Hacking

I am joining the ranks of self-proclaimed productivity experts: Do you feel distracted by social media? Do you feel that too much scrolling through feeds transforms your mind – in a bad way? Solution: Go find an online platform that will put your mind in a different state. Go hacking on hackthebox.eu.

I have been hacking boxes over there for quite a while – and obsessively. I really wonder why I did not try to attack something much earlier. It’s funny as I have been into IT security for a long time – ‘infosec’ as it seems to be called now – but I was always a member of the Blue Team, a defender: Hardening Windows servers, building Public Key Infrastructures, always learning about attack vectors … but never really testing them extensively myself.

Earlier this year I was investigating the security of some things. They were black-boxes to me, and I figured I need to learn about some offensive tools finally – so I setup a Kali Linux machine. Then I searched for the best way to learn about these tools, I read articles and books about pentesting. But I had no idea if these ‘things’ were vulnerable at all, and where to start. So I figured: Maybe it is better to attack something made vulnerable intentionally? There are vulnerable web applications, and you can download vulnerable virtual machines … but then I remembered I saw posts about hackthebox some months ago:

As an individual, you can complete a simple challenge to prove your skills and then create an account, allowing you to connect to our private network (HTB Labs) where several machines await you to hack them.

Back then I had figured I would not pass this entry challenge nor hack any of these machines. It turned out otherwise, and it has been a very interesting experience so far – to learn about pentesting tools and methods on the fly. It has all been new, yet familiar in some sense.

Once I had been a so-called expert for certain technologies or products. But very often I became that expert by effectively reverse engineering the product a few days before I showed off that expertise. I had the exact same mindset and methods that are needed to attack the vulnerable applications of these boxes. I believe that in today’s world of interconnected systems, rapid technological change, [more buzz words here] every ‘subject matter expert’ is often actually reverse engineering – rather than applying knowledge acquired by proper training. I had certifications, too – but typically I never attended a course, but just took the exam after I had learned on the job.

On a few boxes I could use in-depth knowledge about protocols and technologies I had long-term experience with, especially Active Directory and Kerberos. However, I did not find those boxes easier to own than, e.g., the Linux boxes where everything was new to me. With Windows boxes I focussed too much on things I knew, and overlooked the obvious. On Linux I was just a humble learner – and it seemed this made me find the vulnerability or misconfiguration faster.

I felt like time-travelling back to when I started ‘in IT’, back in the late 1990s. Now I can hardly believe that I went directly from staff scientist in a national research center to down-to-earth freelance IT consultant – supporting small businesses. With hindsight, I knew so little both about business and about how IT / Windows / computers are actually used in the real world. I tried out things, I reverse engineered, I was humbled by what remained to be learned. But on the other hand, I was delighted by how many real-life problems – for whose solution people were eager to pay – can be solved pragmatically by knowing only 80%. Writing academic papers had felt more like aiming at 130% all of the time – but before that you have to beg governmental entities to pay for it. Some academic colleagues were upset by my transition to the dark side, but I never saw this chasm: Experimental physics was about reverse engineering natural black-boxes – and sometimes about reverse engineering your predecessors’ enigmatic code. IT troubleshooting was about reverse engineering software. Theoretically it is all about logic and just zeros and ones, and you should be able to track down the developer who can explain that weird behavior. But in practice, as a freshly minted consultant without any ‘network’ you can hardly track down that developer in Redmond – so you make educated guesses and poke around the system.

I also noted eerie coincidences: In the months before being sucked into hackthebox’s black hole, I had been catching up on Python, C/C++, and PowerShell – for productive purposes, for building something. But all of that is very useful now, for using or modifying exploits. In addition I realize that my typical console applications for simulations and data analysis are quite similar ‘in spirit’ to typical exploitation tools. Last year I also learned about design patterns and best practices in object-oriented software development – and I was about to overdo it. Maybe it’s good to throw in some Cowboy Coding for good measure!

But above all, hacking boxes is simply addictive in a way that cannot be fully explained. It is like reading novels about mysteries and secret passages. Maybe this is what computer games are to some people. Some commentators say that machines on pentesting platforms are more Capture-the-Flag-like (CTF) than real-world pentesting. It is true that some challenges have a ‘story line’ that takes you from one solved puzzle to the next one. To some extent a part of the challenge has to be fabricated as there are no real users to social engineer. But there are very real-world machines on hackthebox, e.g. requiring you to escalate from one object in a Windows domain to another.

And if you have ever seen what stuff is stored in clear text in the real world, or what passwords might be used ‘just for testing’ (and never changed) – then even the artificial guess-the-password challenges do not appear that unrealistic. I want to emphasize that I am not the one to make fun of weak test passwords and the like at all. More often than not I was the one whose job was to get something working / working again, under pressure. It is not exactly easy to ‘get it working’ quickly, in an emergency, and at the same time to consider all security implications of the ‘fix’ you have just applied – by thinking like an attacker. hackthebox is an excellent platform to learn that, so I cannot recommend it enough!

