A Few Quick Tips For Starting Out With HackTheBox
I’ve been having fun with hackthebox.eu over the past few weeks. I highly recommend the VIP membership for access to the retired boxes; with 150 vulnerable machines, hacking challenges, leaderboards and solution guides, it’s great value.
Thought I’d share a few quick tips for anybody starting out with hackthebox, things that can catch you out and cause frustration when you are seemingly doing everything right but still can’t get a shell!
Turn off your VPN
Out of habit, I instinctively install my VPN client on any new machine I build, even a quick VM like Kali for hackthebox. You’ll be using openvpn within your pentest machine to connect to the hackthebox network, and while things will generally “work” with this double VPN, you’ll likely experience weird issues whose root cause is difficult to identify. For example, I couldn’t get EternalBlue exploits to work over my VPN no matter what I tried. As soon as I turned it off, the exploit worked first time (maybe my VPN provider blocks EternalBlue traffic patterns, I didn’t look too far into it). Even something as simple as an SSH connection to an HTB VM can fail with a VPN on. Investigate split-tunnelling, routing, application exceptions etc. if you want your non-hackthebox traffic to tunnel through your traditional VPN. But take it out of the equation when connecting to hackthebox.
Use TCP VPN if you’re experiencing issues
It’s worth checking out the alternate TCP settings for the hackthebox VPN connection if you’re experiencing strange behaviour connecting to boxes via the default UDP method. As explained above, I initially tried using hackthebox via a double VPN connection, and using this alternate connection method allowed me to do that for a while, before deciding it was best to ditch the second VPN. And of course, this should get you access to hackthebox if you’re having access issues through a firewall you don’t control.
Check your upstream gear
Many of us interested in hackthebox will be running home labs. If you’re anything like me, you have your machine going through some additional routing and security devices that a standard home user connecting directly to hackthebox won’t. Be aware of any rules upstream that might be interfering with your connection and causing you unnecessary frustration.
Always check your LHOST…and use adapter names!
Remember that as part of the openvpn connection to hackthebox, your IP address on the hackthebox network will be the IP assigned to your VPN adapter, not your local network or VM adapter. Also, get into the habit of using the adapter name when specifying a LHOST address in Metasploit; it’s far easier and more reliable to type ‘set lhost tun0’ than to type in a dynamically changing IP address each time.
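The two checks above, the adapter address that becomes your LHOST and the route your traffic to a target actually takes (the double-VPN problem from the earlier tip), can be scripted. The following is an added example for this post, not anything hackthebox or Metasploit ships. It assumes the OpenVPN interface is named tun0 and that lab targets live in 10.10.10.0/24, which matches what the post describes but is an assumption here; the sample command outputs embedded below are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the LHOST Metasploit
# will pick for tun0, and confirm a lab target is routed via tun0 rather than
# via a second VPN or the VM's NAT adapter.
# Assumptions: the HTB OpenVPN adapter is tun0 and targets sit in 10.10.10.0/24.

# Pull the first IPv4 address out of `ip -4 -o addr show dev <iface>` output.
# Reads stdin so the same function can be run against a captured sample.
parse_iface_ip() {
    sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Pull the outgoing device out of `ip route get <target>` output.
parse_route_dev() {
    sed -n 's/.*dev \([^ ]*\).*/\1/p' | head -n 1
}

# Live queries. Each returns non-zero (empty output) if nothing is found.
iface_ip()  { ip -4 -o addr show dev "$1" 2>/dev/null | parse_iface_ip | grep .; }
route_dev() { ip route get "$1" 2>/dev/null | parse_route_dev | grep .; }

# Constructed samples of what the two commands print on a Kali VM connected to HTB.
SAMPLE_TUN0='5: tun0    inet 10.10.14.23/23 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_ETH0='2: eth0    inet 192.168.56.101/24 brd 192.168.56.255 scope global dynamic eth0\       valid_lft 86215sec preferred_lft 86215sec'
SAMPLE_ROUTE='10.10.10.5 via 10.10.14.1 dev tun0 src 10.10.14.23 uid 1000
    cache'

# Check a real host: `sh lhost-check.sh --check 10.10.10.5`
check_live() {
    target=$1
    if lhost=$(iface_ip tun0); then
        echo "LHOST will be $lhost (tun0); in msfconsole: set LHOST tun0"
    else
        echo "tun0 has no IPv4 address: is the HTB OpenVPN session up?" >&2
        return 1
    fi
    dev=$(route_dev "$target") || { echo "no route to $target" >&2; return 1; }
    if [ "$dev" = "tun0" ]; then
        echo "$target is routed via tun0, as expected"
    else
        # A second VPN or a default route on the NAT adapter usually shows up here.
        echo "WARNING: $target is routed via $dev, not tun0; check for another VPN" >&2
        return 1
    fi
}

if [ "${1:-}" = "--check" ]; then
    check_live "${2:-10.10.10.5}"
fi
```

Run it with `--check <target>` once the HTB OpenVPN session is up; if the route check reports an adapter other than tun0, that is the "everything looks right but no shell comes back" situation the earlier tips describe.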
Always reset a machine in the beginning OR if you’re ever in doubt
I haven’t been able to confirm yet if powering on a machine also resets it. But why take the chance and potentially cause frustration? When I power on a hackthebox machine or take ownership, I immediately do a reset as well, just to be sure there’s nothing hung, broken or maliciously sabotaged! It’s also worth resetting any time you’ve come to a brick wall in your exploitation attempts, or think you should have a workable exploit that just doesn’t seem to be giving you a shell.
Take notes, and make them accessible across machines
I’m no InfoSec engineer or Red Teamer, but when using hackthebox I like to treat each machine as a pentest engagement. Take lots of notes as you go along, not only because it’s good experience for any future pentest role/job, but because it’s a great reference for when you come across similar vulnerabilities in the future. It’s also very satisfying to document and tick off each box as you retrieve the root flags. I have a laptop I also like to use for hackthebox when not using my Kali VM. It’s great to have your notes shared so they are accessible across machines.
Don’t be afraid to use guides and tutorials
I hear a lot of people recommending never reading hackthebox guides unless as an absolute last resort. As somebody with a full time job, study, hobbies and other responsibilities in my life, I don’t always have days to mull over a single machine. My advice is to absolutely dig into every clue, open port, version number etc., leaving no stone unturned in attempting the box yourself. But if you can honestly say to yourself that you’ve given it a decent shot, don’t be afraid to consult a guide, especially for the first dozen machines or so. I believe you can learn more by taking on a machine each day, for example, and using a guide after a few attempts, than by torturing yourself for weeks over the same machines. You’ll have plenty of time to tackle machines without guides when you graduate from retired machines to active machines, where publishing guides online is prohibited.
Don’t forget the user.txt flag!
It took me a while to realise there are two flags per machine: root and user. For the completionists out there, remember to grab the user flag. It’s annoying to have to go back over a previously rooted machine just to get the user flag you forgot about!