Toying with Hackthebox
About HTB
As a way to study and relearn most of the skills required to pentest real environments I started, a couple of weeks ago, to crack (or trying to) some Hackthebox virtual machines (VM). At first, I was wondering if this was the right way to learn something new.
I must say that I'm not disappointed since most of the box is setuped in such a way that you need an overall knowledge of the Operating System/Technology that you're targeting. In addition, after you exaustly enumerated the box you “must” know a little bit about the service, protocol or whatever you want to attack.
I know that's an obvious statement 'cause this the way that most real pentest works but it's a relief to know that such platform exist. For those that do not have the time or resources to create it's own environment and labs, Hackthebox is awesome. For those that chose to pay for the VIP pass, many more retired VM's are available
The experience
HTB overall user experience was smooth, at least for me. It's portal has an intuitive GUI, menus and options. No complains about that. The only downside is the slow and sometimes unstable connection if you're on the free access. But that's expected for this kind of service with a lot of users massively brute forcing, scanning, crawling and forgering requests to HTBoxes.
To generate the credentials and connect to the HTB network itself is super easy, at least for those with some experience with VPN's.
Choosing the VM and cracking it
For those that never cracked a box or are rusty about pentest, my recommendation is to start with a already cracked box. HTB have a list of retired machines that are available to VIP members but a few of them are available, for a limited period of time, to non-VIP members. Most of those VMs have walktroughs that, after the retirement, can be found on forums, blogs, youtube and may help you if you get stuck on some stage of the pentest.
But try to not rely too much on it. Try it yourself. Many times I found myself stuck on some stages and reading/watching a walktrough just to, later on, get the feeling that I already knew what is necessary to do ('cause I have the knowledge) but lacked the mindset to “think out of the box”.
In future posts I hope to write a little bit about some of the retired VMs and what interesting finds I had.