Hackthebox.eu Pentest Labs
Welcome back! Today I wanted to talk about another amazing pentester training site: hackthebox.eu. I'm late to the party / new to the site, but when I finally sat down to play I was blown away. This site is a hidden gem among pentest training sites, war gaming sites, and hacking labs. To start, you need to gain access by solving a basic web invite code challenge. Once inside, this den of hackers offers all sorts of treasures, such as a revolving wheel of live challenges, static challenges, job boards, forums, badges, teams, leader boards, end game content, and an impressive feedback system.
Most of the boxes are community driven and vetted, although the official organization actually releases the machines/challenges and assigns them their point value. This makes it a very community-driven event, and many members are both well-known challenge solvers and creators. They have static challenges, in categories like reversing, pwning, crypto, forensics and more, to get better with traditional CTF challenges. But my favorite challenges are the live machines one can access through their VPN connection. These are pre-staged vulnerable machines, already set up and integrated into the UI so they are easy to reset if you mess them up. This setup reminds me a lot of the PWK or Ubeeri labs, albeit missing the network-connected aspect of those labs. The downside to this model is that these live machines are multi-tenant, or multi-hacker in this case, meaning other people are exploiting the same machines as you. This means other hackers may leave exploits, flags, or even troll-type payloads lying around. Some hackers will even kill your shells, change the passwords, or move the flags, which really sucks. Still, I personally haven't seen much of this and I really enjoy the peer rating system that happens after you solve a machine.
The forums are also an excellent place to find help, and many users will provide general hints as well as direct help if you need it. It seems to be a very positive and respectful community, in my experience. It's also really nice that the solutions aren't on the web. The community is respectful in the sense that they only publish solutions once they retire a machine or challenge, or they will encrypt the walkthrough with the challenge's final hash, meaning you have to solve the challenge to read other players' walkthroughs. That said, the community regularly posts walkthroughs on YouTube or their blogs after the boxes have been retired. That said, some players have described the retiring of machines as a treadmill feeling, as they lose the experience they gained on those machines and have to level up again. In the year+ that it's been running they've already retired 47+ machines, with 20 currently active. Since the new machines work partially on a user submission system, new submissions will go through peer review before becoming ranked machines, meaning impossible-to-solve machines are less likely to be introduced to the pool.
Further, when you level up high enough you get access to new features, such as Fortresses and Endgame content. There's also advanced paid content, such as the VIP labs which offer a more private set of machines, or the RastaLab machines, which offer a full Windows domain to exploit. When you reach the Hacker level (level 3 or 20%) you can also start a team to track your collective progress. I've done that, and I invite you all to join my team WuTangLan, if you'd like to hack the box together. You can reach out to me for help here, or follow my progress in the labs. I've enjoyed these labs so much I've added a permanent link to them on the right side of my blog.
All in all, this is an excellent way to sharpen your skills with hands-on labs. I highly recommend getting involved as these are fairly high quality and free. If you're looking to learn more or see what some of the machines are like, check out the IppSec videos which are included with each solved machine. Or you can check out the official HackTheBox channel below: