Hack The Box

Briefly reviewing HackTheBox - an awesome and slick-looking alternative to vulnhub

I’ve recently found hackthebox.gr, a site very similar to vulnhub, in that there are VMs designed to enumerate and exploit. Both are great at this, but hackthebox takes the whole experience so much further.

The first thing is the registration, which makes you feel accomplished as soon as you exploit that. It has to be the most fun registration I’ve ever done!

The next thing you see is the layout, which is slick to say the least:

There is a shoutbox seemingly constantly populated by mods and always active. There is also an accompanying IRC channel.

How it works is very like the OSCP labs; you are given VPN access and attack the IP addresses of the machines that are listed there.

These are my main highlights on hackthebox:

  • Windows VMs: Due to licensing issues, these are blessedly rare for exploit practice, it’s amazing how much my windows privilege escalation has started to improve, especially with how bad it was. There are so many here of so many flavours of Windows, it’s worth donating to their funding just to keep that going.

  • Shared VMs: I wanted to be ready for the OSCP, and having also solo’d my VMs from vulnhub, it’s good practice to see when you might be stepping on someone’s toes or recognising someone else’s exploit from a valid exploit avenue.

  • The UI: as mentioned above, everything is so tight, it’s easy to do anything and is constantly being updated.

  • The community: as there are no available walkthroughs, people talk to each other to trade hints in IRC or the shoutbox. For newbies who can’t reset boxes yet, anyone else will usually reset for them as soon as it’s asked.

  • The ranking: I love this, it’s something to drive you on, and for me gives me confidence for the upcoming OSCP. See the screenshot below, that’s ranked out of nearly 2400 people at the time of writing, 2400 who’ve already gone through that registration process!

  • Meterpreter: I’ve never really used this. I’ve always done manual exploits on the vulnhub VMs, but I really didn’t know a lot about meterpreter, and 90% of my knowledge around metasploit itself was actually using msfvenom to craft payloads for more handcrafted work. MY meterpreter knowledge has jumped forward in massive leaps! That’s not to say there aren’t buffer overflows and the like to get your hands dirty with, of course.

All in all I’ve been on hackthebox for 2 weeks so far and it’s amazing. I plan to support it financially for everything it offers, though this isn’t mandatory by any means. I encourage everyone to give it a go.

Written on June 1, 2017