An article about hacking is not complete if it lacks a clichéd stock photo! I am searching for proper hacker’s attire now – this was my first find!

12 Comments Add yours

  1. psychocod3r says:

    I really need to try out that hackthebox thing. I’ve always wanted to do pen-testing, but I’m not quite confident enough in my abilities to really apply them. I have Hacking: The Art of Exploitation, which I haven’t read. Should probably give that a good reading. I’m not sure where I should go after that. Maybe fire up Kali Linux (which I have installed in a virtual machine) and look at some of the cracking tools and research what they do… Any suggestions? I should probably point out that I’m from a completely different walk of life, having never worked with computers or computer security professionally, only as a hobby. Anyway, I found this article inspirational, and hopefully hackthebox will provide a wealth of learning opportunities in the future.

    1. elkement says:

      Thanks! It’s hard for me to suggest something as it really depends on how you prefer to learn something. I think ‘hacking’ – defined in a broad sense, including any sort of ‘making’ – is best learned by doing and by trying out things!
      I’d simply give hackthebox a try! As I mentioned, there is an entry challenge. If you can solve that challenge in a reasonable time, then this platform is for you (as it is relatively simple compared to the machines to be hacked.)

  2. graciellamk says:

    How can I teach myself? Can you give me like a headstart tip?

    1. elkement says:

      For me, it has always been an iterative process, like so:
      – Trying to solve some issue for myself, like in this case: automating something, getting an old piece of software to work, finding out if something I use or I developed myself was really secure.
      – Noting that I lack fundamentals
      – Researching (googling) basics, reading intro articles, tutorials, lectures.
      – In parallel: Searching for working examples, how-to’s
      – In parallel: Trying to apply that knowledge.
      – Possibly detecting more knowledge gaps, repeat.

      Sometimes you discover the original task was too ambitious, then break it down. Sometimes you discover it was actually simple, then extend the scope.

      When I had achieved something, I went back to basics nonetheless and filled in gaps that I was maybe not aware of. For me, this was e.g. ploughing through computer science 101 lectures even though I had been programming for years.

      In general, for ‘hacking’ (as I understand it: Pen testing, reverse engineering) you need both system admin and software development skills.

    2. cybercadett says:

      For what purpose, you need a purpose or else you end up hacking nothing.

  3. graciellamk says:

    Does this website or app teach you how to hack? I really want to learn, but have no idea, how to go about.

    1. elkement says:

      It’s not a course or tutorial – you get VPN access to virtual machines that you can try to hack. You only know the machine’s IP address, and your goal is to become root on those machines. But you have to ‘teach yourself’!

  4. bert0001 says:

    I see that you are having fun.
    I should join this club and start hacking the things that make the iot :-)

    1. elkement says:

      I absolutely recommend it – super addictive!! :-)

  5. Your post is timely. I’ve been preparing a hackathon I’m co-organizing for September and have been hacking 7 days a week to get an API ready to be hacked upon. I’ve been looking into API security and must shamefully admit that I’ve been using the easy test password in the process! Although I’m a complete security amateur I’m questioning the security of login tokens. Surely that stuff gets picked up as easily as passwords stored in plain?

    I totally get the Capture The Flag – not unlike the hacking I’m doing now – this reminds me of those early all-nighters when you couldn’t let go of the buggy code you were working on. Totally addictive!

    Have fun and don’t capture the flag. Yet.

    1. elkement says:

      I’ve captured a bunch of flags already ;-)

      Your hackathon and API adventure sounds exciting – good luck and have fun, too! I guess we will read about your API on your blog? What is it about?

      I recall a hack of hardware tokens for two-factor authentication – but it required access to the token (and bypass the PIN). Or you could use weaknesses in mobile carrier protocols to hack SMS tokens – so authenticator apps are recommended over SMS. There was also one interesting social engineering attack where users were tricked into forwarding their SMS token to an attacker …. But in any case 2FA adds a layer of security that is much harder to hack, if at all…

      1. I knew you did :)

        With my team I’ve been developing an API standard for exchanging global freight data and we’re using the hackathon to test it on coders and industry experts. It’s a biggish thing that I’m not likely to blog on privately, more of a full blown media thing :)

        https://airtechzone.iata.org/hackathons/gva18/

        This is mostly a M2M set up and we’ll probably use OAUTH2 with a central authorization server. The bit that worries me is that the client credentials used to obtain a token from the authorization server are likely to be stored in all sorts of unsafe places. Since we’re designing for an open and evolving environment, I don’t want to limit to specific IP addresses. Any pointers welcome!!!
