At current (quaran)times, with all our staff in remote working environments, it’s fairly hard for us infosec people to get real hands-on experience in forensics, internal on-premise penetration testing or incident response at customer sites. So how do we train our skills then? How do we keep our capabilities sharpened?
We do – besides research, internal testing and many more (or less) entertaining things – use different online platforms for training. One really effective and advanced platform in this field is hackthebox (HTB). This post is the introduction to a series of blog articles which will invite you on a journey through the wonderland of information security and hacking.
If you now think that this is not for you because you are not a penetration tester – on the contrary: developers, compliance folks, security people – all of you can join in here to learn a thing or two.
But first things first. Before we go ahead and actually pwn, breach, hack or destroy virtual training grounds, we should take some time to get some understanding of what we are doing, why we are doing this, which tools we are using and how we proceed methodology-wise.
Here be dragons
To safely learn hacking without running afoul of the law, the founders of hackthebox.eu have created a secure environment to do all this stuff. If you plan to start your hackthebox journey, remember: you are not the only person attacking machines inside the HTB network. There are other hackers trying to break stuff. You should take some precautions: use a virtual machine or a dedicated computer (not your work computer!). Please be warned: nothing we describe here should be done against real environments without lawful contracts and the consent of the system owners. To some degree, even the attempt to do so is illegal (at least in Germany, but in many other countries too) and will most likely get you into trouble. Be warned!
Words of advice
The write-ups in this series are meant to be a starting point for learning basic penetration testing and hacking. Although they are fun to read, our advice is to try to break into the named machines yourself and only use the write-ups if you are stuck at some point.
hackthebox 101 – How things work
Once you have hacked your way in – yes, you have to hack your invitation – you’ll be greeted by a dashboard. This might look a bit overwhelming, but you’ll manage.
For now, we’ll be focussing on the machines – these are virtual machines running in a Virtual Private Network (VPN). To access this VPN, you have to navigate to the access page.
This is where you can download your access pack – an OpenVPN configuration file that is used to connect to the hackthebox lab.
Now all you need to do is to choose a target. The machine overview shows you all of the 20 currently active machines.
There you see the name, difficulty and rating of the machine – as well as some controls to boot up, reset, stop a machine and submit the flags you need to find to complete the machine.
Flags? Yes, flags. On every machine you’ll find a `user.txt` and a `root.txt` that contain a hash. These are the targets. You need these hashes to complete the machines and get the points awarded to your profile.
Every machine has a profile page which will tell you a bit more about the machine – for example the IP address, the creator of the machine and some user ratings that might guide your decision whether or not to try to hack your way into that machine.
With all that in mind, let’s go ahead and see how we approach these boxes.
On each and every machine we will basically conduct the same steps to get an overview of, and possible entry vectors into, the machine we are working on. In short, we will do the following tasks in the order and with the weighting shown below.
Preparing your personal attack environment is essential to be fast and efficient. Usually we perform necessary steps here to prepare a clean pentesting environment (e.g. set up a new VM), update the operating systems and the tools we are going to use to conduct an attack. In addition to that, things like adding an entry for the target system in the hosts file or connecting to a certain VPN are also common.
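The hosts-file step above is easy to get wrong when you move between boxes (stale lines, two IPs for one name). As an added example that is not part of the original post, here is a small Python helper that keeps exactly one mapping per name in a hosts file. The host name `target.htb`, the IP addresses and the file path are constructed placeholders; the `openvpn --config` command in the header comment is the standard way to bring up the access pack.

```python
"""Keep a lab hosts file entry current for the box you are working on.

On a real box you'd run this against /etc/hosts (as root) after connecting with
  sudo openvpn --config <your-access-pack>.ovpn
The host name and IP addresses used here are constructed placeholders,
not a real HTB machine.
"""
import sys
from pathlib import Path


def upsert_hosts_entry(hosts_text: str, ip: str, hostname: str) -> str:
    """Return hosts content with exactly one mapping for hostname.

    Any older mapping of the same name is removed first (a reset box may come
    back under a different IP), other names sharing that line are preserved,
    and comments are left alone. Calling it twice is a no-op the second time.
    """
    kept = []
    for line in hosts_text.splitlines():
        body, hash_sign, comment = line.partition("#")
        tokens = body.split()
        if len(tokens) >= 2 and hostname in tokens[1:]:
            names = [t for t in tokens[1:] if t != hostname]
            if not names:
                continue  # the line only mapped our name: drop it
            line = "\t".join([tokens[0], *names])
            if hash_sign:
                line += " " + hash_sign + comment  # keep the trailing comment
        kept.append(line)
    kept.append(f"{ip}\t{hostname}")
    return "\n".join(kept) + "\n"


def update_hosts_file(path: str, ip: str, hostname: str) -> None:
    """Rewrite the file at path with the entry upserted (needs root for /etc/hosts)."""
    p = Path(path)
    p.write_text(upsert_hosts_entry(p.read_text(), ip, hostname))


if __name__ == "__main__":
    # usage: python hosts_entry.py /etc/hosts 10.10.10.10 target.htb
    update_hosts_file(*sys.argv[1:4])
```

Run it once per box you start; when a machine comes back under a new IP after a reset, the same call replaces the old line instead of adding a second one.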
Enumeration and fingerprint (10 %)
This very first step is a scan of the target machine to identify running or hidden services, the protocols used and the versions of the services deployed. We’ll also make a first estimate of which services are worth a closer look.
Typical tools are: masscan and nmap.
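The two tools are usually chained: masscan finds the open ports quickly, nmap then fingerprints only those ports. As an added example, not code from the original post, the Python below parses masscan’s list output (`-oL`) and nmap’s grepable output (`-oG`), builds the follow-up nmap command, and ranks the open services for the “first estimate” step. Both sample outputs and the host 10.10.10.10 are constructed; the ranking order is our own choice, not anything nmap produces.

```python
"""Enumeration pipeline: masscan for fast port discovery, nmap for fingerprinting.

Commands this example expects you to have run against your lab target
(the host 10.10.10.10 is a constructed placeholder, not a real box):
  masscan -p1-65535 --rate 1000 10.10.10.10 -oL ports.masscan
  nmap -sV -sC -p<ports from masscan> -oG target.gnmap 10.10.10.10
The functions below parse those two output formats and rank the services.
"""
from dataclasses import dataclass

# Constructed masscan list output (-oL): "open <proto> <port> <ip> <timestamp>".
SAMPLE_MASSCAN = """#masscan
open tcp 80 10.10.10.10 1587376400
open tcp 22 10.10.10.10 1587376401
open tcp 445 10.10.10.10 1587376402
# end
"""

# Constructed nmap grepable output (-oG) for the same host. Each port entry is
# port/state/proto/owner/service/rpcinfo/version/ and nmap writes "|" for "/"
# inside the version string.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Mon Apr 20 10:00:00 2020 as: "
    "nmap -sV -sC -p22,80,445 -oG target.gnmap 10.10.10.10\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, "
    "445/filtered/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "# Nmap done at Mon Apr 20 10:00:30 2020 -- 1 IP address (1 host up) "
    "scanned in 30.12 seconds\n"
)


@dataclass
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_masscan_list(text: str) -> list[int]:
    """Return the sorted, de-duplicated open TCP ports from masscan -oL output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "open" and parts[1] == "tcp":
            ports.add(int(parts[2]))
    return sorted(ports)


def nmap_command(host: str, ports: list[int]) -> list[str]:
    """Build the follow-up service/script scan restricted to the discovered ports."""
    port_spec = "-p" + ",".join(str(p) for p in ports)
    return ["nmap", "-sV", "-sC", port_spec, "-oG", f"{host}.gnmap", host]


def parse_gnmap(text: str) -> list[Service]:
    """Parse the Ports: field of nmap grepable output into Service records."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" sections, e.g. Host, Status, Ports, Ignored State.
        sections = dict(sec.partition(": ")[::2] for sec in line.split("\t"))
        host = sections["Host"].split()[0]
        for entry in sections.get("Ports", "").split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, version = fields[:7]
            services.append(Service(host, int(port), proto, state, name,
                                    version.replace("|", "/")))
    return services


# Our house order for a first look: web and file sharing first, ssh last.
PRIORITY = {"http": 0, "https": 0, "http-proxy": 0, "microsoft-ds": 1,
            "netbios-ssn": 1, "ftp": 2, "smtp": 2, "ssh": 5}


def triage(services: list[Service]) -> list[Service]:
    """Drop anything not confirmed open and order the rest by PRIORITY, then port."""
    open_only = [s for s in services if s.state == "open"]
    return sorted(open_only, key=lambda s: (PRIORITY.get(s.name, 3), s.port))


if __name__ == "__main__":
    ports = parse_masscan_list(SAMPLE_MASSCAN)
    print("follow-up:", " ".join(nmap_command("10.10.10.10", ports)))
    for s in triage(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{s.port}/{s.proto:<4} {s.name:<14} {s.version}")
```

The filtered 445 in the sample is dropped by `triage`, which is the point of parsing the state field rather than just the port list: a filtered port tells you a firewall is in the way, not that a service is reachable.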
After identifying running services we are going to search for known vulnerabilities and flaws in the software. We will also search for leftovers in source code or misconfigurations in services.
Tools of the trade are: gobuster, recursebuster, ffuf, patator, hydra.
Exploit (5 %)
The most satisfying methodology phase is the use of flaws and vulnerabilities to actually (mis-)use an attack vector to breach the target machine.
Some of your weapons are: gcc, python, shellcode, powershell, sqlmap, Metasploit, Mimikatz, PwnTools and many more…
What these tools have in common is that they’ll help you gain access to places where you shouldn’t have access – which is nice if that is your intention. Most of them have a steep learning curve – so we’ll provide you with more information about the tools, the underlying processes and concepts, and the protocols they exploit. This will be provided in the upcoming posts!
You might think “this sounds interesting – and also like a bunch of hard work” – and it actually is. But it’s also a great deal of fun. Once you have managed to get your first connection to a host or found the first vulnerability and exploited it successfully (most of the time after hours of debugging, errors and facepalming), you might already be hooked.
Another aspect is that a platform like this is a great way to keep your skills sharpened and learn while you have fun. Some of the machines are close to real world scenarios that one might see during a penetration test or read about in a data breach report. Other machines have a theme and tell you a story while you exploit your way through them.
The goal in both of these scenarios is to learn and have fun – so we should probably stop talking about the why and how and just get started with the first machine!