is to gain user access, meaning you are logged in with a regular user's rights, and the second step is to gain root access, meaning you are logged in as the administrator (root on Linux, SYSTEM or Administrator on Windows). For each of these steps you are rewarded with a certain number of points, depending on how hard the box is (easy/medium/hard/insane).

Boxes usually run Windows or Linux.

There are also challenges available, very similar to CTF challenges. They are not the reason you should join HackTheBox, but they are often very interesting and are replaced on a regular basis.

Here is the link to the platform : https://www.hackthebox.eu

You should know that there is a challenge to solve before you can even create a HackTheBox account. For this guide, I'll assume you already have one. If not, try to solve the challenge: it's not that hard, but it will require some patience if you're totally new to this.

Why this guide?

I was myself a bit lost at first. I had help starting out, and I think it's the best way to start. That is why I've decided to write this guide.

The best way to start

#1 : know your enemy

My first piece of advice would be to read lots and lots of write-ups of easy retired boxes (publishing a write-up about a live box is not allowed, and I strongly recommend not reading the ones that get published anyway). That lets you see how people usually proceed and exposes you to different approaches and situations; if you're lucky, you'll later find a box where the same techniques are reused.

Once you've done a lot of reading (or watching, there are lots of video write-ups on Youtube), you will start to have a pretty good idea of what to expect.

#2 : carried by the penguin

The second piece of advice would be to learn how to use Linux, the terminal, and everything that goes with it. The distro that will make your life easier for that purpose is Kali Linux. It's a distro designed for penetration testing, created and maintained by Offensive Security. It's Debian-based and comes with lots of preinstalled tools that you will find useful throughout your journey.

If you're not familiar with Linux, I recommend you follow online courses first, because in my opinion this is a non-optional step.

#3 : Linux, Linux, Linux, ...

Now that you know how to use Linux, you should start by solving Linux boxes. That way, once you have gained remote access to a machine, the environment you land in works in a familiar way. Windows boxes are totally different.

#4 : "To lose patience is to lose the battle." - Mahatma Gandhi

As a beginner or as a professional pentester, you will get stuck often. But it's part of the process: getting stuck, googling a lot, getting unstuck, getting stuck again...

It can happen that you get stuck for several days, and that's okay. In that case you should take a break and retry later with fresh eyes.

You can get help and nudges from other HackTheBox users on Discord (https://discord.gg/hackthebox) or on the official forum.


People won't tell you the answer, but they will tell you where to look, what to google, etc.

#5 : Names are not random

Box names are very often linked to the logic used to solve the box: they sound like a service, a tool, a technology, etc. So pay attention.

How a box usually works :

Preliminary step :

You need to connect to the HackTheBox VPN. To do so, download the connection pack (an OpenVPN configuration file) from the website and start it with the openvpn client; your machine then gets an address on the lab network and can reach the boxes.

On the old interface :

  • In the left side-bar, go to "Access"
  • Click "Connection Packet"

On the new interface :

  • In the left side-bar, go to Lab/Machines
  • Click on the Download logo

Step #1 : Recon

The recon process is where you gather information about the box. The two main tools for this step are Nmap and Dirbuster (or alternatives such as gobuster or ffuf that do the same job).

Nmap scans for open ports and the services running on a machine. One set of arguments I could recommend is the following:

$ nmap -A -p- -T4 <target-ip>

-p- scans all 65535 TCP ports instead of nmap's default top 1000, -A enables version detection, OS detection, default scripts and traceroute, and -T4 speeds up the timing. It is thorough but slow, so expect it to take a while over the VPN. For more on the arguments, you can read any of my write-ups. For more detailed information, check out the user manual by typing

$ man nmap

Dirbuster has a GUI; to launch it, just type dirbuster in your terminal.

In the GUI, point the target URL at the box's IP (http://<target-ip>/) and choose a wordlist. I could recommend this one: https://github.com/daviddias/node-dirbuster/blob/master/lists/directory-list-2.3-medium.txt (Kali ships the same list at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt).

Dirbuster is a brute-force tool that finds directories and files on a website by requesting every name in the wordlist. Very often the box's IP address serves a website, and some of its files will be interesting. Note that the "time left" can show several hours; in practice you will often have found everything you need within the first 15 minutes, so keep exploring while it runs.
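Because the single `nmap -A -p-` scan above is slow, many people split recon into two passes: a fast scan of every TCP port, then scripts and version detection only on the ports that turned out to be open. The script below is an added example (not code from the original post): it parses nmap's "grepable" (-oG) output to build the port list for the second pass, and picks out the web ports you would hand to Dirbuster or gobuster. `<target-ip>`, the `scan/` output directory and the `--min-rate 1000` setting are my assumptions, and the sample grepable output embedded at the end is constructed so the parsing can be tried without a live box.

```bash
#!/usr/bin/env bash
# Added example: two-pass nmap recon with grepable-output parsing.
set -eu

# Split the "Ports:" field of a grepable (-oG) host line into one entry per line.
# Each entry looks like: port/state/protocol/owner/service/rpcinfo/version/
# Assumes no commas inside the version field, which holds for the -p- pass
# because no -sV is run there.
port_entries() {
  grep -E '^Host: .*Ports: ' "$1" \
    | sed -E 's/^.*Ports: //; s/[[:space:]]+Ignored State:.*$//' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]+//'
}

# Comma-separated list of open TCP ports, ready for "nmap -p".
open_ports_from_grepable() {
  port_entries "$1" \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n | uniq | paste -sd, -
}

# Open ports whose guessed service starts with "http" (http, https, http-proxy...):
# these are the ones to feed to a directory brute forcer.
web_ports_from_grepable() {
  port_entries "$1" \
    | awk -F/ '$2 == "open" && $5 ~ /^http/ { print $1 }' \
    | sort -n | uniq | paste -sd, -
}

# Full two-pass scan against a live target (needs nmap on PATH).
# -oA writes normal, grepable and XML output side by side under scan/.
two_pass_scan() {
  local target=$1
  mkdir -p scan
  # Pass 1: every TCP port, no scripts, high packet rate, so it finishes in minutes.
  nmap -p- --min-rate 1000 -oA scan/allports "$target"
  local ports
  ports=$(open_ports_from_grepable scan/allports.gnmap)
  [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
  # Pass 2: default scripts (-sC) and version detection (-sV) on those ports only.
  nmap -sC -sV -p "$ports" -oA scan/targeted "$target"
}

# Constructed sample standing in for scan/allports.gnmap (not real scan output).
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -p- -oA scan/allports 10.10.10.5
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.5 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 139/filtered/tcp//netbios-ssn///	Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

echo "open TCP ports: $(open_ports_from_grepable "$SAMPLE_GNMAP")"   # 22,80,8080
echo "web ports:      $(web_ports_from_grepable "$SAMPLE_GNMAP")"    # 80,8080
rm -f "$SAMPLE_GNMAP"
# On a box: two_pass_scan <target-ip>, then read scan/targeted.nmap.
```

The filtered port 139 is deliberately left out of the list: only `open` entries are worth the slow second pass, and the parser ignores UDP lines so a later `-sU` scan can reuse it unchanged.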

Step #2 : First access

What I call the first access is not a mandatory step. It's the step where you get a shell, but not as the user who has the flag: very often it will be www-data, the account the web server runs as.

So like I said, the goal is to get a shell. In most cases, your job is to make the remote host execute code that connects back to a listener on your machine and hands you a shell (a so-called reverse shell, since the target initiates the connection). Here is a list of reverse shells for various languages: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

There is no real advice for this part because each box is different. The first thing you can do is google each service and version found with nmap followed by the word "exploit" ("yourService exploit"), or look it up with searchsploit, which ships with Kali. This way you can see whether the box was built around a well-known exploit.

If that doesn't lead anywhere, you'll need to explore the website, find hidden files (with Dirbuster), unvalidated inputs, etc. You should train your web skills for this part.

I'll give you one example of how to get a reverse shell running. I chose this example because I encountered this scenario several times on HackTheBox.

One common way is to upload a reverse shell to the server, disguising it as another type of file.

It's possible when a user has the ability to upload files to the server (a portfolio with images, submitting a document, etc.) and the file verification isn't done properly: for instance the check only looks at the file name or at the first few bytes of the content, both of which you control.

To see how to do it, check out my writeup of "Magic" once it's available : https://rmrf-logs.com/magic-htb/

Step #3 : Own user

Once you have access, you will need to perform enumeration on the box. There are different ways of doing it: by hand (looking at directories, sensitive files, running processes, etc.), or using a script like linPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh

This script scans for many things, like permission misconfigurations, plaintext passwords, files with the SUID bit set, etc.

To get it onto the machine, one option is to copy/paste the script into a file under /tmp on the remote host (or serve it from your machine with a small HTTP server and fetch it with wget or curl), then run it with chmod +x linpeas.sh && ./linpeas.sh.

You might want to redirect the output to a file, as it's very verbose and your terminal's scrollback limit could prevent you from reading the beginning.

$ ./linpeas.sh > result.txt
$ less result.txt

less is like cat, but it lets you scroll through the file when it's too long for the screen.

You'll need some practice to know what to look for in those results, but remember to google every time you don't know something or find anything suspicious to understand what you're dealing with.

Another thing you should always try is sudo -l. It lists the commands the current user is allowed to run through sudo, as root or as another user, and whether a password is required for them (NOPASSWD entries).
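For the "by hand" enumeration mentioned above, these are the classic Linux checks behind what linPEAS automates: SUID/SGID binaries, world-writable files, cron jobs and sudo rights. The script is an added example (not from the original post or from linPEAS); the demo directory tree at the end is constructed so the two find-based checks can be seen working without root, and show_cron_and_sudo is meant to be run on the box itself.

```bash
#!/usr/bin/env bash
# Added example: manual Linux privesc enumeration checks.
set -eu

# SUID/SGID binaries run with their owner's (or group's) privileges. A custom
# binary here, or a standard one that GTFOBins lists, is a direct path to root.
find_suid() {
  local root=${1:-/}
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# World-writable regular files: a config file or script that root reads or runs
# and that you can edit. /proc and /sys are skipped because they are noise here.
find_world_writable() {
  local root=${1:-/}
  find "$root" -xdev -type f -perm -0002 ! -path '*/proc/*' ! -path '*/sys/*' 2>/dev/null | sort
}

# Scheduled jobs (look for scripts they call that you can write to) and the
# current user's sudo rights. "sudo -n" fails instead of hanging on a password
# prompt when you have no password for the user.
show_cron_and_sudo() {
  echo "== /etc/crontab =="; cat /etc/crontab 2>/dev/null || echo "(unreadable or absent)"
  echo "== /etc/cron.d =="; ls -la /etc/cron.d 2>/dev/null || echo "(unreadable or absent)"
  echo "== sudo -l =="; sudo -n -l 2>/dev/null || echo "(sudo -l needs a password, or sudo is absent)"
}

# Constructed demo tree (not a real filesystem): one fake SUID helper and one
# root-run backup script that anyone can edit.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/opt/backup"
printf '#!/bin/sh\nexit 0\n' > "$DEMO/usr/bin/custom-helper"
chmod 4755 "$DEMO/usr/bin/custom-helper"             # would be setuid root on a box
printf '#!/bin/sh\ntar czf /root/backup.tgz /home\n' > "$DEMO/opt/backup/run.sh"
chmod 0666 "$DEMO/opt/backup/run.sh"                 # writable by everyone

echo "SUID/SGID files:";      find_suid "$DEMO"
echo "World-writable files:"; find_world_writable "$DEMO"
rm -rf "$DEMO"
# On a box: find_suid / ; find_world_writable / ; show_cron_and_sudo
```

Note the order of the demo: the file is written before the mode is set, because the kernel strips the setuid bit from a file when a non-privileged process writes to it, which is also why a SUID binary you can overwrite is still not a direct win.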

Once you have found a way to log in as a user, if you don't have SSH access, I would recommend trying to get one, to make the next step easier.

There are two scenarios:

  • Either you have credentials, and ssh <user>@<target-ip> gives you a shell: easy.
  • Or (when it's possible) you add your own SSH public key to the user's authorized_keys list.

For the second scenario, there are 3 steps.

First, create the SSH key pair.

$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/leo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/leo/.ssh/id_rsa
Your public key has been saved in /home/leo/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:biLof/gLnUnyv1odjUo6acZEWu+iERy/Wd55FQCUkyQ leo@<hostname>
The key's randomart image is:
+---[RSA 4096]----+
|        Eo++.    |
|         .+  .   |
|    . o    .  .  |
|   . * .   o   . |
|    = + S o . .  |
|   . O & + o .   |
|  . +.^ B + .    |
| .  .B.B   .     |
|  ..oo+oo.       |
+----[SHA256]-----+

-b 4096 creates a 4096-bit (not byte) RSA key; ssh-keygen -t ed25519 is a shorter, modern alternative that works just as well here. Leave the file path empty to use the default location. You can leave the passphrase empty as well, since this key will only ever open a lab box. Now if you list your ~/.ssh directory, you should have two files:

$ ls ~/.ssh
id_rsa  id_rsa.pub

The second step is to copy the content of id_rsa.pub onto the machine using your previous access. Print it locally with cat ~/.ssh/id_rsa.pub, then on the target append that single line to the user's authorized_keys (create ~/.ssh first if it doesn't exist; sshd also ignores the file if the directory or the file is writable by anyone other than the owner). In my case:

$ echo "<contents of id_rsa.pub>" >> ~/.ssh/authorized_keys

The final step is to log in using your private key:

$ ssh -i ~/.ssh/id_rsa <user>@<target-ip>
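The most common reason the key-based login above fails is not the key but the permissions: with its default StrictModes setting, sshd silently ignores authorized_keys when ~/.ssh or the file itself is group- or world-writable, and a fresh /tmp-style shell as www-data often leaves you with an odd umask. The script below is an added example (not from the original post) that installs a public key the way sshd expects and verifies the result. It uses a temporary HOME and a constructed, non-functional key line so it can run anywhere; on a box you would call install_pubkey against the target user's real home with your own id_rsa.pub line.

```bash
#!/usr/bin/env bash
# Added example: install an SSH public key with the permissions sshd requires.
set -eu

# install_pubkey <home_dir> <public-key-line>
# Creates ~/.ssh (0700) and authorized_keys (0600) if needed and appends the
# key exactly once, so re-running it never leaves duplicate lines behind.
install_pubkey() {
  local home=$1 pubkey=$2
  local ssh_dir="$home/.ssh" auth="$home/.ssh/authorized_keys"
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth"
  chmod 600 "$auth"
  grep -qxF -- "$pubkey" "$auth" || printf '%s\n' "$pubkey" >> "$auth"
}

# Octal permission bits of a path, used to verify what sshd will see.
perms() { stat -c '%a' "$1"; }

# Constructed key line (NOT a real key): stands in for the output of
# "cat ~/.ssh/id_rsa.pub" on your attacking machine.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisDemo00000 leo@attacker'

DEMO_HOME=$(mktemp -d)
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"   # second run must not add a duplicate

echo ".ssh perms:            $(perms "$DEMO_HOME/.ssh")"                   # 700
echo "authorized_keys perms: $(perms "$DEMO_HOME/.ssh/authorized_keys")"   # 600
echo "keys installed:        $(wc -l < "$DEMO_HOME/.ssh/authorized_keys")" # 1
rm -rf "$DEMO_HOME"
# On a box, as the target user:  install_pubkey "$HOME" "$(cat /tmp/id_rsa.pub)"
# Then from your machine:         ssh -i ~/.ssh/id_rsa <user>@<target-ip>
```

If the login still fails afterwards, run ssh with -v: it tells you whether the server even offered publickey authentication, which it won't if the home directory itself is writable by others or if the user's shell is set to nologin.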

Step #4 : Own root

To perform a so-called privilege escalation (privesc), going from user access to admin access, the steps are actually pretty similar to owning user: a lot of enumeration (linPEAS), googling, etc. Remember to try sudo -l again, since you have changed user.

HackTheBox has released a feature called "Starting Point". It's like a mini write-up guiding you through the steps of a first box. Once you're done with it, there are several other small boxes with a guided method to follow.

Some tips and tricks

Here are some tips I picked up along the way. It's not much, but it makes life so much easier.

Tip #1 : tee

While performing an nmap scan, for example, it's a good idea to store the results so you can look at them again later.

The way you could do it is:

$ nmap -arguments <target-ip> > scan.nmap

The problem with this method is that nothing appears on screen: if you want to see how far the scan has got, you have to open the file in another terminal or wait for it to finish.

The best way of doing it is like this:

$ nmap -arguments <target-ip> | tee scan.nmap

The tee command is named after the T-shaped pipe fitting (a "tee piece") that splits one flow into two.

It splits the output stream so that it is displayed in real time in your terminal and written to your file at the same time. (nmap can also do this itself with -oN scan.nmap, or -oA scan to get the normal, grepable and XML formats at once, while still printing to the terminal; tee is the general-purpose version that works with any command.)

This is useful in other scenarios too, like when you run a script and store its output in a file (linPEAS for example) but want to be sure the script is actually running and not stuck.

Tip #2 : rlwrap

The second tip I can think of is this wonderful tool, rlwrap.

Often when you get a reverse shell, the arrow keys (to go back through the command history, or to move inside the current command and edit it) don't work.

One solution is to use rlwrap (one of several readline wrappers). You can install it with the apt package manager:

$ sudo apt-get install rlwrap

To use it with netcat, start your listener through it (the -n skips DNS lookups):

$ rlwrap nc -lvnp 8888

Keep in mind that rlwrap gives you history and line editing but not a real TTY: Ctrl-C will still kill your listener along with the shell, and programs that need a terminal (su, ssh, sudo prompting for a password) will still misbehave until you upgrade the shell.

Tip #3 : cheatsheets

There are tons of cheatsheets out there, on various domains. When you find an interesting one, save the link. Here are a few I use from time to time:

I'll let you open them and see what they are each made for 😉

How do points work?

In this part I want to explain how the point system works on HackTheBox.

It can be very surprising at first, but it actually makes sense. Points are actually an ownership rate. Each box is worth a certain amount of points, depending on the difficulty:

  • Easy : 20 points
  • Medium : 30 points
  • Hard : 40 points
  • Insane : 50 points

The formula is the following :

(ActiveSystemOwns + (ActiveUserOwns / 2) + (ActiveChallengeOwns / 10)) / (activeMachines + (activeMachines / 2) + (activeChallenges / 10)) * 100

The particularity is that every time a machine you owned gets retired, you lose the associated points, because only active machines and challenges count in the formula. Note that you won't lose your rank (Noob / Script Kiddie / Hacker / Pro Hacker / Elite Hacker / Guru / Omniscient), but you will have to regain those points, plus the ones necessary to reach the next rank, before you can rank up.

This system makes sure your score always reflects how good you currently are, instead of letting people own every easy box over the years and end up with the highest rank. On HackTheBox, your rank means something!

Conclusion

Thanks for reading. This guide is only an introduction, and the "recipe" won't work for each box, but it can give you an idea of how to proceed when you're lost.

I hope you enjoyed it, and don't hesitate to give me feedback!