Not long ago, a friend of mine shared a link to a “free” course that guaranteed to teach you how to hack into any computer using “easy to learn” methods. It was free. It was easy. And I was naturally suspicious. I figured it was probably just a virus, but I clicked anyway. A video started playing. It showed a hoodied figure with a gruff voice who claimed that in just a few minutes, I would learn how to hack into a computer.
Hack the Box
Hack the Box is an online platform that lets you test your penetration testing skills. It is essentially divided into two parts: machines and challenges. The connection to the machines is made through a VPN. To create it, you must go to Access and download the file user.ovpn. Open a terminal in Linux right where you downloaded it.

OpenVPN is an open-source connection protocol used to create a secure tunnel between two points in a network. It allows you to connect to a remote network over a secure encrypted connection and mask your IP address on all ports. IPv4 and IPv6 are used to identify machines connected to a network. In principle, they serve the same purpose, but they differ in how they work: an IPv4 address is 32 bits, and an IPv6 address is 128 bits.

Here you can see all the machines; you can also see the difficulty of each machine. I recommend you start with the ones with the very green difficulty graph. Once you get the user and root flags, which are always a hash, you must enter them in the operations section, and the points will be added up. Each computer has one or more user accounts that are not admin; when you get access to one of these user accounts, it counts as owning that user. Root is when you get access to the root account of the computer. This account has permission to do anything it wants, with full control over the system. To own a user, you need to submit a user flag, which is located on the user's desktop. The root flag is the same kind of flag for the root or administrator account.
There are also various challenges for you to solve. You need to get the flag and submit it in the given format. There are five phases of hacking:
- Reconnaissance: The first phase is where the hacker tries to collect information about the targets. In this case, we are given an IP address to start.
- Scanning: This phase includes the usage of tools like port scanners, network mappers, sweepers, and vulnerability scanners to scan the data. We are using a network mapper, as shown below. -Pn means no ping, so the host discovery step is skipped. -sV is for version detection. We can see two open ports, one of which is HTTP; we have finished enumerating and scanning the network.
- Gaining Access: The third phase is gaining access. Now that we have an HTTP service, we can use dirb. dirb is a web content scanner. It makes HTTP requests and looks at the HTTP response code of each one. It works by launching a dictionary-based attack against a web server and analyzing the responses.
- Maintaining Access: We found the music directory using dirb; while trying to log in, we found a new version to download. If properly exploited, it can give remote code execution, then the user and root flags.
- Covering Tracks: The final phase is clearing tracks so that no one can reach us.

Here you can see your progress, points, system owns, and user owns. When a box retires, points will be deducted. There is a rank and name given, ranging from Noob and Script Kiddie up to Omniscient. There are also applications for Jobs and HTB University, and you can form teams as well.
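
Seen from the web server's side, the dictionary-based scan that dirb runs in the Gaining Access step shows up in the access log as one client requesting many distinct paths that mostly return 404. The Python below is an added example, not code from the original post: it flags such clients and lists the paths the guessing uncovered. The Combined Log Format input, the thresholds, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, path, status) for a Combined Log Format line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

# Thresholds are assumptions for this example; tune them against real traffic.
def find_content_scanners(lines, window=timedelta(seconds=60),
                          min_paths=20, min_miss_ratio=0.8):
    """Flag clients that request many distinct paths, mostly 404, in one window."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            win = evs[start:end + 1]
            paths = {p for _, p, _ in win}
            misses = sum(1 for _, _, s in win if s == 404)
            if len(paths) >= min_paths and misses / len(win) >= min_miss_ratio:
                # "hits" are the paths the guessing actually uncovered
                flagged[ip] = {"distinct_paths": len(paths), "misses": misses,
                               "hits": sorted({p for _, p, s in win if s != 404})}
                break
    return flagged

def make_sample():
    """Constructed log: one dictionary scan (one hit on /music), one visitor."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET {} HTTP/1.1" {} 0 "-" "-"'.format
    scan = [("198.51.100.7", i, "/music" if i == 12 else f"/word{i}",
             301 if i == 12 else 404) for i in range(30)]
    visit = [("203.0.113.9", 20 * i, p, s)
             for i, (p, s) in enumerate([("/", 200), ("/about", 200), ("/old", 404)])]
    return [row(ip, (t0 + timedelta(seconds=sec)).strftime(TS_FMT), p, s)
            for ip, sec, p, s in scan + visit]

if __name__ == "__main__":
    for ip, info in find_content_scanners(make_sample()).items():
        print(ip, info)
```

The alert fires as soon as a client crosses both thresholds, so the reported counts describe the window at that moment rather than the whole scan.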