How to Get Started with Hack the Box
Let's get a detailed walkthrough of how to get started with Hack the Box including how to make an account, what are the features on this platform, and how one can proceed.
Hack the Box is just a really popular well-known platform and it's basically focused on a capture the flag type approach where you're hacking and attacking boxes, popping them, getting privilege escalation, getting root, and moving on. They have different levels of difficulty and there's gamification with the scoreboard.
How to create an account on Try Hack Me:
Follow the link below to make an account on Try Hack Me if you are a new user on this platform.
After that, sign in to Hack the Box by clicking on the sign-in tab on the lower left side. After logging in you will get a page like below.
Various features inside Hack the Box:
You can see the Labs tab on the left side of the page shown below.
Inside the “Labs” tab, there is the “Machines” tab. These are the boxes that one has to hack. Boxes are similar to virtual machines where vulnerabilities are induced. These are virtualized services, virtualized operating systems, and virtualized hardware that all run on our servers. Boxes can be Easy, Medium, Hard or Insane and can host different Operating Systems; Linux, Windows, and more.
There is another tab named “Challenges”. Challenges are bite-sized applications for different Pen-testing methods. These come in three main difficulties, specifically Easy, Medium, and Hard.
Each of these has a definite number of vulnerabilities that are basically seen in the real world. Your target is to explore these Machines, find out their vulnerabilities, and gain two flags: one user flag (lower privilege account on the Box) and one root flag (highest privilege account on the Box.
You must have noticed two tabs while checking for available machines in labs. These are active machines and retired machines.
- The Active Machines are the machines accessible to everyone, both VIP and free account users.
- The Retired Machines are the machines that have been retired and give no points. However, these Boxes provide write-ups for the educational achievements of users. You can use these write-ups to learn how to tackle the Box
Connect Using OpenVPN
Hack The Box uses OpenVPN to build connections between you and its machines. You can see in the below image (by clicking on the “CONNECT TO HTB” tab) how it shows offline when you are not connected.
The configuration files that are required to configure your OpenVPN client and to start the connection to hack the box servers are called. ovpn packs. These will put you in the same IP subnet as the vulnerable boxes, permitting you to connect to them (and attack them).
You will need:
- A Hack the Box account.
- The latest version of OpenVPN. (Installed with Kali Linux or Parrot OS)
- A working internet connection.
To download the VPN configuration file, you need to go to the access page. For that follow the steps shown below:
Connecting to Machines has turned out too much easier. You can now directly communicate on the Dashboard.
You will get the “Access” tab in Labs section like this:
Download the configuration files from there as shown below:
After you click the Download button, your pack.ovpn file would be found, probably, in the Downloads folder of your Linux machine. This file will be used as the configuration file for your OpenVPN starting process.
Then, boot up the OpenVPN initialization process using your pack.ovpn as the configuration file. Use the following steps on your Linux Machine:
Once the Initialization Sequence Completed message appears, you can open a new terminal tab and start attacking the boxes.
Please note that you will need to keep this terminal window open to keep the OpenVPN process running.
You can check the connection status that was showing offline before. You can see there are two online connections. It means that the connection has been established successfully.
Open the box in Hack the Box labs section (open any easy box, if you are a beginner).
I have opened the box named Secret (last on the list). You will get a page like below when you open the box.
You can copy the IP address of the target machine named secret. Now you have the IP address of the target, you are connected to the target subnet with OpenVPN, you can use your Linux machine to attack the target. Follow the steps from the walk-through of target boxes if you are a beginner. You can either google the writeup for a particular box or you can get the write-ups for retired machines (if you have a VIP subscription).