On Hack The Box you can hack real machines, but before you can do that, you need to hack your way into the registration process. I decided to do this after watching several walkthroughs from IppSec.
Hack The Box has active and retired machines. Members are not allowed to talk a lot about active machines, but they are allowed to post walkthroughs from retired machines. So far I only hacked active machines and I will mention wich they are, but my thinking process and what I learned from them I will keep until they are retired.
Biggest learning points
While trying to hack these machines, I learned a couple of things over and over again:
- Enumerate, than enumerate some more
- Read the output from scripts very carefully
- Read the man pages of commands very carefully
- Don’t assume anything
- When you are stuck, just go to bed and try it the next day
Machines I hacked (or tried to)
- DevOops is rated as relatively easy and, although I looked up some hint on the forum, it was not that dificult. In the end I didn’t really need those hints at all.
- Waldo is alse rated as relatively easy, however for a relatively new penetration tester like me, it was quiet challenging. In order to get user access I had to be creative with PHP, I think I once saw it in a video, but I couldn’t find it. Then I at some point I needed to break out of a restricted shell, but I made it very hard for myself by over thinking it completely. In the end I was pointed in the right direction after asking for a hint.