One of the first posts on this website was an introduction to the platform that has been with me since the beginning of my hacking career. It is HackTheBox, a pentesting platform where thousands of intrepid hackers race trying to take control of as many machines as possible.
It’s been more than two years since that post, and the platform has undergone major changes. Not only have the number of users of this platform increased exponentially, but recently they have added a number of very new features. Let’s review them.
The first thing we see as soon as we login is a panel with several links and statistics.
The first button is to download the VPN that will allow us to connect to the laboratory.
Below is the link to access all available machines.
There are 20 active boxes. Every week, on Saturdays, one box is removed from the active ones, and a new one is introduced.
From left to right, in this interface we can see the name of the box, the level of difficulty given by the users who have managed to hack it, the score, the number of people who have managed to get the usury flag and the root flag, the last reboot and three buttons: add to the list of boxes to do, reboot the machine and give a flag.
To start hacking, just start the vpn we downloaded, and click on the name of the box you want to do.
Here we will access all the data on the machine: a histogram of the number of people the machine has solved, and a graph that tells us what type the machine is: if to hack it the key is to enumerate, if the machine is similar to one you might find in real life, if the key is to exploit a vulnerability with CVE, if on the opposite you have to modify an exploit or create one yourself, or if it is a machine designed for a CTF and to exploit it you need techniques that would not be used in real life.
In addition, here we can see the machine’s IP address. That’s all we need to start hacking. The aim is to gain access to the machine at user level (and get the user flag) to end up scaling privileges and gain access as an administrator user (getting the root flag).
Standard, VIP and VIP+ users
Standard users can access any of the active boxes, however they will have to share the boxes with many other players. In contrast, VIP users have both active and retired boxes available, and share the boxes with a very small number of people. Finally, the category of VIP+ users has recently been added. These users have all the boxes to themselves.
All retired boxes have a document with the box walkthrough as well as an IppSec video solving the machine step by step. Active machines have no walkthrough, and it is forbidden to publish the walkthrough on the internet until it is removed.
VIP users also have another advantage: pwnbox
Pwnbox is a customised online distribution that you can use from your own browser
A normal user only has two hours of use available for testing, a VIP user has 24 hours a month and a VIP+ user has permanent access.
Personally, I didn’t like the experience very much, not only because it didn’t go as smoothly as it could, but also because I can’t have everything that you install or save deleted at the end of the machine, so it doesn’t allow for the customisation that I like. However, I recognise that it is a very good idea and that it can be very useful as a resource if you don’t have a computer that can run a good virtual machine with Kali Linux or Parrot Security (do you know the differences?) or in situations where you want to access it quickly to check something without having to start the VPN.
In addition to the boxes, HackTheBox has individual challenges that do not require VPN.
There are different categories of challenges, which test knowledge such as reverse engineering, cryptography, steganography, system compromise (pwn), web challenges, miscellaneous, computer forensics, mobile device pentesting, OSINT and hardware hacking.
In the past the challenges were permanent, but for some time now they have implemented the same system they use with boxes: there are a maximum of 10 active challenges per category, and if a new challenge is added another one is removed. Only VIP users can do the retired challenges.
Pro Labs are advanced laboratories that simulate complex environments such as a company’s computer scheme. They are designed for advanced users and require a certain amount to be paid in addition to subscriptions.
There are different types, for example RastaLabs is a red team simulation environment, designed to be attacked as a means of learning and honing your engagement skills.
The tracks are a set of boxes and challenges that they have grouped together to help you have a path to follow. To be able to do most of them, you need to be a VIP, since almost all of them have boxes or challenges that are no longer active.
New UI (Beta)
The new user interface is completely different from the current one, much more dynamic and intuitive. At the moment it is still in beta phase, but when it becomes the official user interface I will make another post explaining all the functionalities. At the moment you can try it out by clicking on the “New UI (BETA)” button at the top of the screen