Building security skills with Hack The Box
Updated: Jul 7, 2020
The barrier to entry in cyber security skill development can be quite overwhelming, but thanks to platforms like Hack The Box, getting started and building skills has become far more achievable.
Hack The Box is an online platform that allows you to test your penetration testing skills and exchange ideas and methodologies with other members who share similar interests. It contains several challenges that are constantly updated. ... By hacking machines you earn points that help you advance in the rankings. These points can also be used to renew the CISSP certification.
Is hack the box for beginners?
The answer is yes and no, so let me explain. Hack The Box has a ton of valuable content, but it can easily be overwhelming for anyone who has not participated in competitive hacking environments. If you are a beginner, I am going to recommend a very specific path further down in this post.
What is hack the box?
Hack The Box is an online pen-testing platform with a focus on skill development. HTB was launched in 2017 and is regularly developed and maintained by a staff of 30-40, working from a central office based in the United Kingdom.
The goal of Hack The Box has been to provide a platform where people can test their penetration testing skills while fostering a community in which to learn, exchange ideas and share methodologies in a safe and friendly environment.
Hack the box overview
Hack The Box has a lot of content, and I am going to outline all of it below.
The machines section is the bread and butter of Hack The Box, and it is where you will spend the majority of your time. It offers tons of machines across easy, medium, hard and insane difficulty levels. Machines run on either Windows or Linux and are designed to offer challenges covering all corners of cyber security, including web exploitation, binary exploitation, forensics, reverse engineering, privilege escalation and vulnerability scanning.
The challenges section on Hack The Box offers skill-based development opportunities as well; however, these are not pen-testing challenges like those in the machines category. They are typically much smaller challenges, meant to teach you something very particular, and are usually found in the disciplines of binary exploitation, reverse engineering, web exploitation, forensics and steganography.
This is an area that very few people will ever make it to, as it requires Guru rank (I will go into the ranking system down below). These Endgame challenges are reserved for the highest-ranked players and consist of extremely difficult challenges.
This is a great place to be if you have some Hack The Box experience and hold the rank of "Hacker" or higher. In Fortress, you will be connected to an environment with around 10 flags spread across 6-8 different machines, with a mix of Windows and Linux. Your goal is to capture all the flags.
Pro Labs are the ultimate Windows pen-test experience, with 15-20 flags per environment and roughly as many machines.
A Pro Lab is an immersive Windows Active Directory environment, designed to be attacked as a means of learning and honing your engagement skills. Beating the lab will require a number of skills, including:
OSINT & phishing
Local privilege escalation
Active Directory enumeration & exploitation
A variety of lateral movement techniques
Patience & perseverance
The goal of the lab is to reach Domain Admin and collect all the flags.
The ranking system is largely based on how many active challenges and machines you have completed. This brings up an important point about active and retired challenges: every challenge, machine and lab is either active or retired.
When you complete an active machine, for example, those points go towards your rank. However, every machine is retired after around 3 months and replaced. At that point the machine becomes retired and you lose its points, but you keep your rank. This forces players to develop and apply a consistent level of skill in order to advance in the ranks.
The rank thresholds, by percentage of ownership, are:
Noob: 0% and up
Script Kiddie: more than 5%
Hacker: more than 20%
Pro Hacker: more than 45%
Elite Hacker: more than 70%
Guru: more than 90%
Omniscient: 100%
Where to start for beginners?
To keep up with everything Hack The Box will throw at you, I'm going to make a suggestion based on my several years of Hack The Box experience.
Instead of starting with active machines or challenges, where hints and information about how to solve the problems are typically not offered, you may find a better return on investment by spending that same time in the retired machines and challenges area. The reason is that all retired machines and challenges have guides and walkthroughs written by the community and the Hack The Box team.
It is also key that you join the Hack The Box Discord channel, where you can get help and make friends.