What is a HackTheBox Challenge?
Hack the Box Challenges are virtual machines you can download onto your system and exploit without worrying about hacking a real system. There are other great resources, such as vulnhub and picoCTF that also have the same idea. These beginner CTF (capture the flag) challenges are great ways to practice cyber security tools as well as gain confidence in ethical hacking or red team security. While CTF challenges are usually within a time period, hack the box challenges can be started at any time!
It’s important to note that R U Coding Me only condones the safe practice of ethical hacking. These tools should only be used on authorized machines -otherwise it is considered black hat hacking which is illegal. As long as you set up your VM environment correctly, you shouldn’t have to worry about this -as it is your machine. Now let’s get hacking 😎
Virtual Machine Setup
Virtual machines are nested Operating Systems (OSs) within your main OS. We can think of this like partitioning off part of a sandbox into yet another sandbox. With that in mind, it is important that the sand from our mini-sandbox does not cross over into our main sandbox and vice versa. When our virtual machines our isolated from the host, we can perform anything we want within the mini-sandbox without bringing any information to or from the host. Thus, we can remove our workstation entirely should we need to and still have a fully functional main computer.
Before you begin, it is recommended to have at least:
- 8 GB of RAM
- i5 Processor (equivalent) or higher
- 32 GB of storage
for your system. It is important that each virtual machine has enough juice to operate without straining the main system.
Configuring Your Testing VM
You will most likely want to install Kali Linux for your testing virtual machine. Kali is a Debian-based distribution of Linux (same family as Ubuntu or Mint), that comes packaged with several penetration testing tools. Another alternative is to download your flavor of Linux and install the tools that you need as you go. Either way, it is important that this distribution is within a virtual machine.
Generally speaking, there are two popular options when it comes to virtualization: VMWare and VirtualBox. Both have the pros and cons, but this will depend on the challenge box that you are working on. We recommend you pick on and stick with challenges that have the corresponding download for your software. Since I have more experience with VirtualBox, I will base my examples off of VirtualBox
With your software installed, you can import Kali Linux (or Ubuntu, Manjaro, etc.) into your VM software. VirtualBox can accept .ova file types that allow you to import a virtual machine directly into the software. If you cannot obtain a .ova file, you can go through the wizard to set it up for you. USE THE RECOMMENDED SPECIFICATIONS. If you have some extra horsepower, you can allocate some more to the VM, but it is generally a good idea to save a few GB of RAM and a processor for your host. This way, your VM will run as smooth as possible!
Importing Your HackTheBox Challenge
Now that you have your hacking station ready to go, it’s time to set up a hackthebox challenge. Navigate to your challenge on the hackthebox website and download the correct file format for your virtualization software. You should be able to click the import button, select the file and approve of the VM settings before installing it on your system.
Once you have this installed, you’ll want to set up a virtual network. In VirtualBox, this allows for your virtual machines to talk to each other, however, they do not have access to the open internet. This is especially important, because you want to target your VM and not your neighbor’s smart TV for this exercise. In VirtualBox, this is referred to as an internal network. You can quickly set up a virtual network for your virtual machines by selecting the network adapter type to the same virtual network you created.
This configuration will allow your virtual machines to talk to each other, however, they will not have internet access. This is a good thing, because it prohibits any malicious activity from escaping your virtual network and reinforces you to work on the solution without looking up answers. Kind of a two-birds-with-one-stone kind of deal!
Top 3 Open Capture The Flag Challenges
Capture The Flag challenges have a wide range of skills that they can test you on. A lot of these involve programming experience or at the very least BASH scripting, which is another reason to learn programming. Additionally, there are challenges that involve mastery of software/techniques such as password cracking, host discovery and privilege escalation. Keeping this in mind, we will recommend our top 3 picks with entry skill level as our main consideration.
PicoCTF Challenges
PicoCTF was developed by the Carnegie Mellon University as an open playground for cybersecurity challenges! It is an open website that hosts challenges live 24/7 so you can gain experience hacking whenever you like. So long as you access the endpoints they provide and you sign up, they will grant you permission to ethically hack their systems through a series of jeopardy-style challenges.
Of all the challenges, PicoCTF is the most beginner friendly as it has many categories, write-ups and walkthroughs in case you get stuck. Additionally, you do not need to set up a target VM or virtual network; you only need your workstation VM. With this in mind, Pico is our top pick for those with next to no experience with cyber challenges.
Metasploitable 3
Metasploitable 3 is the first box we would recommend you try out, as there are several vulnerabilities built in! This one requires more elbow grease to get set up and working on your system, however, the resource linked provides documentation on how you can do this. Configuration will take a little bit of time and patience, however, the challenges are well worth the effort!
Once you have the virtual machine on your private network, you can begin hacking from your workstation VM! One helpful trick I always employ is to minimize the target VM window. This will emulate a real attack as you will not have access to the virtual machine in a real scenario.
Mr. Robot
Based around the popular hacking TV show, Mr. Robot is a progressive CTF that requires you to solve each challenge in sequential order. The ultimate goal is to gain complete control over the target VM (become the root user). There are several clever tricks you can use to leverage your way through the target system, however, this one is the most difficult challenge we would recommend to beginners.
While this is quite a challenge, we recommend you work your way up to Mr. Robot eventually! It is quite a rewarding feeling being able to gain access to a remote machine and escalating your role to root. The objectives from these challenges are commonly depicted in movies and put into perspective how hard it can be for hackers to “get in”. They also point out some important security features you should employ on your devices.
Wrapping Up
There are several great resources out there to start your offensive security training. Be sure to practice consistently, ethically and safely, as these factors will help you become a better white-hat hacker.
Let us know your experience with CTFs in the comments and if there are any resources you would recommend for folks new to cyber security!
Founder and CEO of R U Coding Me LLC. Jacob obtained his Bachelor’s of Computer Science at the University of Central Florida. He likes to go to the gym and teach people about technology.