I Played HackTheBox For 30 Days - Here's What I Learned

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
all righty so another 30-day cyber security challenge for the next 30 days I'm going to be attempting to play hack the box now I have no idea what I'm doing when it comes to ctfs really I've played a limited number of ctfs but in today's video I'm going to be playing hack the box and see what the heck happen so let's overview the project and get into my five weeks of training here in front of me is my project overview page like I said hack the box is basically a cyber security CTF training platform and I'm going be using the hacking Labs training to go through and try to find hidden Flags now my overall goal is to learn more about Open Source tools scripts and just the overall methodology to find these hidden Flags which have a string of text in them and basically that means you've pawned the Box uh now my project is broken up into four total weeks and I'm going to be playing two different areas on hack the Box my first week I'm going to be creating my CTF for hack the Box attacker lab environment which basically is a virtual box Cali machine and then in the subsequent week two and three I'm going to be playing starting point which is a cool little introductory uh exercises that hack the box has for beginners so as you can see in front of me I've already completed some of the tiers here but it's broken down into three different tiers and each of the tiers focuses on a different set of Technologies such as server message block or uh mongod DB or it could be any sort of service so gives you just an overview how to approach these boxes on the hack the Box platform after completing starting points three tiers uh during weeks three in four I'm going to be attempting to play the actual boxes in the hacking Labs so hack the box has active machines and they have retired boxes uh and as a free tier subscriber here uh I get access to the active machines as well as a limited number of retired machines what I'm going to attempt to do is walk through some of these very easy machines uh and maybe try to look at the writeups but try not to until I get stuck so in total I'm going to have four machines that I've completed as well as all of the starting machine boxes so yeah I have no idea what I'm doing with this project hopefully it's somewhat interesting and I can learn some new things but uh yeah so on to week one getting started with my hacking lab and starting points tier zero setting up the hacking lab was straightforward I loaded my Cali Linux virtual machine onto virtual box and ensured I could connect to hack the Box using the supplied openvpn file within the terminal then I was on to the starting point sections starting point tier zero was relatively straightforward each machine includes a self-guided walkthrough reviewing a specific service such as FTP smv SQL server and many more and using using the common open- source tools provided you could probe and log into these machines to fetch the flag most hack the Box machines have two flags a user and root the user flag is frequently found once you're able to access the backend machine and then the root flag is discovered once you escalate your privileges to pseudo or root within the Box all right so week one is finished with the Hacked Box challenge so far it's been pretty easy relatively straightforward so here is what I've done so far all right so as highlighted in my project schedule the two things that I needed to do were build a hacking lab and then complete tier zero starting point challenges I've successfully done both basically just have C Linux up here and that's all I did just load this into virtual box and then I have completed tier zero all free modules are completed there are also some subsequent VIP modules but I don't have VIP access right this moment a component I'm enjoying so far are these written guides they go into detail and the overall methodology with gaining foothold initial access and really just going through the thought process of being an attacker and I really appreciated that uh most of these items are pretty relatively straightforward things that I've used before so it's pretty basic but I'm hoping to get into some more advanced concepts in tier one and tier two and really get into poning the boxes and using no written guys well hopefully my hopes for week two is to continue to learn different tools different Technologies and really just kind of understand the methodology when it comes to approaching these boxes uh so yeah on to week two here and we'll see what happens starting points one and two were a little bit more advanced in both tiers you learn more about enumeration lateral movement and privilege escalation techniques including the various attacks and tools you can use to deploy on these boxes open source tools such as end map for probing open ports gobster for web directory enumeration hashcat and John the Ripper for hash and password cracking and using different attack techniques such as using default credentials SQL injection local file inclusion and spawning reverse shells with PHP are all overviewed in these tiers it was nice to have a refresher on these tools and how to deploy them in the context of the hack the Box environment all right so I have just completed all three tiers on starting point uh I've enjoyed the steps to getting here what really liked about starting point was that they gave you an overview of various command line tools and tools in general that you can use to attack these boxes in addition I liked how they laid out the methodologies in the walkthrough guides so each section has a specific step you're doing such as privilege escalation or at the very beginning enumeration or exploitation so I like how it kind of goes through each of those steps and each step has a set of tools and and kind of thought process that goes into it what I do wish that they had for the starting point uh walkthroughs was more of a thought process with uh trying different attack vectors for example in the exploitation phase perhaps instead of just giving you the exploit maybe they could show hey let's try this path first and then this path and then eventually we get to the correct path which could be path D because I feel like often times in ctfs it's not as straightforward you have to try various different thought processes in order to actually craft and find a vulnerable system or application on the system so that is my biggest complaint with starting point but overall I've been impressed with how hack the box has laid this out with storting Point tiers complete it was time to walk through the retired and active machines available on hack the box I chose to pursue 2 million in keeper as my week three machine maches 2 million was an easy difficulty Linux box where you had to break into their legacy backend system by generating an invite code to create a hack boox account and this is actually something you had to do back in the day once inside the system you had to abuse the included API to get remote code execution spawn our remote shell and then escalate privileges with a Linux colel vulnerability all righty so I just finished the 2 million machine on hack the Box this was my first retired machine in playing it I got about H maybe 10 minutes in and I looked at the write up on Google just a medium article and so this box was sort of interesting I actually ended up getting access to the hack the Box platform based off of some previous knowledge the long story short is I definitely don't know what I'm doing when it comes to ctfs but this is really a good interesting start and for me personally I'm going to write down a whole bunch of notes uh so so that I can use this moving forward when it comes to leveraging API end points and and all the other little nitty-gritty tricks so uh retired Machine 2 million is finished next so uh onto the next week 3 weeks of dedicated hardcore training behind me it was finally time time to see if I could actually do this which you know no week four it was time to test my knowledge and apply what I had learned to the two boxes pilgrimage and cozy hosting both with very easy ratings intended not to use right up glitch escalation you may be noticing a pattern with the techniques or steps used throughout this entire series one must perform these steps to successfully pone the Box these include enumeration where one must learn what type of services are used in the Box versions of the service and acquire a general understanding of that box next would be initial access in this step one must exploit a misconfiguration default or we credentials or a vulnerable service to get access to to the Box this involves creating a reverse shell where you set up a listener on your hacker box upload some code have the vulnerable service reach out to your box and establish a connection next is reconnaissance once you have a foot fold on the system you must perform additional enumeration on the box to learn about all right so I've completed my hack the Box challenge I enjoy the challenge I will be honest I did not complete it in 30 days it was more like a 60-day challenge due to laziness but I still you know went through it and uh I really enjoyed about the hack the Box challenge was just getting Hands-On practice with active kind of pen testing type methodologies you use some different open source tools to attack the boxes and it's it's the thought process that I think is really beneficial for a Defender like myself in my career but uh I think hack the Box really does a good job of showing how you do that starting out from the starting point modules and then slowly transitioning into the retired and active machines where you can pone some very easy boxes so overall I recommend that you do this challenge even if it's over the course of 30 days or 60 days it doesn't really matter it's a fun Challenge and completely free to do on hack the Box platform uh and well yeah I guess until the next video have a good day
Info
Channel: Grant Collins
Views: 240,161
Rating: undefined out of 5
Keywords:
Id: bPv5pb7AcYs
Channel Id: undefined
Length: 10min 22sec (622 seconds)
Published: Wed Nov 01 2023
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.