HackTheBox
A step-by-step walkthrough of different machines "pwned" on the CTF-like platform, HackTheBox.
Hack The Box Lab Writeups
Starting out in Cybersecurity, HackTheBox (HTB) has been the go-to resource provided to me or anyone interested in Penetration Testing and Ethical Hacking for that matter.
Contents
- Explore - Android (Easy)
- Lame - Linux (Easy)
- Shocker - Linux (Easy)
- Nibbles - Linux (Easy)
- Bashed - Linux (Easy)
- Valentine - Linux (Easy)
- Beep - Linux (Easy)
- Swagshop - Linux (Easy)
- Sense - Linux (Easy)
- Knife - Linux (Easy)
- Armageddon - Linux (Easy)
- ScriptKiddie - Linux (Easy)
- OpenAdmin - Linux (Easy)
- Traverxec - Linux (Easy)
- Networked - Linux (Easy)
- Mirai - Linux (Easy)
Retired Machines vs Active Machines
HTB's Active Machines are free to access upon signing up. Access to the retired machines, which come with an HTB-issued walkthrough PDF as well as an associated walkthrough from Ippsec, is exclusive to paid subscribers.
HackTheBox doesn't provide writeups for Active Machines and, as a result, I will not be doing so either. Having said that, I might include some later on, albeit as password-protected PDFs to maintain integrity.
HackTheBox in relation to OSCP Prep
Another reason I am attempting the boxes on the HTB platform is to help me prepare for the OSCP course & exam. As a result, my writeups will have an additional vector to root machines - manual exploitation and privilege escalation in addition to automated exploitation with tools like Metasploit, which are not allowed in the OSCP exam.
Accessing the VMs
The HTB platform uses an OpenVPN connection to access the labs and machines. Once signed up, the connection pack can be downloaded as an .ovpn file and imported using the OpenVPN client.
TJnull's OSCP Prep VMs
TJnull and the team at NetSec Focus have compiled a list of HackTheBox VMs that are a pathway to getting started, building practical skills and preparing for the OSCP in the HTB tab.
I have extracted the table and fed it into this repository and will be ticking off the columns as I move down the line.
Linux VMs

| Linux Boxes | Difficulty | Tags | Completed |
|:-----------:|:----------:|:----:|:---------:|
| Lame | Easy | Injection, CMS Exploit | Completed |
| Brainfuck | Insane | Cryptography | |
| Shocker | Easy | Perl, Injection, Web - Shellshock | Completed |
| Bashed | Easy | File Misconfiguration, Web | Completed |
| Nibbles | Easy | File Misconfiguration, Web - Nibble Blog | Completed |
| Beep | Easy | LFI, Web - /vtigercrm in Elastix | Completed |
| Cronos | Medium | PHP, SQL, DNS Zone Transfer, SQLi, Web | |
| Nineveh | Medium | PHP, Port Knocking, LFI, Web | |
| Sense | Easy | FreeBSD, Injection, Web | Completed |
| Solidstate | Medium | File Misconfiguration, Web | |
| Kotarak | Hard | Arbitrary File Upload, Web | |
| Node | Medium | API Fuzzing, JSON, File Misconfiguration, Web | |
| Valentine | Easy | Patch Management, Web | Completed |
| Poison | Medium | PHP, Log Poisoning, FreeBSD, Web | |
| Sunday | Easy | Solaris, File Misconfiguration | |
| Tartaresauce | Medium | C, Sandbox Escape, RFI, Web | |
| Irked | Easy | Cryptography, Web | |
| Friendzone | Easy | LFI, DNS Zone Transfer, File Misconfiguration, Web | |
| Swagshop | Easy | SQL, SQLi, Web | Completed |
| Networked | Easy | PHP, Arbitrary File Upload, Injection, Web | Completed |
| Jarvis | Medium | SQL, SQLi, Web, Injection | |
| Mirai | Easy | Linux, Network, Default Creds, File System Forensics, Web | Completed |
| Popcorn | Medium | PHP, Web | |
| Haircut | Medium | PHP, Injection, Web | |
| Blocky | Easy | PHP, Web | |
| Frolic | Easy | C, Cryptography | |
| Postman | Easy | File Misconfiguration, Web | |
| Mango | Medium | PHP, Injection, Web | |
| Traverxec | Easy | File Misconfiguration, Web | Completed |
| OpenAdmin | Easy | File Misconfiguration, Web | Completed |
| Magic | Medium | PHP, SQLi, SQL, Arbitrary File Upload, Web | |
| Admirer | Easy | SQL, Web | |
| Blunder | Easy | Windows, Bash, Account Misconfiguration, Web | |
| Tabby | Easy | Bash, Account Misconfiguration, Sandbox Escape, Web | |
| Doctor | Easy | Bash, SSTI, Outdated Software, Account Misconfiguration, Web | |
| SneakyMailer | Medium | Bash, Client Side Attack, Web | |
| Passage | Medium | Bash, File Misconfiguration, Web | |
| Luanne | Easy | Bash, Injection, Web Fuzzing, File Misconfiguration, Web | |
| Time | Medium | JavaScript, Deserialization, File Misconfiguration, Web | |
| Ready | Medium | Bash, Account Misconfiguration | |
| Delivery | Easy | Bash, Account Misconfiguration | |
| Ophiuchi | Medium | Java, Deserialization, Golang, Source Code Review | |
| ScriptKiddie | Easy | Outdated Software | Completed |
| Armageddon | Easy | Outdated Software, Linux, Web, PHP, CMS Exploit, Password Reuse, CVE, Weak Password | Completed |
| Knife | Easy | PHP, GTFOBins, Backdoor | Completed |
| Pit | Medium | PHP, Bash, CMS Exploit, Arbitrary File Upload, Outdated Software, Process Inspection, RCE, CVE | |
| Seal (Linux) | Medium | File Misconfiguration | |
