HackTheBox: alone, it's a pain. Two? Then I'm game!
I have had my HackTheBox account for a long time now. Getting close to a decade. For those of you who don’t know, HackTheBox is a training/CTF platform, similar to TryHackMe. It is also a little different: you cannot register a new account without an invite code. You would like an invite code? Sorry, I can’t give you one, and neither can anyone else. To get in, you have to find the invite code generator, use it, and get the code yourself.
I remember my time getting in. I thought it would be easy, got frustrated, and knowing nothing about hacking but wanting to get access to the machines, I found a walkthrough and followed it. That’s how I got my account. After all the years, I may be ready, but I’m not ready to prove that yet (too scared). It may be the lazy way in, but I may have made up for my faux entry in the meantime.
Why write about HackTheBox?
I have been using HackTheBox more and more often lately. One reason may be a lack of projects (spring seems to be slow in cybersecurity, at least for consultants like me), but it is partially because I got a new colleague. Super-cool guy, and a veritable web-hacking Wagner. We were in the same rank on HtB the first time I checked, Script Kiddie. When projects got scarce, we would start poking at different machines, trying to get in, looking at the writeup for footholds (and sometimes the whole enchilada).
Over time, we agreed that we would do things the same way we did at work: In tandem. We would boot up the same machine at once, start scanning, and help each other with footholds so that we arrive at the coveted root flag at approximately the same time. Turns out this is a swell system!
Why is tandem hacking great?
I find several benefits in hacking next to someone. Here is an abridged list of my reasons:
We all get stuck on a point. I am no IppSec, so I don’t burn through machines like a bonfire through kindling. I often get stuck, I don’t know everything, and there may be a thing I have never even heard about.
Consider me going solo, on a live machine, with no writeup. I’m not good at this computer stuff, I’ll get bored/angry/desperate, and after a few hours I’m willing to chew my laptop in half. Not a good thing for my teeth or the laptop. When I’m riding in tandem with someone, we both can spitball ideas. Sometimes I chip in with a smooth exploit that I may have seen before, sometimes he shows me that this whole Burp Suite tool is not as disgusting and confusing as I had thought.
If nothing else, it’s very helpful to have someone to complain to and have them actually understand, because they are going through the same thing. To be completely frank, it also feels good whenever I actually know something.
The entire HackTheBox app is a competition, that is absolutely true. However, except for the case of a few known names, you never see the people in person. When one of those names is sitting next to you, it’s a whole different ball game. You don’t want to lull, there is no willingness to let stuff slip. Your recon game goes up as far as you can without frying your brain. The immediateness of the guy next to you shouting “Got an exploit… got user!” makes you speed up. It’s the thrill of the hunt.
If you’re doing a project, you need to know what the other people in your team are good at and how to communicate. If you’re running solo, you have it all in your head, your only communication target is your client. With a team project, your communication needs to happen within the team as well. The smoother the comms, the better your performance will be. What is a better place to train this than a machine that everyone in your team knows is vulnerable and where you can practice note sharing, dividing the work, in short: all the good stuff?
Walkthroughs take no fun away
Even when you have a walkthrough to follow, things may snag up: Your tools may fail to run, for whatever reason. Someone may have tampered with the box you’re on (you’re not guaranteed a box on the same server as the rest of your team). While you all have the same box to work on, you may find different things, see something your colleagues don’t. In this case, consider your colleague who is further along than you a writeup of sorts. They don’t have the full picture, you can’t read them like a PDF writeup. What you can do is ask questions, and get meaningful answers from a real human being.
You may not feel like it, but your asking is helping your colleagues too. It is said that if you teach something to someone, 90% of what you learned gets embedded in your brain. Consider yourself a kind of cement that helps your colleagues remember what they learned, and they help you learn something, whether it’s by helping you, or by you helping them.
All in all, HackTheBox is a great platform. I wanted to share this, because I broke a barrier recently, in no small part thanks to my friend and colleague. I am now a HackTheBox-certified Hacker. It has been years since I got the Script Kiddie rank, and it’s going to be a hard way to Pro Hacker, but this time, it sure as hell is going to go faster.
If you need any help, reach out, and I’ll do my best to help you out. This may sound awfully altruistic, but don’t doubt for a second that I’m not learning from you as well!